1. Update IPsec driver to set the Transform structure’s Next Payload field to be zero when it is the last transform structure in a proposal. The same as Proposal Structure’s Next Payload field, it also should be zero when it is the last proposal in the SA.

2. Delete all SAs in the IPsec->Stop().

Signed-off-by: qianouyang
Reviewed-by: sfu5

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12768 6f19259b-4bc3-4df7-8a09-765794883524
qianouyang 2011-11-23 10:31:04 +00:00
parent eb5e7d3e7a
commit 6cf9230ff2
6 changed files with 414 additions and 409 deletions

@ -1,6 +1,6 @@
/** @file /** @file
Provide IPsec Key Exchange (IKE) service general interfaces. Provide IPsec Key Exchange (IKE) service general interfaces.
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR> Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
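Review bot: Most hunks in this file, starting with this one at the file header, show identical text on both sides, so they look like whitespace-only changes. Please move the whitespace cleanup into its own commit so the functional changes (the new IkeDeleteAllSas() parameter and the call from Stop()) are easy to find, review and bisect.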
@ -104,13 +104,13 @@ IkeLookupUdp (
/** /**
Configure a UDPIO's UDP4 instance. Configure a UDPIO's UDP4 instance.
This fuction is called by the UdpIoCreateIo() to configures a This fuction is called by the UdpIoCreateIo() to configures a
UDP4 instance. UDP4 instance.
@param[in] UdpIo The UDP_IO to be configured. @param[in] UdpIo The UDP_IO to be configured.
@param[in] Context User-defined data when calling UdpIoCreateIo(). @param[in] Context User-defined data when calling UdpIoCreateIo().
@retval EFI_SUCCESS The configuration succeeded. @retval EFI_SUCCESS The configuration succeeded.
@retval Others The UDP4 instance fails to configure. @retval Others The UDP4 instance fails to configure.
@ -146,13 +146,13 @@ IkeConfigUdp4 (
/** /**
Configure a UDPIO's UDP6 instance. Configure a UDPIO's UDP6 instance.
This fuction is called by the UdpIoCreateIo()to configure a This fuction is called by the UdpIoCreateIo()to configure a
UDP6 instance. UDP6 instance.
@param[in] UdpIo The UDP_IO to be configured. @param[in] UdpIo The UDP_IO to be configured.
@param[in] Context User-defined data when calling UdpIoCreateIo(). @param[in] Context User-defined data when calling UdpIoCreateIo().
@retval EFI_SUCCESS The configuration succeeded. @retval EFI_SUCCESS The configuration succeeded.
@retval Others The configuration fails. @retval Others The configuration fails.
@ -194,14 +194,14 @@ IkeConfigUdp6 (
/** /**
Open and configure the related output UDPIO for IKE packet sending. Open and configure the related output UDPIO for IKE packet sending.
If the UdpService is not configured, this fuction calls UdpIoCreatIo() to If the UdpService is not configured, this fuction calls UdpIoCreatIo() to
create UDPIO to bind this UdpService for IKE packet sending. If the UdpService create UDPIO to bind this UdpService for IKE packet sending. If the UdpService
has already been configured, then return. has already been configured, then return.
@param[in] UdpService The UDP_IO to be configured. @param[in] UdpService The UDP_IO to be configured.
@param[in] RemoteIp User-defined data when calling UdpIoCreateIo(). @param[in] RemoteIp User-defined data when calling UdpIoCreateIo().
@retval EFI_SUCCESS The configuration is successful. @retval EFI_SUCCESS The configuration is successful.
@retval Others The configuration fails. @retval Others The configuration fails.
@ -340,16 +340,16 @@ ON_EXIT:
/** /**
Open and configure a UDPIO of Udp4 for IKE packet receiving. Open and configure a UDPIO of Udp4 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
UDP4 IO for each NIC handle. UDP4 IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card. @param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful. @retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/ **/
EFI_STATUS EFI_STATUS
IkeOpenInputUdp4 ( IkeOpenInputUdp4 (
@ -411,16 +411,16 @@ IkeOpenInputUdp4 (
/** /**
Open and configure a UDPIO of Udp6 for IKE packet receiving. Open and configure a UDPIO of Udp6 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6 This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
IO for each NIC handle. IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card. @param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful. @retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/ **/
EFI_STATUS EFI_STATUS
IkeOpenInputUdp6 ( IkeOpenInputUdp6 (
@ -479,18 +479,18 @@ IkeOpenInputUdp6 (
/** /**
The general interface of starting IPsec Key Exchange. The general interface of starting IPsec Key Exchange.
This function is called when a IKE negotiation to start getting a Key. This function is called when a IKE negotiation to start getting a Key.
@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
IKE packet sending. IKE packet sending.
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation. @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation. @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
@retval EFI_SUCCESS The Operation is successful. @retval EFI_SUCCESS The Operation is successful.
@retval EFI_ACCESS_DENIED No related PAD entry was found. @retval EFI_ACCESS_DENIED No related PAD entry was found.
@retval EFI_INVALID_PARAMETER The IKE version is not supported. @retval EFI_INVALID_PARAMETER The IKE version is not supported.
**/ **/
EFI_STATUS EFI_STATUS
IkeNegotiate ( IkeNegotiate (
@ -519,8 +519,8 @@ IkeNegotiate (
} }
// //
// Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list. // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.
// //
IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp); IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);
if (IkeSaSession == NULL) { if (IkeSaSession == NULL) {
@ -551,7 +551,7 @@ IkeNegotiate (
if (IkeVersion != 2) { if (IkeVersion != 2) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
Exchange = mIkeExchange[IkeVersion - 1]; Exchange = mIkeExchange[IkeVersion - 1];
// //
// Start the quick mode stage to negotiate child SA. // Start the quick mode stage to negotiate child SA.
@ -564,15 +564,15 @@ IkeNegotiate (
/** /**
The generic interface when receive a IKE packet. The generic interface when receive a IKE packet.
This function is called when UDP IO receives a IKE packet. This function is called when UDP IO receives a IKE packet.
@param[in] Packet Point to received IKE packet. @param[in] Packet Point to received IKE packet.
@param[in] EndPoint Point to UDP_END_POINT which contains the information of @param[in] EndPoint Point to UDP_END_POINT which contains the information of
Remote IP and Port. Remote IP and Port.
@param[in] IoStatus The Status of Recieve Token. @param[in] IoStatus The Status of Recieve Token.
@param[in] Context Point to data passed from the caller. @param[in] Context Point to data passed from the caller.
**/ **/
VOID VOID
EFIAPI EFIAPI
@ -687,17 +687,19 @@ ON_EXIT:
/** /**
Delete all established IKE SAs and related Child SAs. Delete all established IKE SAs and related Child SAs.
This function is the subfunction of the IpSecCleanupAllSa(). It first calls This function is the subfunction of the IpSecCleanupAllSa(). It first calls
IkeDeleteChildSa() to delete all Child SAs then send out the related IkeDeleteChildSa() to delete all Child SAs then send out the related
Information packet. Information packet.
@param[in] Private Pointer of the IPSEC_PRIVATE_DATA @param[in] Private Pointer of the IPSEC_PRIVATE_DATA
@param[in] IsDisableIPsec Indicate whether needs to disable IPsec.
**/ **/
VOID VOID
IkeDeleteAllSas ( IkeDeleteAllSas (
IN IPSEC_PRIVATE_DATA *Private IN IPSEC_PRIVATE_DATA *Private,
IN BOOLEAN IsDisableIpsec
) )
{ {
LIST_ENTRY *Entry; LIST_ENTRY *Entry;
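Review bot: The new @param line documents "IsDisableIPsec" while the parameter added to the signature is "IsDisableIpsec"; the two should be spelled the same so the comment matches the code. The description would also read better as "Indicates whether IPsec should be disabled", and the function description still presents this only as a subfunction of IpSecCleanupAllSa() even though the commit adds a second caller.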
@ -719,17 +721,17 @@ IkeDeleteAllSas (
// //
if (!IsListEmpty (&Private->Ikev2SessionList)) { if (!IsListEmpty (&Private->Ikev2SessionList)) {
NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) { NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry); Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
RemoveEntryList (Entry); RemoveEntryList (Entry);
Ikev2SaSessionFree (Ikev2SaSession); Ikev2SaSessionFree (Ikev2SaSession);
} }
} }
// //
// If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE
// and turn off the IsIPsecDisabling flag. // and turn off the IsIPsecDisabling flag.
// //
if (IsListEmpty (&Private->Ikev2EstablishedList)) { if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {
Value = IPSEC_STATUS_DISABLED; Value = IPSEC_STATUS_DISABLED;
Status = gRT->SetVariable ( Status = gRT->SetVariable (
IPSECCONFIG_STATUS_NAME, IPSECCONFIG_STATUS_NAME,
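Review bot: The comment above the changed condition still describes only the empty-list case, but the branch now also requires IsDisableIpsec. Please update it to say the status variable is written only when the caller asked for IPsec to be disabled, and confirm what runs when the established list is empty and IsDisableIpsec is FALSE (the Stop() case), since that path is not visible in this hunk.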
@ -752,7 +754,7 @@ IkeDeleteAllSas (
for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) { for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry); Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
Entry = Entry->ForwardLink; Entry = Entry->ForwardLink;
Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting; Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;
// //
@ -762,10 +764,10 @@ IkeDeleteAllSas (
if (IkeVersion == 2) { if (IkeVersion == 2) {
Exchange = mIkeExchange[IkeVersion - 1]; Exchange = mIkeExchange[IkeVersion - 1];
Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL); Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);
} }
} }
} }
} }

@ -1,6 +1,6 @@
/** @file /** @file
Prototypes definitions of IKE service. Prototypes definitions of IKE service.
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR> Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
@ -44,7 +44,7 @@ EFI_STATUS
); );
/** /**
This is prototype definition fo general interface to start a IKE negotiation at Quick Mode. This is prototype definition fo general interface to start a IKE negotiation at Quick Mode.
This function will be called when the related IKE SA is existed and start to This function will be called when the related IKE SA is existed and start to
create a Child SA. create a Child SA.
@ -81,7 +81,7 @@ EFI_STATUS
); );
/** /**
This is prototype definition of the general interface when recived a IKE Pakcet This is prototype definition of the general interface when recived a IKE Pakcet
for the IKE SA establishing. for the IKE SA establishing.
@param[in] UdpService Point to UDP service used to send IKE Packet. @param[in] UdpService Point to UDP service used to send IKE Packet.
@ -97,8 +97,8 @@ VOID
/** /**
This is prototyp definition of the general interface when recived a IKE Packet This is prototyp definition of the general interface when recived a IKE Packet
xfor the Child SA establishing. xfor the Child SA establishing.
@param[in] UdpService Point to UDP service used to send IKE packet. @param[in] UdpService Point to UDP service used to send IKE packet.
@param[in] IkePacket Point to received IKE packet. @param[in] IkePacket Point to received IKE packet.
@ -111,7 +111,7 @@ VOID
); );
/** /**
This is prototype definition of the general interface when received a IKE This is prototype definition of the general interface when received a IKE
information Packet. information Packet.
@param[in] UdpService Point to UDP service used to send IKE packet. @param[in] UdpService Point to UDP service used to send IKE packet.
@ -137,16 +137,16 @@ typedef struct _IKE_EXCHANGE_INTERFACE {
/** /**
Open and configure a UDPIO of Udp4 for IKE packet receiving. Open and configure a UDPIO of Udp4 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
a UDP4 IO for each NIC handle. a UDP4 IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card. @param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful. @retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/ **/
EFI_STATUS EFI_STATUS
IkeOpenInputUdp4 ( IkeOpenInputUdp4 (
@ -156,16 +156,16 @@ IkeOpenInputUdp4 (
/** /**
Open and configure a UDPIO of Udp6 for IKE packet receiving. Open and configure a UDPIO of Udp6 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6 This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
IO for each NIC handle. IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card. @param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful. @retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/ **/
EFI_STATUS EFI_STATUS
IkeOpenInputUdp6 ( IkeOpenInputUdp6 (
@ -175,17 +175,17 @@ IkeOpenInputUdp6 (
/** /**
The general interface of starting IPsec Key Exchange. The general interface of starting IPsec Key Exchange.
This function is called when start a IKE negotiation to get a Key. This function is called when start a IKE negotiation to get a Key.
@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
IKE packet sending. IKE packet sending.
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation. @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation. @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
@retval EFI_SUCCESS The Operation is successful. @retval EFI_SUCCESS The Operation is successful.
@retval EFI_ACCESS_DENIED No related PAD entry was found. @retval EFI_ACCESS_DENIED No related PAD entry was found.
**/ **/
EFI_STATUS EFI_STATUS
IkeNegotiate ( IkeNegotiate (
@ -196,15 +196,15 @@ IkeNegotiate (
/** /**
The general interface when receive a IKE packet. The general interface when receive a IKE packet.
This function is called when UDP IO receives a IKE packet. This function is called when UDP IO receives a IKE packet.
@param[in] Packet Point to received IKE packet. @param[in] Packet Point to received IKE packet.
@param[in] EndPoint Point to UDP_END_POINT which contains the information of @param[in] EndPoint Point to UDP_END_POINT which contains the information of
Remote IP and Port. Remote IP and Port.
@param[in] IoStatus The Status of Recieve Token. @param[in] IoStatus The Status of Recieve Token.
@param[in] Context Point to data passed from the caller. @param[in] Context Point to data passed from the caller.
**/ **/
VOID VOID
EFIAPI EFIAPI
@ -235,17 +235,19 @@ IkeLookupUdp (
/** /**
Delete all established IKE SAs and related Child SAs. Delete all established IKE SAs and related Child SAs.
This function is the subfunction of the IpSecCleanupAllSa(). It first calls This function is the subfunction of the IpSecCleanupAllSa(). It first calls
IkeDeleteChildSa() to delete all Child SAs then send out the related IkeDeleteChildSa() to delete all Child SAs then send out the related
Information packet. Information packet.
@param[in] Private Pointer of the IPSEC_PRIVATE_DATA. @param[in] Private Pointer of the IPSEC_PRIVATE_DATA.
@param[in] IsDisableIPsec Indicate whether needs to disable IPsec.
**/ **/
VOID VOID
IkeDeleteAllSas ( IkeDeleteAllSas (
IN IPSEC_PRIVATE_DATA *Private IN IPSEC_PRIVATE_DATA *Private,
IN BOOLEAN IsDisableIpsec
); );
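Review bot: The "@param[in] IsDisableIPsec" line in this prototype comment does not say what passing FALSE means, and this header is the contract callers read. Going by the condition changed in the .c file, the flag gates writing IPSEC_STATUS_DISABLED, so something like "TRUE to also mark IPsec as disabled once no established IKE SA remains; FALSE to only delete the SAs" would make that explicit.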

@ -1,7 +1,7 @@
/** @file /** @file
The general interfaces of the IKEv2. The general interfaces of the IKEv2.
Copyright (c) 2010, Intel Corporation. All rights reserved.<BR> Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -46,7 +46,7 @@ Ikev2NegotiateSa (
IKEV2_PACKET_HANDLER Handler; IKEV2_PACKET_HANDLER Handler;
IKE_PACKET *IkePacket; IKE_PACKET *IkePacket;
EFI_STATUS Status; EFI_STATUS Status;
if (UdpService == NULL || RemoteIp == NULL) { if (UdpService == NULL || RemoteIp == NULL) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
@ -66,7 +66,7 @@ Ikev2NegotiateSa (
// //
return EFI_SUCCESS; return EFI_SUCCESS;
} }
// //
// Create a new IkeSaSession and initiate the common parameters. // Create a new IkeSaSession and initiate the common parameters.
// //
@ -79,7 +79,7 @@ Ikev2NegotiateSa (
// Set the specific parameters and state(IKE_STATE_INIT). // Set the specific parameters and state(IKE_STATE_INIT).
// //
IkeSaSession->Spd = SpdEntry; IkeSaSession->Spd = SpdEntry;
IkeSaSession->Pad = PadEntry; IkeSaSession->Pad = PadEntry;
SessionCommon = &IkeSaSession->SessionCommon; SessionCommon = &IkeSaSession->SessionCommon;
SessionCommon->IsInitiator = TRUE; SessionCommon->IsInitiator = TRUE;
SessionCommon->State = IkeStateInit; SessionCommon->State = IkeStateInit;
@ -88,13 +88,13 @@ Ikev2NegotiateSa (
// to support it. // to support it.
// //
SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP; SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP;
CopyMem ( CopyMem (
&SessionCommon->RemotePeerIp, &SessionCommon->RemotePeerIp,
RemoteIp, RemoteIp,
sizeof (EFI_IP_ADDRESS) sizeof (EFI_IP_ADDRESS)
); );
CopyMem ( CopyMem (
&SessionCommon->LocalPeerIp, &SessionCommon->LocalPeerIp,
&UdpService->DefaultAddress, &UdpService->DefaultAddress,
@ -147,15 +147,15 @@ ON_ERROR:
/** /**
It is general interface to negotiate the Child SA. It is general interface to negotiate the Child SA.
There are three situations which will invoke this function. First, create a CHILD There are three situations which will invoke this function. First, create a CHILD
SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context
is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a
IKEv2_CHILD_SA_SESSION. IKEv2_CHILD_SA_SESSION.
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation. @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
@param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation. @param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation.
@param[in] Context The data pass from the caller. @param[in] Context The data pass from the caller.
@retval EFI_SUCCESS The operation is successful. @retval EFI_SUCCESS The operation is successful.
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated. @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
@retval EFI_UNSUPPORTED The condition is not support yet. @retval EFI_UNSUPPORTED The condition is not support yet.
@ -239,7 +239,7 @@ Ikev2NegotiateChildSa (
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_ERROR; goto ON_ERROR;
} }
// //
// Insert the ChildSaSession into processing child SA list. // Insert the ChildSaSession into processing child SA list.
// //
@ -278,8 +278,8 @@ ON_ERROR:
It is general interface to start the Information Exchange. It is general interface to start the Information Exchange.
There are three situations which will invoke this function. First, deliver a Delete Information There are three situations which will invoke this function. First, deliver a Delete Information
to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on
deleting.Second, deliver a Notify Information without the contents if the input Context is NULL. deleting.Second, deliver a Notify Information without the contents if the input Context is NULL.
Third, deliver a Notify Information if the input Context is not NULL. Third, deliver a Notify Information if the input Context is not NULL.
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation. @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
@ -297,7 +297,7 @@ Ikev2NegotiateInfo (
IN UINT8 *Context IN UINT8 *Context
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
IKEV2_SA_SESSION *Ikev2SaSession; IKEV2_SA_SESSION *Ikev2SaSession;
IKEV2_CHILD_SA_SESSION *ChildSaSession; IKEV2_CHILD_SA_SESSION *ChildSaSession;
@ -318,11 +318,6 @@ Ikev2NegotiateInfo (
// //
if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) { if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {
//
// The IKE SA Session should be initiator if it triggers the deleting.
//
Ikev2SaSession->SessionCommon.IsInitiator = TRUE;
// //
// Generate Information Packet which contains the Delete Payload. // Generate Information Packet which contains the Delete Payload.
// //
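Review bot: The removal of "Ikev2SaSession->SessionCommon.IsInitiator = TRUE;" from the IkeStateSaDeleting branch is not covered by either item in the commit message. If the intent is that the flag must keep reflecting the original initiator of the IKE SA, as the IKEv2 header definition requires, rather than whichever side triggers the delete, please state that in the commit message, because it changes what is sent when the local side was the responder.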
@ -335,10 +330,12 @@ Ikev2NegotiateInfo (
// //
// Send out the Packet // Send out the Packet
// //
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0); if (UdpService != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_ERROR; goto ON_ERROR;
}
} }
} else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) { } else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {
// //
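Review bot: With the new "if (UdpService != NULL)" guard, a NULL UdpService now skips Ikev2SendIkePacket() silently after the Delete packet has already been generated. Please add a comment saying when UdpService can be NULL here, and confirm that the unsent IkePacket is released and that Status has a defined value on that path; neither is visible in this hunk. The same applies to the Child SA branch in the next hunk.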
@ -360,10 +357,12 @@ Ikev2NegotiateInfo (
// //
// Send out the Packet // Send out the Packet
// //
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0); if (UdpService != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_ERROR; goto ON_ERROR;
}
} }
} }
} else if (Context == NULL) { } else if (Context == NULL) {
@ -386,9 +385,9 @@ ON_ERROR:
/** /**
The general interface when received a IKEv2 packet for the IKE SA establishing. The general interface when received a IKEv2 packet for the IKE SA establishing.
This function first find the related IKE SA Session according to the IKE packet's This function first find the related IKE SA Session according to the IKE packet's
remote IP. Then call the corresponding function to handle this IKE packet according remote IP. Then call the corresponding function to handle this IKE packet according
to the related IKE SA Session's State. to the related IKE SA Session's State.
@param[in] UdpService Pointer of related UDP Service. @param[in] UdpService Pointer of related UDP Service.
@param[in] IkePacket Data passed by caller. @param[in] IkePacket Data passed by caller.
@ -411,13 +410,13 @@ Ikev2HandleSa (
IPSEC_PRIVATE_DATA *Private; IPSEC_PRIVATE_DATA *Private;
BOOLEAN IsNewSession; BOOLEAN IsNewSession;
Private = (UdpService->IpVersion == IP_VERSION_4) ? Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
ChildSaSession = NULL; ChildSaSession = NULL;
ChildSaCommon = NULL; ChildSaCommon = NULL;
// //
// Lookup the remote ip address in the processing IKE SA session list. // Lookup the remote ip address in the processing IKE SA session list.
// //
@ -461,7 +460,7 @@ Ikev2HandleSa (
&UdpService->DefaultAddress, &UdpService->DefaultAddress,
sizeof (EFI_IP_ADDRESS) sizeof (EFI_IP_ADDRESS)
); );
IsNewSession = TRUE; IsNewSession = TRUE;
} }
@ -517,15 +516,15 @@ Ikev2HandleSa (
// //
// Generate a piggyback child SA in IKE_STATE_AUTH state. // Generate a piggyback child SA in IKE_STATE_AUTH state.
// //
ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) && ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&
IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList)); IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService); ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
ChildSaCommon = &ChildSaSession->SessionCommon; ChildSaCommon = &ChildSaSession->SessionCommon;
// //
// Initialize the SA data for Child SA. // Initialize the SA data for Child SA.
// //
ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon); ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);
} }
@ -570,7 +569,7 @@ Ikev2HandleSa (
// //
// Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList // Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList
// ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA
// into SAD. // into SAD.
// //
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink); ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink);
@ -610,12 +609,12 @@ ON_ERROR:
/** /**
The general interface when received a IKEv2 packet for the IKE Child SA establishing The general interface when received a IKEv2 packet for the IKE Child SA establishing
or IKE SA/CHILD SA rekeying. or IKE SA/CHILD SA rekeying.
This function first find the related IKE SA Session according to the IKE packet's This function first find the related IKE SA Session according to the IKE packet's
remote IP. Then call the corresponding function to handle this IKE packet according remote IP. Then call the corresponding function to handle this IKE packet according
to the related IKE Child Session's State. to the related IKE Child Session's State.
@param[in] UdpService Pointer of related UDP Service. @param[in] UdpService Pointer of related UDP Service.
@param[in] IkePacket Data passed by caller. @param[in] IkePacket Data passed by caller.
@ -632,8 +631,8 @@ Ikev2HandleChildSa (
IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType; IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType;
IKE_PACKET *Reply; IKE_PACKET *Reply;
IPSEC_PRIVATE_DATA *Private; IPSEC_PRIVATE_DATA *Private;
Private = (UdpService->IpVersion == IP_VERSION_4) ? Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
@ -671,20 +670,20 @@ Ikev2HandleChildSa (
// //
// Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa. // Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa.
// //
RequestType = Ikev2ChildExchangeRequestType (IkePacket); RequestType = Ikev2ChildExchangeRequestType (IkePacket);
switch (RequestType) { switch (RequestType) {
case IkeRequestTypeCreateChildSa: case IkeRequestTypeCreateChildSa:
case IkeRequestTypeRekeyChildSa: case IkeRequestTypeRekeyChildSa:
case IkeRequestTypeRekeyIkeSa: case IkeRequestTypeRekeyIkeSa:
// //
// Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so // Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so
// only EFI_UNSUPPORTED will be returned and that will trigger a reply with a // only EFI_UNSUPPORTED will be returned and that will trigger a reply with a
// Notify payload of type NO_ADDITIONAL_SAS. // Notify payload of type NO_ADDITIONAL_SAS.
// //
Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket); Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_REPLY; goto ON_REPLY;
} }
@ -694,7 +693,7 @@ Ikev2HandleChildSa (
// //
return ; return ;
} }
ON_REPLY: ON_REPLY:
// //
// Generate the reply packet if needed and send it out. // Generate the reply packet if needed and send it out.
@ -712,15 +711,15 @@ ON_REPLY:
} }
} }
} }
} }
return ; return ;
} }
/** /**
It is general interface to handle IKEv2 information Exchange. It is general interface to handle IKEv2 information Exchange.
@param[in] UdpService Point to IKE UPD Service related to this information exchange. @param[in] UdpService Point to IKE UPD Service related to this information exchange.
@param[in] IkePacket The IKE packet to be parsed. @param[in] IkePacket The IKE packet to be parsed.
**/ **/
@ -735,15 +734,15 @@ Ikev2HandleInfo (
IKEV2_SA_SESSION *IkeSaSession; IKEV2_SA_SESSION *IkeSaSession;
IPSEC_PRIVATE_DATA *Private; IPSEC_PRIVATE_DATA *Private;
Private = (UdpService->IpVersion == IP_VERSION_4) ? Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
// //
// Lookup the remote ip address in the processing IKE SA session list. // Lookup the remote ip address in the processing IKE SA session list.
// //
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp); IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);
if (IkeSaSession == NULL) { if (IkeSaSession == NULL) {
// //
// Drop the packet if no IKE SA associated. // Drop the packet if no IKE SA associated.
@ -754,12 +753,12 @@ Ikev2HandleInfo (
// Validate the IKE packet header. // Validate the IKE packet header.
// //
if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) { if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
// //
// Drop the packet if invalid IKE header. // Drop the packet if invalid IKE header.
// //
return; return;
} }
SessionCommon = &IkeSaSession->SessionCommon; SessionCommon = &IkeSaSession->SessionCommon;
@ -778,7 +777,7 @@ Ikev2HandleInfo (
// Drop the packet if fail to parse. // Drop the packet if fail to parse.
// //
return; return;
} }
} }
IKE_EXCHANGE_INTERFACE mIkev1Exchange = { IKE_EXCHANGE_INTERFACE mIkev1Exchange = {

File diff suppressed because it is too large

@ -1,7 +1,7 @@
/** @file /** @file
Driver Binding Protocol for IPsec Driver. Driver Binding Protocol for IPsec Driver.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -81,7 +81,7 @@ IpSecDriverBindingSupported (
@retval EFI_SUCCES This driver is added to ControllerHandle @retval EFI_SUCCES This driver is added to ControllerHandle
@retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
@retval EFI_DEVICE_ERROR The device could not be started due to a device error. @retval EFI_DEVICE_ERROR The device could not be started due to a device error.
Currently not implemented. Currently not implemented.
@retval other This driver does not support this device @retval other This driver does not support this device
@ -189,6 +189,10 @@ IpSecDriverBindingStop (
Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec); Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);
//
// Delete all SAs before stop Ipsec.
//
IkeDeleteAllSas (Private, FALSE);
// //
// If has udp4 io opened on the controller, close and free it. // If has udp4 io opened on the controller, close and free it.
// //
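Review bot: The added call `IkeDeleteAllSas (Private, FALSE);` in IpSecDriverBindingStop() passes a bare boolean whose meaning cannot be read at the call site, while the other caller in this patch passes TRUE. Say in the comment above the call what FALSE selects, or document the parameter in the function header. The call also sits ahead of the "If has udp4 io opened on the controller" check, so it runs on every Stop() and the UDP IO is closed right after it; if deleting an SA has to send anything to the peer, confirm that this completes before the IO is freed. The new comment reads better as "Delete all SAs before stopping IPsec."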
@ -256,9 +260,9 @@ EFI_DRIVER_BINDING_PROTOCOL gIpSecDriverBinding = {
/** /**
This is a callback function when the mIpSecInstance.DisabledEvent is signaled. This is a callback function when the mIpSecInstance.DisabledEvent is signaled.
@param[in] Event Event whose notification function is being invoked. @param[in] Event Event whose notification function is being invoked.
@param[in] Context Pointer to the notification function's context. @param[in] Context Pointer to the notification function's context.
**/ **/
VOID VOID
@ -271,15 +275,15 @@ IpSecCleanupAllSa (
IPSEC_PRIVATE_DATA *Private; IPSEC_PRIVATE_DATA *Private;
Private = (IPSEC_PRIVATE_DATA *) Context; Private = (IPSEC_PRIVATE_DATA *) Context;
Private->IsIPsecDisabling = TRUE; Private->IsIPsecDisabling = TRUE;
IkeDeleteAllSas (Private); IkeDeleteAllSas (Private, TRUE);
} }
/** /**
This is the declaration of an EFI image entry point. This entry point is This is the declaration of an EFI image entry point. This entry point is
the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including
both device drivers and bus drivers. both device drivers and bus drivers.
The entry point for IPsec driver which installs the driver binding, The entry point for IPsec driver which installs the driver binding,
component name protocol, IPsec Config protcolon, and IPsec protocol in component name protocol, IPsec Config protcolon, and IPsec protocol in
its ImageHandle. its ImageHandle.
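Review bot: In IpSecCleanupAllSa(), `IkeDeleteAllSas (Private, TRUE);` reflects a prototype change that the commit message does not mention; it only says "Delete all SAs in the IPsec->Stop()". Add a sentence to the commit message and an @param entry explaining the new flag and why the disable-event path passes TRUE while Stop() passes FALSE, and check that no caller is left on the one-argument form. Since the entry-point comment below is already being touched for whitespace, "protcolon" can be corrected to "protocol" at the same time.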
@ -289,7 +293,7 @@ IpSecCleanupAllSa (
@retval EFI_SUCCESS The operation completed successfully. @retval EFI_SUCCESS The operation completed successfully.
@retval EFI_ALREADY_STARTED The IPsec driver has been already loaded. @retval EFI_ALREADY_STARTED The IPsec driver has been already loaded.
@retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources. @retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources.
@retval Others The operation is failed. @retval Others The operation is failed.
**/ **/
EFI_STATUS EFI_STATUS
@ -346,7 +350,7 @@ IpSecDriverEntryPoint (
Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE; Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;
Private->ImageHandle = ImageHandle; Private->ImageHandle = ImageHandle;
CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL)); CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));
// //
// Initilize Private's members. Thess members is used for IKE. // Initilize Private's members. Thess members is used for IKE.
// //
@ -356,7 +360,7 @@ IpSecDriverEntryPoint (
InitializeListHead (&Private->Ikev1EstablishedList); InitializeListHead (&Private->Ikev1EstablishedList);
InitializeListHead (&Private->Ikev2SessionList); InitializeListHead (&Private->Ikev2SessionList);
InitializeListHead (&Private->Ikev2EstablishedList); InitializeListHead (&Private->Ikev2EstablishedList);
RandomSeed (NULL, 0); RandomSeed (NULL, 0);
// //
// Initialize the ipsec config data and restore it from variable. // Initialize the ipsec config data and restore it from variable.
@ -390,7 +394,7 @@ IpSecDriverEntryPoint (
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_UNINSTALL_IPSEC; goto ON_UNINSTALL_IPSEC;
} }
return Status; return Status;
ON_UNINSTALL_IPSEC: ON_UNINSTALL_IPSEC:

@ -23,7 +23,7 @@
Check if the specified Address is the Valid Address Range. Check if the specified Address is the Valid Address Range.
This function checks if the bytes after prefixed length are all Zero in this This function checks if the bytes after prefixed length are all Zero in this
Address. This Address is supposed to point to a range address. That means it Address. This Address is supposed to point to a range address. That means it
should gives the correct prefixed address and the bytes outside the prefixed are should gives the correct prefixed address and the bytes outside the prefixed are
zero. zero.
@ -329,7 +329,7 @@ IpSecLookupSadBySpd (
{ {
LIST_ENTRY *Entry; LIST_ENTRY *Entry;
IPSEC_SAD_ENTRY *SadEntry; IPSEC_SAD_ENTRY *SadEntry;
NET_LIST_FOR_EACH (Entry, SadList) { NET_LIST_FOR_EACH (Entry, SadList) {
SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry); SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);
@ -341,7 +341,7 @@ IpSecLookupSadBySpd (
DestAddress, DestAddress,
SadEntry->Data->SpdSelector->RemoteAddress, SadEntry->Data->SpdSelector->RemoteAddress,
SadEntry->Data->SpdSelector->RemoteAddressCount SadEntry->Data->SpdSelector->RemoteAddressCount
)){ )){
return SadEntry; return SadEntry;
} }
} }
@ -382,7 +382,7 @@ IpSecLookupSadBySpi (
if (SadEntry->Id->Spi == Spi) { if (SadEntry->Id->Spi == Spi) {
if (SadEntry->Data->Mode == EfiIPsecTunnel) { if (SadEntry->Data->Mode == EfiIPsecTunnel) {
if (CompareMem ( if (CompareMem (
&DestAddress, &DestAddress,
&SadEntry->Data->TunnelDestAddress, &SadEntry->Data->TunnelDestAddress,
sizeof (EFI_IP_ADDRESS) sizeof (EFI_IP_ADDRESS)
)) { )) {
@ -391,14 +391,14 @@ IpSecLookupSadBySpi (
} else { } else {
if (SadEntry->Data->SpdSelector != NULL && if (SadEntry->Data->SpdSelector != NULL &&
IpSecMatchIpAddress ( IpSecMatchIpAddress (
IpVersion, IpVersion,
DestAddress, DestAddress,
SadEntry->Data->SpdSelector->RemoteAddress, SadEntry->Data->SpdSelector->RemoteAddress,
SadEntry->Data->SpdSelector->RemoteAddressCount SadEntry->Data->SpdSelector->RemoteAddressCount
) )
) { ) {
return SadEntry; return SadEntry;
} }
} }
} }
} }
@ -471,14 +471,13 @@ IpSecLookupSadEntry (
sizeof (EFI_IP_ADDRESS) sizeof (EFI_IP_ADDRESS)
); );
} }
// //
// Find the SAD entry in the spd.sas list according to the dest address. // Find the SAD entry in the spd.sas list according to the dest address.
// //
Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion); Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion);
if (Entry == NULL) { if (Entry == NULL) {
if (OldLastHead != IP6_ICMP || if (OldLastHead != IP6_ICMP ||
(OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST) (OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST)
) { ) {
@ -498,7 +497,7 @@ IpSecLookupSadEntry (
&DestIp &DestIp
); );
} }
} }
return EFI_NOT_READY; return EFI_NOT_READY;
@ -595,7 +594,7 @@ IpSecLookupSpdEntry (
IN VOID *IpHead, IN VOID *IpHead,
IN UINT8 *IpPayload, IN UINT8 *IpPayload,
IN UINT8 Protocol, IN UINT8 Protocol,
IN BOOLEAN IsOutbound, IN BOOLEAN IsOutbound,
OUT EFI_IPSEC_ACTION *Action OUT EFI_IPSEC_ACTION *Action
) )
{ {
@ -733,7 +732,7 @@ IpSecRecycleCallback (
} }
/** /**
Calculate the extension hader of IP. The return length only doesn't contain Calculate the extension hader of IP. The return length only doesn't contain
the fixed IP header length. the fixed IP header length.
@param[in] IpHead Points to an IP head to be calculated. @param[in] IpHead Points to an IP head to be calculated.
@ -801,7 +800,7 @@ IpSecEspAuthVerifyPayload (
// //
HashFragment[0].Data = EspBuffer; HashFragment[0].Data = EspBuffer;
HashFragment[0].DataSize = AuthSize; HashFragment[0].DataSize = AuthSize;
Status = IpSecCryptoIoHmac ( Status = IpSecCryptoIoHmac (
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId, SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey, SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,
@ -814,7 +813,7 @@ IpSecEspAuthVerifyPayload (
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return Status; return Status;
} }
// //
// Compare the calculated icv and the appended original icv. // Compare the calculated icv and the appended original icv.
// //
@ -832,10 +831,10 @@ IpSecEspAuthVerifyPayload (
@param[in] IpHead The pointer to IP header. @param[in] IpHead The pointer to IP header.
@param[in] IpVersion The version of IP (IP4 or IP6). @param[in] IpVersion The version of IP (IP4 or IP6).
@param[in] Spi The SPI used to search the related SAD entry. @param[in] Spi The SPI used to search the related SAD entry.
@retval NULL Not find the related SAD entry. @retval NULL Not find the related SAD entry.
@retval IPSEC_SAD_ENTRY Return the related SAD entry. @retval IPSEC_SAD_ENTRY Return the related SAD entry.
**/ **/
IPSEC_SAD_ENTRY * IPSEC_SAD_ENTRY *
@ -843,10 +842,10 @@ IpSecFoundSadFromInboundPacket (
UINT8 *IpHead, UINT8 *IpHead,
UINT8 IpVersion, UINT8 IpVersion,
UINT32 Spi UINT32 Spi
) )
{ {
EFI_IP_ADDRESS DestIp; EFI_IP_ADDRESS DestIp;
// //
// Parse destination address from ip header. // Parse destination address from ip header.
// //
@ -864,10 +863,10 @@ IpSecFoundSadFromInboundPacket (
sizeof (EFI_IPv6_ADDRESS) sizeof (EFI_IPv6_ADDRESS)
); );
} }
// //
// Lookup SAD entry according to the spi and dest address. // Lookup SAD entry according to the spi and dest address.
// //
return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion); return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion);
} }
@ -994,7 +993,7 @@ IpSecIsIp6ExtsValid (
} }
return TRUE; return TRUE;
} }
} }
*LastHeader = NextHeader; *LastHeader = NextHeader;
@ -1007,14 +1006,14 @@ IpSecIsIp6ExtsValid (
} }
/** /**
The actual entry to process the tunnel header and inner header for tunnel mode The actual entry to process the tunnel header and inner header for tunnel mode
outbound traffic. outbound traffic.
This function is the subfunction of IpSecEspInboundPacket(). It change the destination This function is the subfunction of IpSecEspInboundPacket(). It change the destination
Ip address to the station address and recalculate the uplayyer's checksum. Ip address to the station address and recalculate the uplayyer's checksum.
@param[in, out] IpHead Points to the IP header containing the ESP header
@param[in, out] IpHead Points to the IP header containing the ESP header
to be trimed on input, and without ESP header to be trimed on input, and without ESP header
on return. on return.
@param[in] IpPayload The decrypted Ip payload. It start from the inner @param[in] IpPayload The decrypted Ip payload. It start from the inner
@ -1042,10 +1041,10 @@ IpSecTunnelInboundPacket (
IP6_ICMP_HEAD *Icmp6Head; IP6_ICMP_HEAD *Icmp6Head;
Checksum = NULL; Checksum = NULL;
if (IpVersion == IP_VERSION_4) { if (IpVersion == IP_VERSION_4) {
// //
// Zero OutIP header use this to indicate the input packet is under // Zero OutIP header use this to indicate the input packet is under
// IPsec Tunnel protected. // IPsec Tunnel protected.
// //
ZeroMem ( ZeroMem (
@ -1057,20 +1056,20 @@ IpSecTunnelInboundPacket (
&SadData->TunnelDestAddress.v4, &SadData->TunnelDestAddress.v4,
sizeof (EFI_IPv4_ADDRESS) sizeof (EFI_IPv4_ADDRESS)
); );
// //
// Recalculate IpHeader Checksum // Recalculate IpHeader Checksum
// //
if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) { if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) {
((IP4_HEAD *)(IpPayload))->Checksum = 0; ((IP4_HEAD *)(IpPayload))->Checksum = 0;
((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum ( ((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum (
(UINT8 *)IpPayload, (UINT8 *)IpPayload,
((IP4_HEAD *)IpPayload)->HeadLen << 2 ((IP4_HEAD *)IpPayload)->HeadLen << 2
)); ));
} }
// //
// Recalcualte PseudoChecksum // Recalcualte PseudoChecksum
// //
@ -1091,7 +1090,7 @@ IpSecTunnelInboundPacket (
break; break;
} }
PacketChecksum = NetblockChecksum ( PacketChecksum = NetblockChecksum (
(UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2), (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2),
NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2) NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)
); );
PseudoChecksum = NetPseudoHeadChecksum ( PseudoChecksum = NetPseudoHeadChecksum (
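Review bot: In the IPv4 branch of IpSecTunnelInboundPacket(), the length handed to NetblockChecksum is `NTOHS (TotalLen) - (HeadLen << 2)`, with both fields read from the decrypted inner header, and nothing in the lines shown bounds them against the size of the decrypted payload or checks that TotalLen is at least the header length. Please confirm that such a check exists outside this hunk; if it does not, validate both fields before the checksum is computed, because the subtraction can wrap and the checksum can read past the buffer. This is not introduced by this whitespace-only hunk, so a follow-up patch is fine.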
@ -1100,14 +1099,14 @@ IpSecTunnelInboundPacket (
((IP4_HEAD *)IpPayload)->Protocol, ((IP4_HEAD *)IpPayload)->Protocol,
0 0
); );
if (Checksum != NULL) { if (Checksum != NULL) {
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum); *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
*Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2))))); *Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)))));
} }
}else { }else {
// //
// Zero OutIP header use this to indicate the input packet is under // Zero OutIP header use this to indicate the input packet is under
// IPsec Tunnel protected. // IPsec Tunnel protected.
// //
ZeroMem ( ZeroMem (
@ -1119,7 +1118,7 @@ IpSecTunnelInboundPacket (
&SadData->TunnelDestAddress.v6, &SadData->TunnelDestAddress.v6,
sizeof (EFI_IPv6_ADDRESS) sizeof (EFI_IPv6_ADDRESS)
); );
// //
// Get the Extension Header and Header length. // Get the Extension Header and Header length.
// //
@ -1130,7 +1129,7 @@ IpSecTunnelInboundPacket (
&LastHead, &LastHead,
&OptionLen &OptionLen
); );
// //
// Recalcualte PseudoChecksum // Recalcualte PseudoChecksum
// //
@ -1154,7 +1153,7 @@ IpSecTunnelInboundPacket (
break; break;
} }
PacketChecksum = NetblockChecksum ( PacketChecksum = NetblockChecksum (
IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen, IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen,
NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen
); );
PseudoChecksum = NetIp6PseudoHeadChecksum ( PseudoChecksum = NetIp6PseudoHeadChecksum (
@ -1163,7 +1162,7 @@ IpSecTunnelInboundPacket (
*LastHead, *LastHead,
0 0
); );
if (Checksum != NULL) { if (Checksum != NULL) {
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum); *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
*Checksum = (UINT16) ~(NetAddChecksum ( *Checksum = (UINT16) ~(NetAddChecksum (
@ -1171,22 +1170,22 @@ IpSecTunnelInboundPacket (
HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen)) HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen))
)); ));
} }
} }
} }
/** /**
The actual entry to create inner header for tunnel mode inbound traffic. The actual entry to create inner header for tunnel mode inbound traffic.
This function is the subfunction of IpSecEspOutboundPacket(). It create This function is the subfunction of IpSecEspOutboundPacket(). It create
the sending packet by encrypting its payload and inserting ESP header in the orginal the sending packet by encrypting its payload and inserting ESP header in the orginal
IP header, then return the IpHeader and IPsec protected Fragmentable. IP header, then return the IpHeader and IPsec protected Fragmentable.
@param[in, out] IpHead Points to IP header containing the orginal IP header @param[in, out] IpHead Points to IP header containing the orginal IP header
to be processed on input, and inserted ESP header to be processed on input, and inserted ESP header
on return. on return.
@param[in] IpVersion The version of IP. @param[in] IpVersion The version of IP.
@param[in] SadData The related SAD data. @param[in] SadData The related SAD data.
@param[in, out] LastHead The Last Header in IP header. @param[in, out] LastHead The Last Header in IP header.
@param[in] OptionsBuffer Pointer to the options buffer. @param[in] OptionsBuffer Pointer to the options buffer.
@param[in] OptionsLength Length of the options buffer. @param[in] OptionsLength Length of the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
@ -1221,7 +1220,7 @@ IpSecTunnelOutboundPacket (
if (OptionsLength == NULL) { if (OptionsLength == NULL) {
return NULL; return NULL;
} }
if (IpVersion == IP_VERSION_4) { if (IpVersion == IP_VERSION_4) {
InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength); InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength);
ASSERT (InnerHead != NULL); ASSERT (InnerHead != NULL);
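Review bot: `ASSERT (InnerHead != NULL);` after AllocateZeroPool() in IpSecTunnelOutboundPacket() is the only allocation-failure handling visible here, and ASSERT can be disabled by the build configuration. The function already returns NULL a few lines earlier when OptionsLength is NULL, and IpSecEspOutboundPacket() tests `InnerHead == NULL`, so returning NULL on allocation failure fits the existing error path. The hunk itself changes only whitespace.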
@ -1256,7 +1255,7 @@ IpSecTunnelOutboundPacket (
*OptionsLength = 0; *OptionsLength = 0;
} }
} }
// //
// 2. Reassamlbe Fragment into Packet // 2. Reassamlbe Fragment into Packet
// //
@ -1294,13 +1293,13 @@ IpSecTunnelOutboundPacket (
Checksum = &IcmpHead->Checksum; Checksum = &IcmpHead->Checksum;
*Checksum = 0; *Checksum = 0;
break; break;
default: default:
break; break;
} }
PacketChecksum = NetbufChecksum (Packet); PacketChecksum = NetbufChecksum (Packet);
if (IpVersion == IP_VERSION_4) { if (IpVersion == IP_VERSION_4) {
// //
// Replace the source address of Inner Header. // Replace the source address of Inner Header.
@ -1318,7 +1317,7 @@ IpSecTunnelOutboundPacket (
*LastHead, *LastHead,
0 0
); );
} else { } else {
// //
// Replace the source address of Inner Header. // Replace the source address of Inner Header.
@ -1335,7 +1334,7 @@ IpSecTunnelOutboundPacket (
*LastHead, *LastHead,
0 0
); );
} }
if (Checksum != NULL) { if (Checksum != NULL) {
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum); *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
@ -1351,12 +1350,12 @@ IpSecTunnelOutboundPacket (
/** /**
The actual entry to relative function processes the inbound traffic of ESP header. The actual entry to relative function processes the inbound traffic of ESP header.
This function is the subfunction of IpSecProtectInboundPacket(). It checks the This function is the subfunction of IpSecProtectInboundPacket(). It checks the
received packet security property and trim the ESP header and then returns without received packet security property and trim the ESP header and then returns without
an IPsec protected IP Header and FramgmentTable. an IPsec protected IP Header and FramgmentTable.
@param[in] IpVersion The version of IP. @param[in] IpVersion The version of IP.
@param[in, out] IpHead Points to the IP header containing the ESP header @param[in, out] IpHead Points to the IP header containing the ESP header
to be trimed on input, and without ESP header to be trimed on input, and without ESP header
on return. on return.
@param[out] LastHead The Last Header in IP header on return. @param[out] LastHead The Last Header in IP header on return.
@ -1417,7 +1416,7 @@ IpSecEspInboundPacket (
*RecycleEvent = NULL; *RecycleEvent = NULL;
PlainPayloadSize = 0; PlainPayloadSize = 0;
NextHeader = 0; NextHeader = 0;
// //
// Build netbuf from fragment table first. // Build netbuf from fragment table first.
// //
@ -1433,27 +1432,27 @@ IpSecEspInboundPacket (
Status = EFI_OUT_OF_RESOURCES; Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT; goto ON_EXIT;
} }
// //
// Get the esp size and esp header from netbuf. // Get the esp size and esp header from netbuf.
// //
EspSize = Payload->TotalSize; EspSize = Payload->TotalSize;
EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL); EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL);
if (EspHeader == NULL) { if (EspHeader == NULL) {
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
goto ON_EXIT; goto ON_EXIT;
} }
// //
// Parse destination address from ip header and found the related SAD Entry. // Parse destination address from ip header and found the related SAD Entry.
// //
SadEntry = IpSecFoundSadFromInboundPacket ( SadEntry = IpSecFoundSadFromInboundPacket (
IpHead, IpHead,
IpVersion, IpVersion,
NTOHL (EspHeader->Spi) NTOHL (EspHeader->Spi)
); );
if (SadEntry == NULL) { if (SadEntry == NULL) {
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
goto ON_EXIT; goto ON_EXIT;
@ -1475,7 +1474,7 @@ IpSecEspInboundPacket (
// TODO: Check SA lifetime and sequence number // TODO: Check SA lifetime and sequence number
// //
} }
// //
// Allocate buffer for decryption and authentication. // Allocate buffer for decryption and authentication.
// //
@ -1493,7 +1492,7 @@ IpSecEspInboundPacket (
IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId); IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId); IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId); BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
// //
// Make sure the ESP packet is not mal-formt. // Make sure the ESP packet is not mal-formt.
// 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize. // 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.
@ -1540,20 +1539,20 @@ IpSecEspInboundPacket (
goto ON_EXIT; goto ON_EXIT;
} }
} }
// //
// Parse EspTail and compute the plain payload size. // Parse EspTail and compute the plain payload size.
// //
EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL)); EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));
PaddingSize = EspTail->PaddingLength; PaddingSize = EspTail->PaddingLength;
NextHeader = EspTail->NextHeader; NextHeader = EspTail->NextHeader;
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) { if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
goto ON_EXIT; goto ON_EXIT;
} }
PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize; PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;
// //
// TODO: handle anti-replay window // TODO: handle anti-replay window
// //
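Review bot: The context of this hunk in IpSecEspInboundPacket() still ends at `TODO: handle anti-replay window`, and an earlier hunk in the same function carries `TODO: Check SA lifetime and sequence number`, so as far as these lines show the ESP sequence number is not checked on receive. This is not introduced by the whitespace-only change here, but please track it, and consider replacing the bare TODO with a comment that points at the tracking item.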
@ -1577,7 +1576,7 @@ IpSecEspInboundPacket (
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_EXIT; goto ON_EXIT;
} }
// //
// The caller will take responsible to handle the original fragment table // The caller will take responsible to handle the original fragment table
// //
@ -1589,7 +1588,7 @@ IpSecEspInboundPacket (
RecycleContext->PayloadBuffer = ProcessBuffer; RecycleContext->PayloadBuffer = ProcessBuffer;
RecycleContext->FragmentTable = *FragmentTable; RecycleContext->FragmentTable = *FragmentTable;
// //
// If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out // If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out
// //
@ -1602,20 +1601,20 @@ IpSecEspInboundPacket (
SadData, SadData,
LastHead LastHead
); );
if (IpVersion == IP_VERSION_4) { if (IpVersion == IP_VERSION_4) {
(*FragmentTable)[0].FragmentBuffer = InnerHead ; (*FragmentTable)[0].FragmentBuffer = InnerHead ;
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize; (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
}else { }else {
(*FragmentTable)[0].FragmentBuffer = InnerHead; (*FragmentTable)[0].FragmentBuffer = InnerHead;
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize; (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
} }
} else { } else {
(*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize; (*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize; (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
} }
*FragmentCount = 1; *FragmentCount = 1;
// //
@ -1633,7 +1632,7 @@ IpSecEspInboundPacket (
// //
*LastHead = NextHeader; *LastHead = NextHeader;
} }
// //
// Update the SPD association of the SAD entry. // Update the SPD association of the SAD entry.
@ -1721,7 +1720,7 @@ IpSecEspOutboundPacket (
EFI_ESP_TAIL *EspTail; // Address behind padding EFI_ESP_TAIL *EspTail; // Address behind padding
UINT8 *InnerHead; UINT8 *InnerHead;
HASH_DATA_FRAGMENT HashFragment[1]; HASH_DATA_FRAGMENT HashFragment[1];
Status = EFI_ACCESS_DENIED; Status = EFI_ACCESS_DENIED;
SaId = SadEntry->Id; SaId = SadEntry->Id;
SadData = SadEntry->Data; SadData = SadEntry->Data;
@ -1754,7 +1753,7 @@ IpSecEspOutboundPacket (
FragmentTable, FragmentTable,
FragmentCount FragmentCount
); );
if (InnerHead == NULL) { if (InnerHead == NULL) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
@ -1794,7 +1793,7 @@ IpSecEspOutboundPacket (
// //
// OPtions should be encryption into it // OPtions should be encryption into it
// //
PlainPayloadSize += *OptionsLength; PlainPayloadSize += *OptionsLength;
} }
@ -1852,7 +1851,7 @@ IpSecEspOutboundPacket (
// HeadLen, Total Length // HeadLen, Total Length
// //
((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2); ((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2);
((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize); ((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize);
((IP4_HEAD *)InnerHead)->Checksum = 0; ((IP4_HEAD *)InnerHead)->Checksum = 0;
((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum ( ((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum (
(UINT8 *)InnerHead, (UINT8 *)InnerHead,
@ -1904,7 +1903,7 @@ IpSecEspOutboundPacket (
EspTail->NextHeader = 4; EspTail->NextHeader = 4;
} else { } else {
EspTail->NextHeader = 41; EspTail->NextHeader = 41;
} }
} }
// //
@ -1914,8 +1913,8 @@ IpSecEspOutboundPacket (
(UINT8 *) (EspHeader + 1), (UINT8 *) (EspHeader + 1),
IvSize IvSize
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_EXIT; goto ON_EXIT;
} }
@ -2011,10 +2010,10 @@ IpSecEspOutboundPacket (
if (SadData->Mode == EfiIPsecTunnel) { if (SadData->Mode == EfiIPsecTunnel) {
if (IpVersion == IP_VERSION_4) { if (IpVersion == IP_VERSION_4) {
CopyMem ( CopyMem (
&((IP4_HEAD *) IpHead)->Src, &((IP4_HEAD *) IpHead)->Src,
&SadData->TunnelSourceAddress.v4, &SadData->TunnelSourceAddress.v4,
sizeof (EFI_IPv4_ADDRESS) sizeof (EFI_IPv4_ADDRESS)
); );
CopyMem ( CopyMem (
&((IP4_HEAD *) IpHead)->Dst, &((IP4_HEAD *) IpHead)->Dst,
&SadData->TunnelDestAddress.v4, &SadData->TunnelDestAddress.v4,
@ -2065,11 +2064,11 @@ ON_EXIT:
/** /**
This function processes the inbound traffic with IPsec. This function processes the inbound traffic with IPsec.
It checks the received packet security property, trims the ESP/AH header, and then It checks the received packet security property, trims the ESP/AH header, and then
returns without an IPsec protected IP Header and FragmentTable. returns without an IPsec protected IP Header and FragmentTable.
@param[in] IpVersion The version of IP. @param[in] IpVersion The version of IP.
@param[in, out] IpHead Points to IP header containing the ESP/AH header @param[in, out] IpHead Points to IP header containing the ESP/AH header
to be trimed on input, and without ESP/AH header to be trimed on input, and without ESP/AH header
on return. on return.
@param[in, out] LastHead The Last Header in IP header on return. @param[in, out] LastHead The Last Header in IP header on return.