1.Update IPsec driver to set the Transform structure’s Next Payload field to be zero when it is the last transform structure in a proposal. The same as Proposal Structure’s Next Payload filed, it also should be zero when it is the last proposal in the SA.

2.Delete all SAs in the IPsec->Stop(). Signed-off-by: qianouyang Reviewed-by: sfu5 git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12768 6f19259b-4bc3-4df7-8a09-765794883524
2011-11-23 10:31:04 +00:00 · 2011-11-23 10:31:04 +00:00 · 6cf9230ff2
parent eb5e7d3e7a
commit 6cf9230ff2
6 changed files with 414 additions and 409 deletions
--- a/NetworkPkg/IpSecDxe/IkeService.c
+++ b/NetworkPkg/IpSecDxe/IkeService.c
@ -692,12 +692,14 @@ ON_EXIT:
  IkeDeleteChildSa() to delete all Child SAs then send out the related
  Information packet.

-  @param[in]  Private  Pointer of the IPSEC_PRIVATE_DATA
+  @param[in]  Private           Pointer of the IPSEC_PRIVATE_DATA
+  @param[in]  IsDisableIPsec    Indicate whether needs to disable IPsec.

 **/
 VOID
 IkeDeleteAllSas (
-  IN IPSEC_PRIVATE_DATA  *Private
+  IN IPSEC_PRIVATE_DATA  *Private,
+  IN BOOLEAN             IsDisableIpsec
  )
 {
  LIST_ENTRY             *Entry;
@ -729,7 +731,7 @@ IkeDeleteAllSas (
  // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE
  // and turn off the IsIPsecDisabling flag.
  //
-  if (IsListEmpty (&Private->Ikev2EstablishedList)) {
+  if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {
    Value = IPSEC_STATUS_DISABLED;
    Status = gRT->SetVariable (
               IPSECCONFIG_STATUS_NAME,
--- a/NetworkPkg/IpSecDxe/IkeService.h
+++ b/NetworkPkg/IpSecDxe/IkeService.h
@ -240,12 +240,14 @@ IkeLookupUdp (
  IkeDeleteChildSa() to delete all Child SAs then send out the related
  Information packet.

-  @param[in]  Private  Pointer of the IPSEC_PRIVATE_DATA.
+  @param[in]  Private           Pointer of the IPSEC_PRIVATE_DATA.
+  @param[in]  IsDisableIPsec    Indicate whether needs to disable IPsec.

 **/
 VOID
 IkeDeleteAllSas (
-  IN IPSEC_PRIVATE_DATA             *Private
+  IN IPSEC_PRIVATE_DATA             *Private,
+  IN BOOLEAN                        IsDisableIpsec
  );


--- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
@ -1,7 +1,7 @@
 /** @file
  The general interfaces of the IKEv2.

-  Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>

  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
@ -318,11 +318,6 @@ Ikev2NegotiateInfo (
  //
  if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {

-    //
-    // The IKE SA Session should be initiator if it triggers the deleting.
-    //
-    Ikev2SaSession->SessionCommon.IsInitiator = TRUE;
-
    //
    // Generate Information Packet which contains the Delete Payload.
    //
@ -335,10 +330,12 @@ Ikev2NegotiateInfo (
    //
    // Send out the Packet
    //
-    Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);
+    if (UdpService != NULL) {
+      Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);

-    if (EFI_ERROR (Status)) {
-      goto ON_ERROR;
+      if (EFI_ERROR (Status)) {
+        goto ON_ERROR;
+      }
    }
  } else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {
    //
@ -360,10 +357,12 @@ Ikev2NegotiateInfo (
      //
      // Send out the Packet
      //
-      Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);
+      if (UdpService != NULL) {
+        Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);

-      if (EFI_ERROR (Status)) {
-        goto ON_ERROR;
+        if (EFI_ERROR (Status)) {
+          goto ON_ERROR;
+        }
      }
    }
  }  else if (Context == NULL) {
--- a/NetworkPkg/IpSecDxe/Ikev2/Payload.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Payload.c
@ -1605,9 +1605,7 @@ Ikev2EncodeSa (
  UINTN                 TransformIndex;
  IKE_SA_ATTRIBUTE      *SaAttribute;
  IKEV2_PROPOSAL        *Proposal;
-  IKEV2_PROPOSAL        *LastProposal;
  IKEV2_TRANSFORM       *Transform;
-  IKEV2_TRANSFORM       *LastTransform;

  //
  // Transform IKE_SA_DATA structure to IKE_SA Payload.
@ -1635,7 +1633,6 @@ Ikev2EncodeSa (
  CopyMem (Sa, SaData, sizeof (IKEV2_SA));
  Sa->Header.PayloadLength  = (UINT16) sizeof (IKEV2_SA);
  ProposalsSize             = 0;
-  LastProposal              = NULL;
  Proposal                  = (IKEV2_PROPOSAL *) (Sa + 1);

  //
@ -1655,7 +1652,6 @@ Ikev2EncodeSa (
    }

    TransformsSize  = 0;
-    LastTransform   = NULL;
    Transform       = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize);

    //
@ -1694,8 +1690,8 @@ Ikev2EncodeSa (
      Transform->Header.NextPayload   = IKE_TRANSFORM_NEXT_PAYLOAD_MORE;
      Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize);

-      if (TransformIndex == ProposalData->NumTransforms) {
-        LastTransform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;
+      if (TransformIndex == (UINTN)(ProposalData->NumTransforms - 1)) {
+        Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;
      }

      Transform     = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize);
@ -1709,8 +1705,8 @@ Ikev2EncodeSa (
    Proposal->Header.NextPayload   = IKE_PROPOSAL_NEXT_PAYLOAD_MORE;
    Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize);

-    if (ProposalIndex == SaData->NumProposals) {
-      LastProposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;
+    if (ProposalIndex == (UINTN)(SaData->NumProposals - 1)) {
+      Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;
    }

    //
@ -1804,11 +1800,14 @@ Ikev2DecodeSa (
  }

  //
-  // Check the proposal number. The Proposal Payload type is 2. Nonce Paylod is 0.
-  // SUM(ProposalNextPayload) = Proposal Num * 2 + Noce Payload Type (0).
+  // Check the proposal number.
+  // The proposal Substructure, the NextPayLoad field indicates : 0 (last) or 2 (more)
+  // which Specifies whether this is the last Proposal Substructure in the SA.
+  // Here suming all Proposal NextPayLoad field to check the proposal number is correct
+  // or not.
  //
  if (TotalProposals == 0 ||
-      (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE + IKE_PROPOSAL_NEXT_PAYLOAD_NONE != ProposalNextPayloadSum
+      (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE != ProposalNextPayloadSum
      ) {
    Status = EFI_INVALID_PARAMETER;
    goto Exit;
--- a/NetworkPkg/IpSecDxe/IpSecDriver.c
+++ b/NetworkPkg/IpSecDxe/IpSecDriver.c
@ -1,7 +1,7 @@
 /** @file
  Driver Binding Protocol for IPsec Driver.

-  Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>

  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
@ -189,6 +189,10 @@ IpSecDriverBindingStop (

  Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);

+  //
+  // Delete all SAs before stop Ipsec.
+  //
+  IkeDeleteAllSas (Private, FALSE);
  //
  // If has udp4 io opened on the controller, close and free it.
  //
@ -271,7 +275,7 @@ IpSecCleanupAllSa (
  IPSEC_PRIVATE_DATA  *Private;
  Private                   = (IPSEC_PRIVATE_DATA *) Context;
  Private->IsIPsecDisabling = TRUE;
-  IkeDeleteAllSas (Private);
+  IkeDeleteAllSas (Private, TRUE);
 }

 /**
--- a/NetworkPkg/IpSecDxe/IpSecImpl.c
+++ b/NetworkPkg/IpSecDxe/IpSecImpl.c
@ -478,7 +478,6 @@ IpSecLookupSadEntry (
  Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion);

  if (Entry == NULL) {
-
    if (OldLastHead != IP6_ICMP ||
        (OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST)
        ) {