NetworkPkg: Remove IpSec driver and application

* REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1697

The IpSec driver in NetworkPkg is not really used by platforms
but has security risks, so it is scheduled to be removed from
edk2, together with the IpSecConfig application.

Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Signed-off-by: Wang Fan <fan.wang@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Wang, Fan 2019-04-23 11:16:50 +08:00 committed by Fu Siyuan
parent af51cb48a2
commit d55d9d0664
53 changed files with 0 additions and 29709 deletions


@ -1,104 +0,0 @@
/** @file
The implementation of delete policy entry function in IpSecConfig application.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecConfig.h"
#include "Indexer.h"
#include "Delete.h"
#include "Match.h"
#include "ForEach.h"
/**
Private function to delete entry information in database.
@param[in] Selector The pointer to EFI_IPSEC_CONFIG_SELECTOR structure.
@param[in] Data The pointer to Data.
@param[in] Context The pointer to DELETE_POLICY_ENTRY_CONTEXT.
@retval EFI_ABORTED Abort the iteration.
@retval EFI_SUCCESS Continue the iteration.
**/
EFI_STATUS
DeletePolicyEntry (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN DELETE_POLICY_ENTRY_CONTEXT *Context
)
{
if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
Context->Status = mIpSecConfig->SetData (
mIpSecConfig,
Context->DataType,
Selector,
NULL,
NULL
);
//
// Abort the iteration after the insertion.
//
return EFI_ABORTED;
}
return EFI_SUCCESS;
}
/**
Flush or delete entry information in the database according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Delete entry information successfully.
@retval EFI_NOT_FOUND Can't find the specified entry.
@retval Others Some mistaken case.
**/
EFI_STATUS
FlushOrDeletePolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN LIST_ENTRY *ParamPackage
)
{
EFI_STATUS Status;
DELETE_POLICY_ENTRY_CONTEXT Context;
CONST CHAR16 *ValueStr;
//
// If user wants to remove all.
//
if (ShellCommandLineGetFlag (ParamPackage, L"-f")) {
Status = mIpSecConfig->SetData (
mIpSecConfig,
DataType,
NULL,
NULL,
NULL
);
} else {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
if (ValueStr == NULL) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
return EFI_NOT_FOUND;
}
Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
if (!EFI_ERROR (Status)) {
Context.DataType = DataType;
Context.Status = EFI_NOT_FOUND;
ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) DeletePolicyEntry, &Context);
Status = Context.Status;
if (Status == EFI_NOT_FOUND) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
} else if (EFI_ERROR (Status)) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DELETE_FAILED), mHiiHandle, mAppName);
}
}
}
return Status;
}


@ -1,36 +0,0 @@
/** @file
The internal structure and function declaration of delete policy entry function
in IpSecConfig application.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef __DELETE_H_
#define __DELETE_H_
typedef struct {
EFI_IPSEC_CONFIG_DATA_TYPE DataType;
POLICY_ENTRY_INDEXER Indexer;
EFI_STATUS Status; //Indicate whether deletion succeeds.
} DELETE_POLICY_ENTRY_CONTEXT;
/**
Flush or delete entry information in the database according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Delete entry information successfully.
@retval EFI_NOT_FOUND Can't find the specified entry.
@retval Others Some mistaken case.
**/
EFI_STATUS
FlushOrDeletePolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN LIST_ENTRY *ParamPackage
);
#endif


@ -1,573 +0,0 @@
/** @file
The implementation of dump policy entry function in IpSecConfig application.
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecConfig.h"
#include "Dump.h"
#include "ForEach.h"
#include "Helper.h"
/**
Private function called to get the version infomation from an EFI_IP_ADDRESS_INFO structure.
@param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structure.
@return the value of version.
**/
UINTN
GetVerFromAddrInfo (
IN EFI_IP_ADDRESS_INFO *AddressInfo
)
{
if((AddressInfo->PrefixLength <= 32) && (AddressInfo->Address.Addr[1] == 0) &&
(AddressInfo->Address.Addr[2] == 0) && (AddressInfo->Address.Addr[3] == 0)) {
return IP_VERSION_4;
} else {
return IP_VERSION_6;
}
}
/**
Private function called to get the version information from a EFI_IP_ADDRESS structure.
@param[in] Address The pointer to the EFI_IP_ADDRESS structure.
@return The value of the version.
**/
UINTN
GetVerFromIpAddr (
IN EFI_IP_ADDRESS *Address
)
{
if ((Address->Addr[1] == 0) && (Address->Addr[2] == 0) && (Address->Addr[3] == 0)) {
return IP_VERSION_4;
} else {
return IP_VERSION_6;
}
}
/**
Private function called to print an ASCII string in unicode char format.
@param[in] Str The pointer to the ASCII string.
@param[in] Length The value of the ASCII string length.
**/
VOID
DumpAsciiString (
IN CHAR8 *Str,
IN UINTN Length
)
{
UINTN Index;
Print (L"\"");
for (Index = 0; Index < Length; Index++) {
Print (L"%c", (CHAR16) Str[Index]);
}
Print (L"\"");
}
/**
Private function called to print a buffer in Hex format.
@param[in] Data The pointer to the buffer.
@param[in] Length The size of the buffer.
**/
VOID
DumpBuf (
IN UINT8 *Data,
IN UINTN Length
)
{
UINTN Index;
for (Index = 0; Index < Length; Index++) {
Print (L"%02x ", Data[Index]);
}
}
/**
Private function called to print EFI_IP_ADDRESS_INFO content.
@param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structure.
**/
VOID
DumpAddressInfo (
IN EFI_IP_ADDRESS_INFO *AddressInfo
)
{
if (IP_VERSION_4 == GetVerFromAddrInfo (AddressInfo)) {
Print (
L"%d.%d.%d.%d",
(UINTN) AddressInfo->Address.v4.Addr[0],
(UINTN) AddressInfo->Address.v4.Addr[1],
(UINTN) AddressInfo->Address.v4.Addr[2],
(UINTN) AddressInfo->Address.v4.Addr[3]
);
if (AddressInfo->PrefixLength != 32) {
Print (L"/%d", (UINTN) AddressInfo->PrefixLength);
}
}
if (IP_VERSION_6 == GetVerFromAddrInfo (AddressInfo)) {
Print (
L"%x:%x:%x:%x:%x:%x:%x:%x",
(((UINT16) AddressInfo->Address.v6.Addr[0]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[1]),
(((UINT16) AddressInfo->Address.v6.Addr[2]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[3]),
(((UINT16) AddressInfo->Address.v6.Addr[4]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[5]),
(((UINT16) AddressInfo->Address.v6.Addr[6]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[7]),
(((UINT16) AddressInfo->Address.v6.Addr[8]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[9]),
(((UINT16) AddressInfo->Address.v6.Addr[10]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[11]),
(((UINT16) AddressInfo->Address.v6.Addr[12]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[13]),
(((UINT16) AddressInfo->Address.v6.Addr[14]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[15])
);
if (AddressInfo->PrefixLength != 128) {
Print (L"/%d", AddressInfo->PrefixLength);
}
}
}
/**
Private function called to print EFI_IP_ADDRESS content.
@param[in] IpAddress The pointer to the EFI_IP_ADDRESS structure.
**/
VOID
DumpIpAddress (
IN EFI_IP_ADDRESS *IpAddress
)
{
if (IP_VERSION_4 == GetVerFromIpAddr (IpAddress)) {
Print (
L"%d.%d.%d.%d",
(UINTN) IpAddress->v4.Addr[0],
(UINTN) IpAddress->v4.Addr[1],
(UINTN) IpAddress->v4.Addr[2],
(UINTN) IpAddress->v4.Addr[3]
);
}
if (IP_VERSION_6 == GetVerFromIpAddr (IpAddress)) {
Print (
L"%x:%x:%x:%x:%x:%x:%x:%x",
(((UINT16) IpAddress->v6.Addr[0]) << 8) | ((UINT16) IpAddress->v6.Addr[1]),
(((UINT16) IpAddress->v6.Addr[2]) << 8) | ((UINT16) IpAddress->v6.Addr[3]),
(((UINT16) IpAddress->v6.Addr[4]) << 8) | ((UINT16) IpAddress->v6.Addr[5]),
(((UINT16) IpAddress->v6.Addr[6]) << 8) | ((UINT16) IpAddress->v6.Addr[7]),
(((UINT16) IpAddress->v6.Addr[8]) << 8) | ((UINT16) IpAddress->v6.Addr[9]),
(((UINT16) IpAddress->v6.Addr[10]) << 8) | ((UINT16) IpAddress->v6.Addr[11]),
(((UINT16) IpAddress->v6.Addr[12]) << 8) | ((UINT16) IpAddress->v6.Addr[13]),
(((UINT16) IpAddress->v6.Addr[14]) << 8) | ((UINT16) IpAddress->v6.Addr[15])
);
}
}
/**
Private function called to print EFI_IPSEC_SPD_SELECTOR content.
@param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
**/
VOID
DumpSpdSelector (
IN EFI_IPSEC_SPD_SELECTOR *Selector
)
{
UINT32 Index;
CHAR16 *Str;
for (Index = 0; Index < Selector->LocalAddressCount; Index++) {
if (Index > 0) {
Print (L",");
}
DumpAddressInfo (&Selector->LocalAddress[Index]);
}
if (Index == 0) {
Print (L"localhost");
}
Print (L" -> ");
for (Index = 0; Index < Selector->RemoteAddressCount; Index++) {
if (Index > 0) {
Print (L",");
}
DumpAddressInfo (&Selector->RemoteAddress[Index]);
}
Str = MapIntegerToString (Selector->NextLayerProtocol, mMapIpProtocol);
if (Str != NULL) {
Print (L" %s", Str);
} else {
Print (L" proto:%d", (UINTN) Selector->NextLayerProtocol);
}
if ((Selector->NextLayerProtocol == EFI_IP4_PROTO_TCP) || (Selector->NextLayerProtocol == EFI_IP4_PROTO_UDP)) {
Print (L" port:");
if (Selector->LocalPort != EFI_IPSEC_ANY_PORT) {
Print (L"%d", Selector->LocalPort);
if (Selector->LocalPortRange != 0) {
Print (L"~%d", (UINTN) Selector->LocalPort + Selector->LocalPortRange);
}
} else {
Print (L"any");
}
Print (L" -> ");
if (Selector->RemotePort != EFI_IPSEC_ANY_PORT) {
Print (L"%d", Selector->RemotePort);
if (Selector->RemotePortRange != 0) {
Print (L"~%d", (UINTN) Selector->RemotePort + Selector->RemotePortRange);
}
} else {
Print (L"any");
}
} else if (Selector->NextLayerProtocol == EFI_IP4_PROTO_ICMP) {
Print (L" class/code:");
if (Selector->LocalPort != 0) {
Print (L"%d", (UINTN) (UINT8) Selector->LocalPort);
} else {
Print (L"any");
}
Print (L"/");
if (Selector->RemotePort != 0) {
Print (L"%d", (UINTN) (UINT8) Selector->RemotePort);
} else {
Print (L"any");
}
}
}
/**
Print EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA content.
@param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
@param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
@param[in] EntryIndex The pointer to the Index in SPD Database.
@retval EFI_SUCCESS Dump SPD information successfully.
**/
EFI_STATUS
DumpSpdEntry (
IN EFI_IPSEC_SPD_SELECTOR *Selector,
IN EFI_IPSEC_SPD_DATA *Data,
IN UINTN *EntryIndex
)
{
BOOLEAN HasPre;
CHAR16 DataName[128];
CHAR16 *String1;
CHAR16 *String2;
CHAR16 *String3;
UINT8 Index;
Print (L"%d.", (*EntryIndex)++);
//
// xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300~400
// Protect PF:0x34323423 Name:First Entry
// ext-sequence sequence-overflow fragcheck life:[B0,S1024,H3600]
// ESP algo1 algo2 Tunnel [xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx set]
//
DumpSpdSelector (Selector);
Print (L"\n ");
Print (L"%s ", MapIntegerToString (Data->Action, mMapIpSecAction));
Print (L"PF:%08x ", Data->PackageFlag);
Index = 0;
while (Data->Name[Index] != 0) {
DataName[Index] = (CHAR16) Data->Name[Index];
Index++;
ASSERT (Index < 128);
}
DataName[Index] = L'\0';
Print (L"Name:%s", DataName);
if (Data->Action == EfiIPsecActionProtect) {
Print (L"\n ");
if (Data->ProcessingPolicy->ExtSeqNum) {
Print (L"ext-sequence ");
}
if (Data->ProcessingPolicy->SeqOverflow) {
Print (L"sequence-overflow ");
}
if (Data->ProcessingPolicy->FragCheck) {
Print (L"fragment-check ");
}
HasPre = FALSE;
if (Data->ProcessingPolicy->SaLifetime.ByteCount != 0) {
Print (HasPre ? L"," : L"life:[");
Print (L"%lxB", Data->ProcessingPolicy->SaLifetime.ByteCount);
HasPre = TRUE;
}
if (Data->ProcessingPolicy->SaLifetime.SoftLifetime != 0) {
Print (HasPre ? L"," : L"life:[");
Print (L"%lxs", Data->ProcessingPolicy->SaLifetime.SoftLifetime);
HasPre = TRUE;
}
if (Data->ProcessingPolicy->SaLifetime.HardLifetime != 0) {
Print (HasPre ? L"," : L"life:[");
Print (L"%lxS", Data->ProcessingPolicy->SaLifetime.HardLifetime);
HasPre = TRUE;
}
if (HasPre) {
Print (L"]");
}
if (HasPre || Data->ProcessingPolicy->ExtSeqNum ||
Data->ProcessingPolicy->SeqOverflow || Data->ProcessingPolicy->FragCheck) {
Print (L"\n ");
}
String1 = MapIntegerToString (Data->ProcessingPolicy->Proto, mMapIpSecProtocol);
String2 = MapIntegerToString (Data->ProcessingPolicy->AuthAlgoId, mMapAuthAlgo);
String3 = MapIntegerToString (Data->ProcessingPolicy->EncAlgoId, mMapEncAlgo);
Print (
L"%s Auth:%s Encrypt:%s ",
String1,
String2,
String3
);
Print (L"%s ", MapIntegerToString (Data->ProcessingPolicy->Mode, mMapIpSecMode));
if (Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
Print (L"[");
DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress);
Print (L" -> ");
DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress);
Print (L" %s]", MapIntegerToString (Data->ProcessingPolicy->TunnelOption->DF, mMapDfOption));
}
}
Print (L"\n");
return EFI_SUCCESS;
}
/**
Print EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 content.
@param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure.
@param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
@param[in] EntryIndex The pointer to the Index in the SAD Database.
@retval EFI_SUCCESS Dump SAD information successfully.
**/
EFI_STATUS
DumpSadEntry (
IN EFI_IPSEC_SA_ID *SaId,
IN EFI_IPSEC_SA_DATA2 *Data,
IN UINTN *EntryIndex
)
{
BOOLEAN HasPre;
CHAR16 *AuthAlgoStr;
CHAR16 *EncAlgoStr;
AuthAlgoStr = NULL;
EncAlgoStr = NULL;
//
// SPI:1234 ESP Destination:xxx.xxx.xxx.xxx
// Mode:Transport SeqNum:134 AntiReplayWin:64 life:[0B,1023s,3400S] PathMTU:34
// Auth:xxxx/password Encrypt:yyyy/password
// xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300~400
//
Print (L"%d.", (*EntryIndex)++);
Print (L"0x%x %s ", (UINTN) SaId->Spi, MapIntegerToString (SaId->Proto, mMapIpSecProtocol));
if (Data->Mode == EfiIPsecTunnel) {
Print (L"TunnelSourceAddress:");
DumpIpAddress (&Data->TunnelSourceAddress);
Print (L"\n");
Print (L" TunnelDestination:");
DumpIpAddress (&Data->TunnelDestinationAddress);
Print (L"\n");
}
Print (
L" Mode:%s SeqNum:%lx AntiReplayWin:%d ",
MapIntegerToString (Data->Mode, mMapIpSecMode),
Data->SNCount,
(UINTN) Data->AntiReplayWindows
);
HasPre = FALSE;
if (Data->SaLifetime.ByteCount != 0) {
Print (HasPre ? L"," : L"life:[");
Print (L"%lxB", Data->SaLifetime.ByteCount);
HasPre = TRUE;
}
if (Data->SaLifetime.SoftLifetime != 0) {
Print (HasPre ? L"," : L"life:[");
Print (L"%lxs", Data->SaLifetime.SoftLifetime);
HasPre = TRUE;
}
if (Data->SaLifetime.HardLifetime != 0) {
Print (HasPre ? L"," : L"life:[");
Print (L"%lxS", Data->SaLifetime.HardLifetime);
HasPre = TRUE;
}
if (HasPre) {
Print (L"] ");
}
Print (L"PathMTU:%d\n", (UINTN) Data->PathMTU);
if (SaId->Proto == EfiIPsecAH) {
Print (
L" Auth:%s/%s\n",
MapIntegerToString (Data->AlgoInfo.AhAlgoInfo.AuthAlgoId, mMapAuthAlgo),
Data->AlgoInfo.AhAlgoInfo.AuthKey
);
} else {
AuthAlgoStr = MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.AuthAlgoId, mMapAuthAlgo);
EncAlgoStr = MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.EncAlgoId, mMapEncAlgo);
if (Data->ManualSet) {
//
// if the SAD is set manually the key is a Ascii string in most of time.
// Print the Key in Ascii string format.
//
Print (L" Auth:%s/",AuthAlgoStr);
DumpAsciiString (
Data->AlgoInfo.EspAlgoInfo.AuthKey,
Data->AlgoInfo.EspAlgoInfo.AuthKeyLength
);
Print (L"\n Encrypt:%s/",EncAlgoStr);
DumpAsciiString (
Data->AlgoInfo.EspAlgoInfo.EncKey,
Data->AlgoInfo.EspAlgoInfo.EncKeyLength
);
} else {
//
// if the SAD is created by IKE, the key is a set of hex value in buffer.
// Print the Key in Hex format.
//
Print (L" Auth:%s/",AuthAlgoStr);
DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.AuthKey), Data->AlgoInfo.EspAlgoInfo.AuthKeyLength);
Print (L"\n Encrypt:%s/",EncAlgoStr);
DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.EncKey), Data->AlgoInfo.EspAlgoInfo.EncKeyLength);
}
}
Print (L"\n");
if (Data->SpdSelector != NULL) {
Print (L" ");
DumpSpdSelector (Data->SpdSelector);
Print (L"\n");
}
return EFI_SUCCESS;
}
/**
Print EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA content.
@param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
@param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
@param[in] EntryIndex The pointer to the Index in the PAD Database.
@retval EFI_SUCCESS Dump PAD information successfully.
**/
EFI_STATUS
DumpPadEntry (
IN EFI_IPSEC_PAD_ID *PadId,
IN EFI_IPSEC_PAD_DATA *Data,
IN UINTN *EntryIndex
)
{
CHAR16 *String1;
CHAR16 *String2;
//
// ADDR:10.23.17.34/15
// IDEv1 PreSharedSecret IKE-ID
// password
//
Print (L"%d.", (*EntryIndex)++);
if (PadId->PeerIdValid) {
Print (L"ID:%s", PadId->Id.PeerId);
} else {
Print (L"ADDR:");
DumpAddressInfo (&PadId->Id.IpAddress);
}
Print (L"\n");
String1 = MapIntegerToString (Data->AuthProtocol, mMapAuthProto);
String2 = MapIntegerToString (Data->AuthMethod, mMapAuthMethod);
Print (
L" %s %s",
String1,
String2
);
if (Data->IkeIdFlag) {
Print (L"IKE-ID");
}
Print (L"\n");
if (Data->AuthData != NULL) {
DumpAsciiString (Data->AuthData, Data->AuthDataSize);
Print (L"\n");
}
if (Data->RevocationData != NULL) {
Print (L" %s\n", Data->RevocationData);
}
return EFI_SUCCESS;
}
VISIT_POLICY_ENTRY mDumpPolicyEntry[] = {
(VISIT_POLICY_ENTRY) DumpSpdEntry,
(VISIT_POLICY_ENTRY) DumpSadEntry,
(VISIT_POLICY_ENTRY) DumpPadEntry
};
/**
Print all entry information in the database according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Dump all information successfully.
@retval Others Some mistaken case.
**/
EFI_STATUS
ListPolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN LIST_ENTRY *ParamPackage
)
{
UINTN EntryIndex;
EntryIndex = 0;
return ForeachPolicyEntry (DataType, mDumpPolicyEntry[DataType], &EntryIndex);
}


@ -1,28 +0,0 @@
/** @file
The function declaration of dump policy entry function in IpSecConfig application.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _DUMP_H_
#define _DUMP_H_
/**
Print all entry information in the database according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Dump all information successfully.
@retval Others Some mistaken case.
**/
EFI_STATUS
ListPolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN LIST_ENTRY *ParamPackage
);
#endif


@ -1,109 +0,0 @@
/** @file
The implementation to go through each entry in IpSecConfig application.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecConfig.h"
#include "ForEach.h"
/**
Enumerate all entries in the database to execute specified operations according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] Routine The pointer to the function of a specified operation.
@param[in] Context The pointer to the context of a function.
@retval EFI_SUCCESS Execute specified operation successfully.
**/
EFI_STATUS
ForeachPolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN VISIT_POLICY_ENTRY Routine,
IN VOID *Context
)
{
EFI_STATUS GetNextStatus;
EFI_STATUS GetDataStatus;
EFI_IPSEC_CONFIG_SELECTOR *Selector;
VOID *Data;
UINTN SelectorSize;
UINTN DataSize;
BOOLEAN FirstGetNext;
FirstGetNext = TRUE;
SelectorSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);
Selector = AllocateZeroPool (SelectorSize);
DataSize = 0;
Data = NULL;
while (TRUE) {
GetNextStatus = mIpSecConfig->GetNextSelector (
mIpSecConfig,
DataType,
&SelectorSize,
Selector
);
if (GetNextStatus == EFI_BUFFER_TOO_SMALL) {
gBS->FreePool (Selector);
Selector = FirstGetNext ? AllocateZeroPool (SelectorSize) : AllocatePool (SelectorSize);
GetNextStatus = mIpSecConfig->GetNextSelector (
mIpSecConfig,
DataType,
&SelectorSize,
Selector
);
}
if (EFI_ERROR (GetNextStatus)) {
break;
}
FirstGetNext = FALSE;
GetDataStatus = mIpSecConfig->GetData (
mIpSecConfig,
DataType,
Selector,
&DataSize,
Data
);
if (GetDataStatus == EFI_BUFFER_TOO_SMALL) {
if (Data != NULL) {
gBS->FreePool (Data);
}
Data = AllocateZeroPool (DataSize);
GetDataStatus = mIpSecConfig->GetData (
mIpSecConfig,
DataType,
Selector,
&DataSize,
Data
);
}
ASSERT_EFI_ERROR (GetDataStatus);
if (EFI_ERROR (Routine (Selector, Data, Context))) {
break;
}
}
if (Data != NULL) {
gBS->FreePool (Data);
}
if (Selector != NULL) {
gBS->FreePool (Selector);
}
return EFI_SUCCESS;
}


@ -1,48 +0,0 @@
/** @file
The internal structure and function declaration of the implementation
to go through each entry in IpSecConfig application.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _FOREACH_H_
#define _FOREACH_H_
/**
The prototype for the DumpSpdEntry()/DumpSadEntry()/DumpPadEntry().
Print EFI_IPSEC_CONFIG_SELECTOR and corresponding content.
@param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.
@param[in] Data The pointer to the corresponding data.
@param[in] Context The pointer to the Index in SPD/SAD/PAD Database.
@retval EFI_SUCCESS Dump SPD/SAD/PAD information successfully.
**/
typedef
EFI_STATUS
(*VISIT_POLICY_ENTRY) (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN VOID *Context
);
/**
Enumerate all entry in the database to execute a specified operation according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] Routine The pointer to function of a specified operation.
@param[in] Context The pointer to the context of a function.
@retval EFI_SUCCESS Execute specified operation successfully.
**/
EFI_STATUS
ForeachPolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN VISIT_POLICY_ENTRY Routine,
IN VOID *Context
);
#endif


@ -1,414 +0,0 @@
/** @file
The assistant function implementation for IpSecConfig application.
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecConfig.h"
#include "Helper.h"
/**
Helper function called to change an input parameter in the string format to a number.
@param[in] FlagStr The pointer to the flag string.
@param[in] Maximum Greatest value number.
@param[in, out] ValuePtr The pointer to the input parameter in string format.
@param[in] ByteCount The valid byte count
@param[in] Map The pointer to the STR2INT table.
@param[in] ParamPackage The pointer to the ParamPackage list.
@param[in] FormatMask The bit mask.
BIT 0 set indicates the value of a flag might be a number.
BIT 1 set indicates the value of a flag might be a string that needs to be looked up.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_NOT_FOUND The input parameter can't be found.
@retval EFI_INVALID_PARAMETER The input parameter is an invalid input.
**/
EFI_STATUS
GetNumber (
IN CHAR16 *FlagStr,
IN UINT64 Maximum,
IN OUT VOID *ValuePtr,
IN UINTN ByteCount,
IN STR2INT *Map,
IN LIST_ENTRY *ParamPackage,
IN UINT32 FormatMask
)
{
EFI_STATUS Status;
UINT64 Value64;
BOOLEAN Converted;
UINTN Index;
CONST CHAR16 *ValueStr;
ASSERT (FormatMask & (FORMAT_NUMBER | FORMAT_STRING));
Converted = FALSE;
Value64 = 0;
ValueStr = ShellCommandLineGetValue (ParamPackage, FlagStr);
if (ValueStr == NULL) {
return EFI_NOT_FOUND;
} else {
//
// Try to convert to integer directly if MaybeNumber is TRUE.
//
if ((FormatMask & FORMAT_NUMBER) != 0) {
Value64 = StrToUInteger (ValueStr, &Status);
if (!EFI_ERROR (Status)) {
//
// Convert successfully.
//
if (Value64 > Maximum) {
//
// But the result is invalid
//
ShellPrintHiiEx (
-1,
-1,
NULL,
STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
mHiiHandle,
mAppName,
FlagStr,
ValueStr
);
return EFI_INVALID_PARAMETER;
}
Converted = TRUE;
}
}
if (!Converted && ((FormatMask & FORMAT_STRING) != 0)) {
//
// Convert falied, so use String->Integer map.
//
ASSERT (Map != NULL);
Value64 = MapStringToInteger (ValueStr, Map);
if (Value64 == (UINT32) -1) {
//
// Cannot find the string in the map.
//
ShellPrintHiiEx (
-1,
-1,
NULL,
STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
mHiiHandle,
mAppName,
FlagStr,
ValueStr
);
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ACCEPT_PARAMETERS), mHiiHandle);
for (Index = 0; Map[Index].String != NULL; Index++) {
Print (L" %s", Map[Index].String);
}
Print (L"\n");
return EFI_INVALID_PARAMETER;
}
}
CopyMem (ValuePtr, &Value64, ByteCount);
return EFI_SUCCESS;
}
}
/**
Helper function called to convert a string containing an Ipv4 or Ipv6 Internet Protocol address
into a proper address for the EFI_IP_ADDRESS structure.
@param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.
@param[out] Ip The pointer to the EFI_IP_ADDRESS structure to contain the result.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_INVALID_PARAMETER Invalid parameter.
**/
EFI_STATUS
EfiInetAddr2 (
IN CHAR16 *Ptr,
OUT EFI_IP_ADDRESS *Ip
)
{
EFI_STATUS Status;
if ((Ptr == NULL) || (Ip == NULL)) {
return EFI_INVALID_PARAMETER;
}
//
// Parse the input address as Ipv4 Address first.
//
Status = NetLibStrToIp4 (Ptr, &Ip->v4);
if (!EFI_ERROR (Status)) {
return Status;
}
Status = NetLibStrToIp6 (Ptr, &Ip->v6);
return Status;
}
/**
Helper function called to calculate the prefix length associated with the string
containing an Ipv4 or Ipv6 Internet Protocol address.
@param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.
@param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to contain the result.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval Others Other mistake case.
**/
EFI_STATUS
EfiInetAddrRange (
IN CHAR16 *Ptr,
OUT EFI_IP_ADDRESS_INFO *Addr
)
{
EFI_STATUS Status;
if ((Ptr == NULL) || (Addr == NULL)) {
return EFI_INVALID_PARAMETER;
}
Status = NetLibStrToIp4 (Ptr, &Addr->Address.v4);
if (!EFI_ERROR (Status)) {
if ((UINT32)(*Addr->Address.v4.Addr) == 0) {
Addr->PrefixLength = 0;
} else {
Addr->PrefixLength = 32;
}
return Status;
}
Status = NetLibStrToIp6andPrefix (Ptr, &Addr->Address.v6, &Addr->PrefixLength);
if (!EFI_ERROR (Status) && (Addr->PrefixLength == 0xFF)) {
Addr->PrefixLength = 128;
}
return Status;
}
/**
Helper function called to calculate the port range associated with the string.
@param[in] Ptr The pointer to the string containing a port and range.
@param[out] Port The pointer to the Port to contain the result.
@param[out] PortRange The pointer to the PortRange to contain the result.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval Others Other mistake case.
**/
EFI_STATUS
EfiInetPortRange (
IN CHAR16 *Ptr,
OUT UINT16 *Port,
OUT UINT16 *PortRange
)
{
CHAR16 *BreakPtr;
CHAR16 Ch;
EFI_STATUS Status;
for (BreakPtr = Ptr; (*BreakPtr != L'\0') && (*BreakPtr != L':'); BreakPtr++) {
;
}
Ch = *BreakPtr;
*BreakPtr = L'\0';
*Port = (UINT16) StrToUInteger (Ptr, &Status);
*BreakPtr = Ch;
if (EFI_ERROR (Status)) {
return Status;
}
*PortRange = 0;
if (*BreakPtr == L':') {
BreakPtr++;
*PortRange = (UINT16) StrToUInteger (BreakPtr, &Status);
if (EFI_ERROR (Status)) {
return Status;
}
if (*PortRange < *Port) {
return EFI_INVALID_PARAMETER;
}
*PortRange = (UINT16) (*PortRange - *Port);
}
return EFI_SUCCESS;
}
/**
Helper function called to transfer a string to an unsigned integer.
@param[in] Str The pointer to the string.
@param[out] Status The operation status.
@return The integer value of converted Str.
**/
UINT64
StrToUInteger (
IN CONST CHAR16 *Str,
OUT EFI_STATUS *Status
)
{
UINT64 Value;
UINT64 NewValue;
CHAR16 *StrTail;
CHAR16 Char;
UINTN Base;
UINTN Len;
Base = 10;
Value = 0;
*Status = EFI_ABORTED;
//
// Skip leading white space.
//
while ((*Str != 0) && (*Str == ' ')) {
Str++;
}
//
// For NULL Str, just return.
//
if (*Str == 0) {
return 0;
}
//
// Skip white space in tail.
//
Len = StrLen (Str);
StrTail = (CHAR16 *) (Str + Len - 1);
while (*StrTail == ' ') {
*StrTail = 0;
StrTail--;
}
Len = StrTail - Str + 1;
//
// Check hex prefix '0x'.
//
if ((Len >= 2) && (*Str == '0') && ((*(Str + 1) == 'x') || (*(Str + 1) == 'X'))) {
Str += 2;
Len -= 2;
Base = 16;
}
if (Len == 0) {
return 0;
}
//
// Convert the string to value.
//
for (; Str <= StrTail; Str++) {
Char = *Str;
if (Base == 16) {
if (RShiftU64 (Value, 60) != 0) {
//
// Overflow here x16.
//
return 0;
}
NewValue = LShiftU64 (Value, 4);
} else {
if (RShiftU64 (Value, 61) != 0) {
//
// Overflow here x8.
//
return 0;
}
NewValue = LShiftU64 (Value, 3);
Value = LShiftU64 (Value, 1);
NewValue += Value;
if (NewValue < Value) {
//
// Overflow here.
//
return 0;
}
}
Value = NewValue;
if ((Base == 16) && (Char >= 'a') && (Char <= 'f')) {
Char = (CHAR16) (Char - 'a' + 'A');
}
if ((Base == 16) && (Char >= 'A') && (Char <= 'F')) {
Value += (Char - 'A') + 10;
} else if ((Char >= '0') && (Char <= '9')) {
Value += (Char - '0');
} else {
//
// Unexpected Char encountered.
//
return 0;
}
}
*Status = EFI_SUCCESS;
return Value;
}
/**
Helper function called to transfer a string to an unsigned integer according to the map table.
@param[in] Str The pointer to the string.
@param[in] Map The pointer to the map table.
@return The integer value of converted Str. If not found, then return -1.
**/
UINT32
MapStringToInteger (
IN CONST CHAR16 *Str,
IN STR2INT *Map
)
{
STR2INT *Item;
for (Item = Map; Item->String != NULL; Item++) {
if (StrCmp (Item->String, Str) == 0) {
return Item->Integer;
}
}
return (UINT32) -1;
}
/**
Helper function called to transfer an unsigned integer to a string according to the map table.
@param[in] Integer The pointer to the string.
@param[in] Map The pointer to the map table.
@return The converted Str. If not found, then return NULL.
**/
CHAR16 *
MapIntegerToString (
IN UINT32 Integer,
IN STR2INT *Map
)
{
STR2INT *Item;
for (Item = Map; Item->String != NULL; Item++) {
if (Integer == Item->Integer) {
return Item->String;
}
}
return NULL;
}


@ -1,137 +0,0 @@
/** @file
The assistant function declaration for IpSecConfig application.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _HELPER_H_
#define _HELPER_H_
#define FORMAT_NUMBER 0x1
#define FORMAT_STRING 0x2
/**
Helper function called to change input parameter in string format to number.
@param[in] FlagStr The pointer to the flag string.
@param[in] Maximum most value number.
@param[in, out] ValuePtr The pointer to the input parameter in string format.
@param[in] ByteCount The valid byte count
@param[in] Map The pointer to the STR2INT table.
@param[in] ParamPackage The pointer to the ParamPackage list.
@param[in] FormatMask The bit mask.
BIT 0 set indicates the value of flag might be number.
BIT 1 set indicates the value of flag might be a string that needs to be looked up.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_NOT_FOUND The input parameter can't be found.
@retval EFI_INVALID_PARAMETER The input parameter is an invalid input.
**/
EFI_STATUS
GetNumber (
IN CHAR16 *FlagStr,
IN UINT64 Maximum,
IN OUT VOID *ValuePtr,
IN UINTN ByteCount,
IN STR2INT *Map,
IN LIST_ENTRY *ParamPackage,
IN UINT32 FormatMask
);
/**
Helper function called to convert a string containing an (Ipv4) Internet Protocol dotted address
into a proper address for the EFI_IP_ADDRESS structure.
@param[in] Ptr The pointer to the string containing an (Ipv4) Internet Protocol dotted address.
@param[out] Ip The pointer to the Ip address structure to contain the result.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_INVALID_PARAMETER Invalid parameter.
**/
EFI_STATUS
EfiInetAddr2 (
IN CHAR16 *Ptr,
OUT EFI_IP_ADDRESS *Ip
);
/**
Helper function called to calculate the prefix length associated with the string
containing an Ipv4 or Ipv6 Internet Protocol address.
@param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.
@param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to contain the result.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval Others Other mistake case.
**/
EFI_STATUS
EfiInetAddrRange (
IN CHAR16 *Ptr,
OUT EFI_IP_ADDRESS_INFO *Addr
);
/**
Helper function called to calculate the port range associated with the string.
@param[in] Ptr The pointer to the string containing a port and range.
@param[out] Port The pointer to the Port to contain the result.
@param[out] PortRange The pointer to the PortRange to contain the result.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval Others Other mistake case.
**/
EFI_STATUS
EfiInetPortRange (
IN CHAR16 *Ptr,
OUT UINT16 *Port,
OUT UINT16 *PortRange
);
/**
Helper function called to transfer a string to an unsigned integer.
@param[in] Str The pointer to the string.
@param[out] Status The operation status.
@return The integer value of a converted str.
**/
UINT64
StrToUInteger (
IN CONST CHAR16 *Str,
OUT EFI_STATUS *Status
);
/**
Helper function called to transfer a string to an unsigned integer according to the map table.
@param[in] Str The pointer to the string.
@param[in] Map The pointer to the map table.
@return The integer value of converted str. If not found, then return -1.
**/
UINT32
MapStringToInteger (
IN CONST CHAR16 *Str,
IN STR2INT *Map
);
/**
Helper function called to transfer an unsigned integer to a string according to the map table.
@param[in] Integer The pointer to the string.
@param[in] Map The pointer to the map table.
@return The converted str. If not found, then return NULL.
**/
CHAR16 *
MapIntegerToString (
IN UINT32 Integer,
IN STR2INT *Map
);
#endif


@ -1,249 +0,0 @@
/** @file
The implementation of construct ENTRY_INDEXER in IpSecConfig application.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecConfig.h"
#include "Indexer.h"
#include "Helper.h"
/**
Fill in SPD_ENTRY_INDEXER through ParamPackage list.
@param[in, out] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfully.
**/
EFI_STATUS
ConstructSpdIndexer (
IN OUT SPD_ENTRY_INDEXER *Indexer,
IN LIST_ENTRY *ParamPackage
)
{
EFI_STATUS Status;
UINT64 Value64;
CONST CHAR16 *ValueStr;
ValueStr = NULL;
if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
} else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
} else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
} else {
return EFI_INVALID_PARAMETER;
}
if (ValueStr == NULL) {
return EFI_INVALID_PARAMETER;
}
Value64 = StrToUInteger (ValueStr, &Status);
if (!EFI_ERROR (Status)) {
Indexer->Index = (UINTN) Value64;
ZeroMem (Indexer->Name, MAX_PEERID_LEN);
} else {
UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) Indexer->Name, MAX_PEERID_LEN);
}
return EFI_SUCCESS;
}
/**
Fill in SAD_ENTRY_INDEXER through ParamPackage list.
@param[in, out] Indexer The pointer to the SAD_ENTRY_INDEXER structure.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfully.
@retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage list.
**/
EFI_STATUS
ConstructSadIndexer (
IN OUT SAD_ENTRY_INDEXER *Indexer,
IN LIST_ENTRY *ParamPackage
)
{
EFI_STATUS Status;
EFI_STATUS Status1;
UINT64 Value64;
CONST CHAR16 *ValueStr;
ValueStr = NULL;
if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
} else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
} else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
} else {
return EFI_INVALID_PARAMETER;
}
if (ValueStr == NULL) {
return EFI_INVALID_PARAMETER;
}
Value64 = StrToUInteger (ValueStr, &Status);
if (!EFI_ERROR (Status)) {
Indexer->Index = (UINTN) Value64;
ZeroMem (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID));
} else {
if ((!ShellCommandLineGetFlag (ParamPackage, L"--lookup-spi")) ||
(!ShellCommandLineGetFlag (ParamPackage, L"--lookup-ipsec-proto")) ||
(!ShellCommandLineGetFlag (ParamPackage, L"--lookup-dest"))) {
ShellPrintHiiEx (
-1,
-1,
NULL,
STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
mHiiHandle,
mAppName,
L"--lookup-spi --lookup-ipsec-proto --lookup-dest"
);
return EFI_INVALID_PARAMETER;
}
Status = GetNumber (
L"--lookup-spi",
(UINT32) -1,
&Indexer->SaId.Spi,
sizeof (UINT32),
NULL,
ParamPackage,
FORMAT_NUMBER
);
Status1 = GetNumber (
L"--lookup-ipsec-proto",
0,
&Indexer->SaId.Proto,
sizeof (EFI_IPSEC_PROTOCOL_TYPE),
mMapIpSecProtocol,
ParamPackage,
FORMAT_STRING
);
if (EFI_ERROR (Status) || EFI_ERROR (Status1)) {
return EFI_INVALID_PARAMETER;
}
ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-dest");
ASSERT (ValueStr != NULL);
Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &Indexer->SaId.DestAddress);
if (EFI_ERROR (Status)) {
ShellPrintHiiEx (
-1,
-1,
NULL,
STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
mHiiHandle,
mAppName,
L"--lookup-dest",
ValueStr
);
return EFI_INVALID_PARAMETER;
}
}
return EFI_SUCCESS;
}
/**
Fill in PAD_ENTRY_INDEXER through ParamPackage list.
@param[in, out] Indexer The pointer to the PAD_ENTRY_INDEXER structure.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Filled in PAD_ENTRY_INDEXER successfully.
@retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage list.
**/
EFI_STATUS
ConstructPadIndexer (
IN OUT PAD_ENTRY_INDEXER *Indexer,
IN LIST_ENTRY *ParamPackage
)
{
EFI_STATUS Status;
UINT64 Value64;
CONST CHAR16 *ValueStr;
ValueStr = NULL;
if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
} else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
} else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
} else {
return EFI_INVALID_PARAMETER;
}
if (ValueStr == NULL) {
return EFI_INVALID_PARAMETER;
}
Value64 = StrToUInteger (ValueStr, &Status);
if (!EFI_ERROR (Status)) {
Indexer->Index = (UINTN) Value64;
ZeroMem (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID));
} else {
if (ShellCommandLineGetFlag (ParamPackage, L"--lookup-peer-address")) {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-peer-address");
ASSERT (ValueStr != NULL);
Indexer->PadId.PeerIdValid = FALSE;
Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &Indexer->PadId.Id.IpAddress);
if (EFI_ERROR (Status)) {
ShellPrintHiiEx (
-1,
-1,
NULL,
STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
mHiiHandle,
mAppName,
L"--lookup-peer-address",
ValueStr
);
return EFI_INVALID_PARAMETER;
}
} else {
ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-peer-id");
if (ValueStr == NULL) {
ShellPrintHiiEx (
-1,
-1,
NULL,
STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
mHiiHandle,
mAppName,
L"--lookup-peer-address --lookup-peer-id"
);
return EFI_INVALID_PARAMETER;
}
Indexer->PadId.PeerIdValid = TRUE;
ZeroMem (Indexer->PadId.Id.PeerId, MAX_PEERID_LEN);
StrnCpyS ((CHAR16 *) Indexer->PadId.Id.PeerId, MAX_PEERID_LEN / sizeof (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1);
}
}
return EFI_SUCCESS;
}
CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[] = {
(CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSpdIndexer,
(CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSadIndexer,
(CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructPadIndexer
};


@ -1,52 +0,0 @@
/** @file
The internal structure and function declaration to construct ENTRY_INDEXER in
IpSecConfig application.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _INDEXER_H_
#define _INDEXER_H_
typedef struct {
UINT8 Name[MAX_PEERID_LEN];
UINTN Index; // Used only if Name buffer is filled with zero.
} SPD_ENTRY_INDEXER;
typedef struct {
EFI_IPSEC_SA_ID SaId;
UINTN Index;
} SAD_ENTRY_INDEXER;
typedef struct {
EFI_IPSEC_PAD_ID PadId;
UINTN Index;
} PAD_ENTRY_INDEXER;
typedef union {
SPD_ENTRY_INDEXER Spd;
SAD_ENTRY_INDEXER Sad;
PAD_ENTRY_INDEXER Pad;
} POLICY_ENTRY_INDEXER;
/**
The prototype for the ConstructSpdIndexer()/ConstructSadIndexer()/ConstructPadIndexer().
Fill in SPD_ENTRY_INDEXER/SAD_ENTRY_INDEXER/PAD_ENTRY_INDEXER through ParamPackage list.
@param[in, out] Indexer The pointer to the POLICY_ENTRY_INDEXER union.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Filled in POLICY_ENTRY_INDEXER successfully.
**/
typedef
EFI_STATUS
(* CONSTRUCT_POLICY_ENTRY_INDEXER) (
IN POLICY_ENTRY_INDEXER *Indexer,
IN LIST_ENTRY *ParamPackage
);
extern CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[];
#endif


@ -1,806 +0,0 @@
/** @file
The main process for IpSecConfig application.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/HiiLib.h>
#include <Protocol/IpSec.h>
#include "IpSecConfig.h"
#include "Dump.h"
#include "Indexer.h"
#include "PolicyEntryOperation.h"
#include "Delete.h"
#include "Helper.h"
//
// String token ID of IpSecConfig command help message text.
//
GLOBAL_REMOVE_IF_UNREFERENCED EFI_STRING_ID mStringIpSecHelpTokenId = STRING_TOKEN (STR_IPSEC_CONFIG_HELP);
//
// Used for ShellCommandLineParseEx only
// and to ensure user inputs are in valid format
//
SHELL_PARAM_ITEM mIpSecConfigParamList[] = {
{ L"-p", TypeValue },
{ L"-a", TypeValue },
{ L"-i", TypeValue },
{ L"-e", TypeValue },
{ L"-d", TypeValue },
{ L"-f", TypeFlag },
{ L"-l", TypeFlag },
{ L"-enable", TypeFlag },
{ L"-disable", TypeFlag },
{ L"-status", TypeFlag },
//
// SPD Selector
//
{ L"--local", TypeValue },
{ L"--remote", TypeValue },
{ L"--proto", TypeValue },
{ L"--local-port", TypeValue },
{ L"--remote-port", TypeValue },
{ L"--icmp-type", TypeValue },
{ L"--icmp-code", TypeValue },
//
// SPD Data
//
{ L"--name", TypeValue },
{ L"--packet-flag", TypeValue },
{ L"--action", TypeValue },
{ L"--lifebyte", TypeValue },
{ L"--lifetime-soft", TypeValue },
{ L"--lifetime", TypeValue },
{ L"--mode", TypeValue },
{ L"--tunnel-local", TypeValue },
{ L"--tunnel-remote", TypeValue },
{ L"--dont-fragment", TypeValue },
{ L"--ipsec-proto", TypeValue },
{ L"--auth-algo", TypeValue },
{ L"--encrypt-algo", TypeValue },
{ L"--ext-sequence", TypeFlag },
{ L"--sequence-overflow", TypeFlag },
{ L"--fragment-check", TypeFlag },
{ L"--ext-sequence-", TypeFlag },
{ L"--sequence-overflow-", TypeFlag },
{ L"--fragment-check-", TypeFlag },
//
// SA ID
// --ipsec-proto
//
{ L"--spi", TypeValue },
{ L"--tunnel-dest", TypeValue },
{ L"--tunnel-source", TypeValue },
{ L"--lookup-spi", TypeValue },
{ L"--lookup-ipsec-proto", TypeValue },
{ L"--lookup-dest", TypeValue },
//
// SA DATA
// --mode
// --auth-algo
// --encrypt-algo
//
{ L"--sequence-number", TypeValue },
{ L"--antireplay-window", TypeValue },
{ L"--auth-key", TypeValue },
{ L"--encrypt-key", TypeValue },
{ L"--path-mtu", TypeValue },
//
// PAD ID
//
{ L"--peer-id", TypeValue },
{ L"--peer-address", TypeValue },
{ L"--auth-proto", TypeValue },
{ L"--auth-method", TypeValue },
{ L"--ike-id", TypeValue },
{ L"--ike-id-", TypeValue },
{ L"--auth-data", TypeValue },
{ L"--revocation-data", TypeValue },
{ L"--lookup-peer-id", TypeValue },
{ L"--lookup-peer-address", TypeValue },
{ NULL, TypeMax },
};
//
// -P
//
STR2INT mMapPolicy[] = {
{ L"SPD", IPsecConfigDataTypeSpd },
{ L"SAD", IPsecConfigDataTypeSad },
{ L"PAD", IPsecConfigDataTypePad },
{ NULL, 0 },
};
//
// --proto
//
STR2INT mMapIpProtocol[] = {
{ L"TCP", EFI_IP4_PROTO_TCP },
{ L"UDP", EFI_IP4_PROTO_UDP },
{ L"ICMP", EFI_IP4_PROTO_ICMP },
{ NULL, 0 },
};
//
// --action
//
STR2INT mMapIpSecAction[] = {
{ L"Bypass", EfiIPsecActionBypass },
{ L"Discard", EfiIPsecActionDiscard },
{ L"Protect", EfiIPsecActionProtect },
{ NULL, 0 },
};
//
// --mode
//
STR2INT mMapIpSecMode[] = {
{ L"Transport", EfiIPsecTransport },
{ L"Tunnel", EfiIPsecTunnel },
{ NULL, 0 },
};
//
// --dont-fragment
//
STR2INT mMapDfOption[] = {
{ L"clear", EfiIPsecTunnelClearDf },
{ L"set", EfiIPsecTunnelSetDf },
{ L"copy", EfiIPsecTunnelCopyDf },
{ NULL, 0 },
};
//
// --ipsec-proto
//
STR2INT mMapIpSecProtocol[] = {
{ L"AH", EfiIPsecAH },
{ L"ESP", EfiIPsecESP },
{ NULL, 0 },
};
//
// --auth-algo
//
STR2INT mMapAuthAlgo[] = {
{ L"NONE", IPSEC_AALG_NONE },
{ L"MD5HMAC", IPSEC_AALG_MD5HMAC },
{ L"SHA1HMAC", IPSEC_AALG_SHA1HMAC },
{ L"SHA2-256HMAC", IPSEC_AALG_SHA2_256HMAC },
{ L"SHA2-384HMAC", IPSEC_AALG_SHA2_384HMAC },
{ L"SHA2-512HMAC", IPSEC_AALG_SHA2_512HMAC },
{ L"AES-XCBC-MAC", IPSEC_AALG_AES_XCBC_MAC },
{ L"NULL", IPSEC_AALG_NULL },
{ NULL, 0 },
};
//
// --encrypt-algo
//
STR2INT mMapEncAlgo[] = {
{ L"NONE", IPSEC_EALG_NONE },
{ L"DESCBC", IPSEC_EALG_DESCBC },
{ L"3DESCBC", IPSEC_EALG_3DESCBC },
{ L"CASTCBC", IPSEC_EALG_CASTCBC },
{ L"BLOWFISHCBC", IPSEC_EALG_BLOWFISHCBC },
{ L"NULL", IPSEC_EALG_NULL },
{ L"AESCBC", IPSEC_EALG_AESCBC },
{ L"AESCTR", IPSEC_EALG_AESCTR },
{ L"AES-CCM-ICV8", IPSEC_EALG_AES_CCM_ICV8 },
{ L"AES-CCM-ICV12",IPSEC_EALG_AES_CCM_ICV12 },
{ L"AES-CCM-ICV16",IPSEC_EALG_AES_CCM_ICV16 },
{ L"AES-GCM-ICV8", IPSEC_EALG_AES_GCM_ICV8 },
{ L"AES-GCM-ICV12",IPSEC_EALG_AES_GCM_ICV12 },
{ L"AES-GCM-ICV16",IPSEC_EALG_AES_GCM_ICV16 },
{ NULL, 0 },
};
//
// --auth-proto
//
STR2INT mMapAuthProto[] = {
{ L"IKEv1", EfiIPsecAuthProtocolIKEv1 },
{ L"IKEv2", EfiIPsecAuthProtocolIKEv2 },
{ NULL, 0 },
};
//
// --auth-method
//
STR2INT mMapAuthMethod[] = {
{ L"PreSharedSecret", EfiIPsecAuthMethodPreSharedSecret },
{ L"Certificates", EfiIPsecAuthMethodCertificates },
{ NULL, 0 },
};
EFI_IPSEC2_PROTOCOL *mIpSec;
EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig;
EFI_HII_HANDLE mHiiHandle;
CHAR16 mAppName[] = L"IpSecConfig";
//
// Used for IpSecConfigRetriveCheckListByName only to check the validation of user input
//
VAR_CHECK_ITEM mIpSecConfigVarCheckList[] = {
{ L"-enable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-disable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-status", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-p", BIT(1), 0, BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-a", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-i", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-d", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-e", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-l", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-f", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
{ L"-?", BIT(0), BIT(0), BIT(2)|BIT(1)|BIT(0), 0 },
//
// SPD Selector
//
{ L"--local", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--remote", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--proto", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--local-port", 0, 0, BIT(2)|BIT(1), BIT(0) },
{ L"--remote-port", 0, 0, BIT(2)|BIT(1), BIT(0) },
{ L"--icmp-type", 0, 0, BIT(2)|BIT(1), BIT(1) },
{ L"--icmp-code", 0, 0, BIT(2)|BIT(1), BIT(1) },
//
// SPD Data
//
{ L"--name", 0, 0, BIT(2), 0 },
{ L"--packet-flag", 0, 0, BIT(2), 0 },
{ L"--action", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--lifebyte", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--lifetime-soft", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--lifetime", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--mode", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--tunnel-local", 0, 0, BIT(2), 0 },
{ L"--tunnel-remote", 0, 0, BIT(2), 0 },
{ L"--dont-fragment", 0, 0, BIT(2), 0 },
{ L"--ipsec-proto", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--auth-algo", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--encrypt-algo", 0, 0, BIT(2)|BIT(1), 0 },
{ L"--ext-sequence", 0, 0, BIT(2), BIT(2) },
{ L"--sequence-overflow", 0, 0, BIT(2), BIT(2) },
{ L"--fragment-check", 0, 0, BIT(2), BIT(2) },
{ L"--ext-sequence-", 0, 0, BIT(2), BIT(3) },
{ L"--sequence-overflow-", 0, 0, BIT(2), BIT(3) },
{ L"--fragment-check-", 0, 0, BIT(2), BIT(3) },
//
// SA ID
// --ipsec-proto
//
{ L"--spi", 0, 0, BIT(1), 0 },
{ L"--tunnel-dest", 0, 0, BIT(1), 0 },
{ L"--tunnel-source", 0, 0, BIT(1), 0 },
{ L"--lookup-spi", 0, 0, BIT(1), 0 },
{ L"--lookup-ipsec-proto", 0, 0, BIT(1), 0 },
{ L"--lookup-dest", 0, 0, BIT(1), 0 },
//
// SA DATA
// --mode
// --auth-algo
// --encrypt-algo
//
{ L"--sequence-number", 0, 0, BIT(1), 0 },
{ L"--antireplay-window", 0, 0, BIT(1), 0 },
{ L"--auth-key", 0, 0, BIT(1), 0 },
{ L"--encrypt-key", 0, 0, BIT(1), 0 },
{ L"--path-mtu", 0, 0, BIT(1), 0 },
//
// The example to add a PAD:
// "-A --peer-id Mike [--peer-address 10.23.2.2] --auth-proto IKE1/IKE2
// --auth-method PreSharedSeceret/Certificate --ike-id
// --auth-data 343343 --revocation-data 2342432"
// The example to delete a PAD:
// "-D * --lookup-peer-id Mike [--lookup-peer-address 10.23.2.2]"
// "-D 1"
// The example to edit a PAD:
// "-E * --lookup-peer-id Mike --auth-method Certificate"
//
// PAD ID
//
{ L"--peer-id", 0, 0, BIT(0), BIT(4) },
{ L"--peer-address", 0, 0, BIT(0), BIT(5) },
{ L"--auth-proto", 0, 0, BIT(0), 0 },
{ L"--auth-method", 0, 0, BIT(0), 0 },
{ L"--IKE-ID", 0, 0, BIT(0), BIT(6) },
{ L"--IKE-ID-", 0, 0, BIT(0), BIT(7) },
{ L"--auth-data", 0, 0, BIT(0), 0 },
{ L"--revocation-data", 0, 0, BIT(0), 0 },
{ L"--lookup-peer-id", 0, 0, BIT(0), BIT(4) },
{ L"--lookup-peer-address",0, 0, BIT(0), BIT(5) },
{ NULL, 0, 0, 0, 0 },
};
/**
The function to allocate the proper sized buffer for various
EFI interfaces.
@param[in, out] Status Current status.
@param[in, out] Buffer Current allocated buffer, or NULL.
@param[in] BufferSize Current buffer size needed
@retval TRUE If the buffer was reallocated and the caller should try the API again.
@retval FALSE If the buffer was not reallocated successfully.
**/
BOOLEAN
GrowBuffer (
IN OUT EFI_STATUS *Status,
IN OUT VOID **Buffer,
IN UINTN BufferSize
)
{
BOOLEAN TryAgain;
ASSERT (Status != NULL);
ASSERT (Buffer != NULL);
//
// If this is an initial request, buffer will be null with a new buffer size.
//
if ((NULL == *Buffer) && (BufferSize != 0)) {
*Status = EFI_BUFFER_TOO_SMALL;
}
//
// If the status code is "buffer too small", resize the buffer.
//
TryAgain = FALSE;
if (*Status == EFI_BUFFER_TOO_SMALL) {
if (*Buffer != NULL) {
FreePool (*Buffer);
}
*Buffer = AllocateZeroPool (BufferSize);
if (*Buffer != NULL) {
TryAgain = TRUE;
} else {
*Status = EFI_OUT_OF_RESOURCES;
}
}
//
// If there's an error, free the buffer.
//
if (!TryAgain && EFI_ERROR (*Status) && (*Buffer != NULL)) {
FreePool (*Buffer);
*Buffer = NULL;
}
return TryAgain;
}
/**
Function returns an array of handles that support the requested protocol
in a buffer allocated from a pool.
@param[in] SearchType Specifies which handle(s) are to be returned.
@param[in] Protocol Provides the protocol to search by.
This parameter is only valid for SearchType ByProtocol.
@param[in] SearchKey Supplies the search key depending on the SearchType.
@param[in, out] NoHandles The number of handles returned in Buffer.
@param[out] Buffer A pointer to the buffer to return the requested array of
handles that support Protocol.
@retval EFI_SUCCESS The resulting array of handles was returned.
@retval Others Other mistake case.
**/
EFI_STATUS
LocateHandle (
IN EFI_LOCATE_SEARCH_TYPE SearchType,
IN EFI_GUID *Protocol OPTIONAL,
IN VOID *SearchKey OPTIONAL,
IN OUT UINTN *NoHandles,
OUT EFI_HANDLE **Buffer
)
{
EFI_STATUS Status;
UINTN BufferSize;
ASSERT (NoHandles != NULL);
ASSERT (Buffer != NULL);
//
// Initialize for GrowBuffer loop.
//
Status = EFI_SUCCESS;
*Buffer = NULL;
BufferSize = 50 * sizeof (EFI_HANDLE);
//
// Call the real function.
//
while (GrowBuffer (&Status, (VOID **) Buffer, BufferSize)) {
Status = gBS->LocateHandle (
SearchType,
Protocol,
SearchKey,
&BufferSize,
*Buffer
);
}
*NoHandles = BufferSize / sizeof (EFI_HANDLE);
if (EFI_ERROR (Status)) {
*NoHandles = 0;
}
return Status;
}
/**
Find the first instance of this protocol in the system and return its interface.
@param[in] ProtocolGuid The guid of the protocol.
@param[out] Interface The pointer to the first instance of the protocol.
@retval EFI_SUCCESS A protocol instance matching ProtocolGuid was found.
@retval Others A protocol instance matching ProtocolGuid was not found.
**/
EFI_STATUS
LocateProtocol (
IN EFI_GUID *ProtocolGuid,
OUT VOID **Interface
)
{
EFI_STATUS Status;
UINTN NumberHandles;
UINTN Index;
EFI_HANDLE *Handles;
*Interface = NULL;
Handles = NULL;
NumberHandles = 0;
Status = LocateHandle (ByProtocol, ProtocolGuid, NULL, &NumberHandles, &Handles);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_INFO, "LibLocateProtocol: Handle not found\n"));
return Status;
}
for (Index = 0; Index < NumberHandles; Index++) {
ASSERT (Handles != NULL);
Status = gBS->HandleProtocol (
Handles[Index],
ProtocolGuid,
Interface
);
if (!EFI_ERROR (Status)) {
break;
}
}
if (Handles != NULL) {
FreePool (Handles);
}
return Status;
}
/**
Helper function called to check the conflicted flags.
@param[in] CheckList The pointer to the VAR_CHECK_ITEM table.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS No conflicted flags.
@retval EFI_INVALID_PARAMETER The input parameter is erroroneous or there are some conflicted flags.
**/
EFI_STATUS
IpSecConfigRetriveCheckListByName (
IN VAR_CHECK_ITEM *CheckList,
IN LIST_ENTRY *ParamPackage
)
{
LIST_ENTRY *Node;
VAR_CHECK_ITEM *Item;
UINT32 Attribute1;
UINT32 Attribute2;
UINT32 Attribute3;
UINT32 Attribute4;
UINT32 Index;
Attribute1 = 0;
Attribute2 = 0;
Attribute3 = 0;
Attribute4 = 0;
Index = 0;
Item = mIpSecConfigVarCheckList;
if ((ParamPackage == NULL) || (CheckList == NULL)) {
return EFI_INVALID_PARAMETER;
}
//
// Enumerate through the list of parameters that are input by user.
//
for (Node = GetFirstNode (ParamPackage); !IsNull (ParamPackage, Node); Node = GetNextNode (ParamPackage, Node)) {
if (((SHELL_PARAM_PACKAGE *) Node)->Name != NULL) {
//
// Enumerate the check list that defines the conflicted attributes of each flag.
//
for (; Item->VarName != NULL; Item++) {
if (StrCmp (((SHELL_PARAM_PACKAGE *) Node)->Name, Item->VarName) == 0) {
Index++;
if (Index == 1) {
Attribute1 = Item->Attribute1;
Attribute2 = Item->Attribute2;
Attribute3 = Item->Attribute3;
Attribute4 = Item->Attribute4;
} else {
Attribute1 &= Item->Attribute1;
Attribute2 |= Item->Attribute2;
Attribute3 &= Item->Attribute3;
Attribute4 |= Item->Attribute4;
if (Attribute1 != 0) {
return EFI_INVALID_PARAMETER;
}
if (Attribute2 != 0) {
if ((Index == 2) && (StrCmp (Item->VarName, L"-p") == 0)) {
continue;
}
return EFI_INVALID_PARAMETER;
}
if (Attribute3 == 0) {
return EFI_INVALID_PARAMETER;
}
if (((Attribute4 & 0xFF) == 0x03) || ((Attribute4 & 0xFF) == 0x0C) ||
((Attribute4 & 0xFF) == 0x30) || ((Attribute4 & 0xFF) == 0xC0)) {
return EFI_INVALID_PARAMETER;
}
}
break;
}
}
Item = mIpSecConfigVarCheckList;
}
}
return EFI_SUCCESS;
}
/**
This is the declaration of an EFI image entry point. This entry point is
the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including
both device drivers and bus drivers.
The entry point for IpSecConfig application that parse the command line input and call an IpSecConfig process.
@param[in] ImageHandle The image handle of this application.
@param[in] SystemTable The pointer to the EFI System Table.
@retval EFI_SUCCESS The operation completed successfully.
**/
EFI_STATUS
EFIAPI
InitializeIpSecConfig (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
EFI_STATUS Status;
EFI_IPSEC_CONFIG_DATA_TYPE DataType;
UINT8 Value;
LIST_ENTRY *ParamPackage;
CONST CHAR16 *ValueStr;
CHAR16 *ProblemParam;
UINTN NonOptionCount;
EFI_HII_PACKAGE_LIST_HEADER *PackageList;
//
// Retrieve HII package list from ImageHandle
//
Status = gBS->OpenProtocol (
ImageHandle,
&gEfiHiiPackageListProtocolGuid,
(VOID **) &PackageList,
ImageHandle,
NULL,
EFI_OPEN_PROTOCOL_GET_PROTOCOL
);
if (EFI_ERROR (Status)) {
return Status;
}
//
// Publish HII package list to HII Database.
//
Status = gHiiDatabase->NewPackageList (
gHiiDatabase,
PackageList,
NULL,
&mHiiHandle
);
if (EFI_ERROR (Status)) {
return Status;
}
ASSERT (mHiiHandle != NULL);
Status = ShellCommandLineParseEx (mIpSecConfigParamList, &ParamPackage, &ProblemParam, TRUE, FALSE);
if (EFI_ERROR (Status)) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, ProblemParam);
goto Done;
}
Status = IpSecConfigRetriveCheckListByName (mIpSecConfigVarCheckList, ParamPackage);
if (EFI_ERROR (Status)) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_MISTAKEN_OPTIONS), mHiiHandle);
goto Done;
}
Status = LocateProtocol (&gEfiIpSecConfigProtocolGuid, (VOID **) &mIpSecConfig);
if (EFI_ERROR (Status) || mIpSecConfig == NULL) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);
goto Done;
}
Status = LocateProtocol (&gEfiIpSec2ProtocolGuid, (VOID **) &mIpSec);
if (EFI_ERROR (Status) || mIpSec == NULL) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);
goto Done;
}
//
// Enable IPsec.
//
if (ShellCommandLineGetFlag (ParamPackage, L"-enable")) {
if (!(mIpSec->DisabledFlag)) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_ENABLE), mHiiHandle, mAppName);
} else {
//
// Set enable flag.
//
Value = IPSEC_STATUS_ENABLED;
Status = gRT->SetVariable (
IPSECCONFIG_STATUS_NAME,
&gEfiIpSecConfigProtocolGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
sizeof (Value),
&Value
);
if (!EFI_ERROR (Status)) {
mIpSec->DisabledFlag = FALSE;
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_SUCCESS), mHiiHandle, mAppName);
} else {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_FAILED), mHiiHandle, mAppName);
}
}
goto Done;
}
//
// Disable IPsec.
//
if (ShellCommandLineGetFlag (ParamPackage, L"-disable")) {
if (mIpSec->DisabledFlag) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_DISABLE), mHiiHandle, mAppName);
} else {
//
// Set disable flag; however, leave it to be disabled in the callback function of DisabledEvent.
//
gBS->SignalEvent (mIpSec->DisabledEvent);
if (mIpSec->DisabledFlag) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_SUCCESS), mHiiHandle, mAppName);
} else {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_FAILED), mHiiHandle, mAppName);
}
}
goto Done;
}
//
//IPsec Status.
//
if (ShellCommandLineGetFlag (ParamPackage, L"-status")) {
if (mIpSec->DisabledFlag) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_DISABLE), mHiiHandle, mAppName);
} else {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_ENABLE), mHiiHandle, mAppName);
}
goto Done;
}
//
// Try to get policy database type.
//
DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) - 1;
ValueStr = ShellCommandLineGetValue (ParamPackage, L"-p");
if (ValueStr != NULL) {
DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) MapStringToInteger (ValueStr, mMapPolicy);
if (DataType == -1) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_DB), mHiiHandle, mAppName, ValueStr);
goto Done;
}
}
NonOptionCount = ShellCommandLineGetCount (ParamPackage);
if ((NonOptionCount - 1) > 0) {
ValueStr = ShellCommandLineGetRawValue (ParamPackage, (UINT32) (NonOptionCount - 1));
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_REDUNDANCY_MANY), mHiiHandle, mAppName, ValueStr);
goto Done;
}
if (DataType == -1) {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_DB), mHiiHandle, mAppName);
goto Done;
}
if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {
Status = AddOrInsertPolicyEntry (DataType, ParamPackage);
if (EFI_ERROR (Status)) {
goto Done;
}
} else if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
Status = AddOrInsertPolicyEntry (DataType, ParamPackage);
if (EFI_ERROR (Status)) {
goto Done;
}
} else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
Status = EditPolicyEntry (DataType, ParamPackage);
if (EFI_ERROR (Status)) {
goto Done;
}
} else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);
if (EFI_ERROR (Status)) {
goto Done;
}
} else if (ShellCommandLineGetFlag (ParamPackage, L"-f")) {
Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);
if (EFI_ERROR (Status)) {
goto Done;
}
} else if (ShellCommandLineGetFlag (ParamPackage, L"-l")) {
Status = ListPolicyEntry (DataType, ParamPackage);
if (EFI_ERROR (Status)) {
goto Done;
}
} else {
ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, mAppName);
goto Done;
}
Done:
ShellCommandLineFreeVarList (ParamPackage);
HiiRemovePackages (mHiiHandle);
return EFI_SUCCESS;
}


@ -1,143 +0,0 @@
/** @file
The internal structure and function declaration in IpSecConfig application.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _IPSEC_CONFIG_H_
#define _IPSEC_CONFIG_H_
#include <Library/BaseMemoryLib.h>
#include <Library/UefiLib.h>
#include <Library/ShellLib.h>
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiHiiServicesLib.h>
#include <Library/NetLib.h>
#include <Protocol/IpSecConfig.h>
#define IPSECCONFIG_STATUS_NAME L"IpSecStatus"
#define BIT(x) (UINT32) (1 << (x))
#define IPSEC_STATUS_DISABLED 0x0
#define IPSEC_STATUS_ENABLED 0x1
#define EFI_IP4_PROTO_ICMP 0x1
#define EFI_IP4_PROTO_TCP 0x6
#define EFI_IP4_PROTO_UDP 0x11
#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF
#define EFI_IPSEC_ANY_PORT 0
///
/// IPsec Authentication Algorithm Definition
/// The number value definition is aligned to IANA assignment
///
#define IPSEC_AALG_NONE 0x00
#define IPSEC_AALG_MD5HMAC 0x01
#define IPSEC_AALG_SHA1HMAC 0x02
#define IPSEC_AALG_SHA2_256HMAC 0x05
#define IPSEC_AALG_SHA2_384HMAC 0x06
#define IPSEC_AALG_SHA2_512HMAC 0x07
#define IPSEC_AALG_AES_XCBC_MAC 0x09
#define IPSEC_AALG_NULL 0xFB
///
/// IPsec Encryption Algorithm Definition
/// The number value definition is aligned to IANA assignment
///
#define IPSEC_EALG_NONE 0x00
#define IPSEC_EALG_DESCBC 0x02
#define IPSEC_EALG_3DESCBC 0x03
#define IPSEC_EALG_CASTCBC 0x06
#define IPSEC_EALG_BLOWFISHCBC 0x07
#define IPSEC_EALG_NULL 0x0B
#define IPSEC_EALG_AESCBC 0x0C
#define IPSEC_EALG_AESCTR 0x0D
#define IPSEC_EALG_AES_CCM_ICV8 0x0E
#define IPSEC_EALG_AES_CCM_ICV12 0x0F
#define IPSEC_EALG_AES_CCM_ICV16 0x10
#define IPSEC_EALG_AES_GCM_ICV8 0x12
#define IPSEC_EALG_AES_GCM_ICV12 0x13
#define IPSEC_EALG_AES_GCM_ICV16 0x14
typedef struct {
CHAR16 *VarName;
UINT32 Attribute1;
UINT32 Attribute2;
UINT32 Attribute3;
UINT32 Attribute4;
} VAR_CHECK_ITEM;
typedef struct {
LIST_ENTRY Link;
CHAR16 *Name;
SHELL_PARAM_TYPE Type;
CHAR16 *Value;
UINTN OriginalPosition;
} SHELL_PARAM_PACKAGE;
typedef struct {
CHAR16 *String;
UINT32 Integer;
} STR2INT;
extern EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig;
extern EFI_HII_HANDLE mHiiHandle;
extern CHAR16 mAppName[];
//
// -P
//
extern STR2INT mMapPolicy[];
//
// --proto
//
extern STR2INT mMapIpProtocol[];
//
// --action
//
extern STR2INT mMapIpSecAction[];
//
// --mode
//
extern STR2INT mMapIpSecMode[];
//
// --dont-fragment
//
extern STR2INT mMapDfOption[];
//
// --ipsec-proto
//
extern STR2INT mMapIpSecProtocol[];
//
// --auth-algo
//
extern STR2INT mMapAuthAlgo[];
//
// --encrypt-algo
//
extern STR2INT mMapEncAlgo[];
//
// --auth-proto
//
extern STR2INT mMapAuthProto[];
//
// --auth-method
//
extern STR2INT mMapAuthMethod[];
#endif


@ -1,70 +0,0 @@
## @file
# Shell application IpSecConfig.
#
# This application is used to set and retrieve security and policy related information
# for the EFI IPsec protocol driver.
#
# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
[Defines]
INF_VERSION = 0x00010006
BASE_NAME = IpSecConfig
FILE_GUID = 0922E604-F5EC-42ef-980D-A35E9A2B1844
MODULE_TYPE = UEFI_APPLICATION
VERSION_STRING = 1.0
ENTRY_POINT = InitializeIpSecConfig
MODULE_UNI_FILE = IpSecConfig.uni
#
#
# This flag specifies whether HII resource section is generated into PE image.
#
UEFI_HII_RESOURCE_SECTION = TRUE
[Sources]
IpSecConfigStrings.uni
IpSecConfig.c
IpSecConfig.h
Dump.c
Dump.h
Indexer.c
Indexer.h
Match.c
Match.h
Delete.h
Delete.c
Helper.c
Helper.h
ForEach.c
ForEach.h
PolicyEntryOperation.c
PolicyEntryOperation.h
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
ShellPkg/ShellPkg.dec
[LibraryClasses]
UefiBootServicesTableLib
UefiApplicationEntryPoint
UefiHiiServicesLib
BaseMemoryLib
ShellLib
MemoryAllocationLib
DebugLib
HiiLib
NetLib
UefiLib
[Protocols]
gEfiIpSec2ProtocolGuid ##CONSUMES
gEfiIpSecConfigProtocolGuid ##CONSUMES
gEfiHiiPackageListProtocolGuid ##CONSUMES
[UserExtensions.TianoCore."ExtraFiles"]
IpSecConfigExtra.uni


@ -1,17 +0,0 @@
// /** @file
// Shell application IpSecConfig.
//
// This application is used to set and retrieve security and policy related information
// for the EFI IPsec protocol driver.
//
// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
// **/
#string STR_MODULE_ABSTRACT #language en-US "Shell application IpSecConfig"
#string STR_MODULE_DESCRIPTION #language en-US "This application is used to set and retrieve security and policy related information for the EFI IPsec protocol driver."


@ -1,14 +0,0 @@
// /** @file
// IpSecConfig Localized Strings and Content
//
// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
// **/
#string STR_PROPERTIES_MODULE_NAME
#language en-US
"IpSec Config App"


@ -1,127 +0,0 @@
/** @file
String definitions for the Shell IpSecConfig application.
Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#langdef en-US "English"
#string STR_IPSEC_CONFIG_UNKNOWN_OPERATION #language en-US "%s: Operation not specified.\n"
#string STR_IPSEC_CONFIG_INCORRECT_DB #language en-US "%s: Incorrect Database - %s.\n"
#string STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT #language en-US "%s: IPSEC_CONFIG protocol inexistent.\n"
#string STR_IPSEC_CONFIG_MISSING_DB #language en-US "%s: Missing Database.\n"
#string STR_IPSEC_CONFIG_FILE_OPEN_FAILED #language en-US "%s: Open file failed - %s.\n"
#string STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE #language en-US "%s: Incorrect value of %s - %s.\n"
#string STR_IPSEC_CONFIG_ACCEPT_PARAMETERS #language en-US " Values could be:"
#string STR_IPSEC_CONFIG_MISSING_PARAMETER #language en-US "%s: Missing parameter - %s.\n"
#string STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS #language en-US "%s: Missing one of the parameters - %s.\n"
#string STR_IPSEC_CONFIG_UNWANTED_PARAMETER #language en-US "%s: Unwanted parameter - %s.\n"
#string STR_IPSEC_CONFIG_INSERT_FAILED #language en-US "%s: Policy entry insertion failed!\n"
#string STR_IPSEC_CONFIG_DELETE_FAILED #language en-US "%s: Policy entry deletion failed!\n"
#string STR_IPSEC_CONFIG_EDIT_FAILED #language en-US "%s: Policy entry edit failed!\n"
#string STR_IPSEC_CONFIG_ALREADY_EXISTS #language en-US "%s: Policy entry already exists!\n"
#string STR_IPSEC_CONFIG_INDEX_NOT_FOUND #language en-US "%s: Specified index not found!\n"
#string STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED #language en-US "%s: Index should be Specified!\n"
#string STR_IPSEC_CONFIG_INSERT_UNSUPPORT #language en-US "%s: Policy entry insertion not supported!\n"
#string STR_IPSEC_MISTAKEN_OPTIONS #language en-US "Mistaken Input. Please refer to %H"IpSecConfig -?"%N for more help information.\n"
#string STR_IPSEC_REDUNDANCY_MANY #language en-US "%s has one redundancy option: %H%s%N\n"
#string STR_IPSEC_CONFIG_ALREADY_ENABLE #language en-US "IPsec has been already enabled!\n"
#string STR_IPSEC_CONFIG_ENABLE_SUCCESS #language en-US "Enable IPsec ! \n"
#string STR_IPSEC_CONFIG_DISABLE_SUCCESS #language en-US "Disable IPsec ! \n"
#string STR_IPSEC_CONFIG_ALREADY_DISABLE #language en-US "IPsec has been already disabled !\n"
#string STR_IPSEC_CONFIG_STATUS_ENABLE #language en-US "IPsec Status : Enabled ! \n"
#string STR_IPSEC_CONFIG_STATUS_DISABLE #language en-US "IPsec Status : Disabled ! \n"
#string STR_IPSEC_CONFIG_ENABLE_FAILED #language en-US "Error: Enable IPsec failed !\n"
#string STR_IPSEC_CONFIG_DISABLE_FAILED #language en-US "Error: Disable IPsec failed !\n"
#string STR_IPSEC_CONFIG_HELP #language en-US ""
".TH IpSecConfig 0 "Displays or modifies the current IPsec configuration."\r\n"
".SH NAME\r\n"
"Displays or modifies the current IPsec configuration.\r\n"
".SH SYNOPSIS\r\n"
" \r\n"
"%HIpSecConfig [-p {SPD|SAD|PAD}] [command] [options[parameters]]\r\n"
".SH OPTIONS\r\n"
" \r\n"
"%H-p (SPD|SAD|PAD)%N required.point to certain policy database.\r\n"
" \r\n"
"%Hcommand%N:\r\n"
" -a [options[parameters]] Add new policy entry.\r\n"
" -i entryid [options[parameters]] Insert new policy entry before the one\r\n"
" matched by the entryid.\r\n"
" It's only supported on SPD policy database.\r\n"
" -d entryid Delete the policy entry matched by the \r\n"
" entryid.\r\n"
" -e entryid [options[parameters]] Edit the policy entry matched by the\r\n"
" entryid.\r\n"
" -f Flush the entire policy database.\r\n"
" -l List all entries for specified database.\r\n"
" -enable Enable IPsec.\r\n"
" -disable Disable IPsec.\r\n"
" -status Show IPsec current status.\r\n"
" \r\n"
"%H[options[parameters]]%N for %HSPD%N:\r\n"
" --local localaddress optional local address\r\n"
" --remote remoteaddress required remote address\r\n"
" --proto (TCP|UDP|ICMP|...) required IP protocol\r\n"
" --local-port port optional local port for tcp/udp protocol\r\n"
" --remote-port port optional remote port for tcp/udp protocol\r\n"
" --name name optional SPD name\r\n"
" --action (Bypass|Discard|Protect) required \r\n"
" required IPsec action\r\n"
" --mode (Transport|Tunnel) optional IPsec mode, transport by default\r\n"
" --ipsec-proto (AH|ESP) optional IPsec protocol, ESP by default\r\n"
" --auth-algo (NONE|SHA1HMAC) optional authentication algorithm\r\n"
" --encrypt-algo(NONE|DESCBC|3DESCBC)optional encryption algorithm\r\n"
" --tunnel-local tunnellocaladdr optional tunnel local address(only for tunnel mode)\r\n"
" --tunnel-remote tunnelremoteaddr optional tunnel remote address(only for tunnel mode)\r\n"
" \r\n"
"%H[options[parameters]]%N for %HSAD%N:\r\n"
" --spi spi required SPI value\r\n"
" --ipsec-proto (AH|ESP) required IPsec protocol\r\n"
" --local localaddress optional local address\r\n"
" --remote remoteaddress required destination address\r\n"
" --auth-algo (NONE|SHA1HMAC) required for AH. authentication algorithm\n"
" --auth-key key required for AH. key for authentication\r\n"
" --encrypt-algo (NONE|DESCBC|3DESCBC) required for ESP. encryption algorithm\r\n"
" --encrypt-key key required for ESP. key for encryption\r\n"
" --mode (Transport|Tunnel) optional IPsec mode, transport by default\r\n"
" --tunnel-dest tunneldestaddr optional tunnel destination address(only for tunnel mode)\r\n"
" --tunnel-source tunnelsourceaddr optional tunnel source address(only for tunnel mode)\r\n"
" \r\n"
"%H[options[parameters]]%N for %HPAD%N:\r\n"
" --peer-address address required peer address\r\n"
" --auth-proto (IKEv1|IKEv2) optional IKE protocol, IKEv1 by\r\n"
" default\r\n"
" --auth-method (PreSharedSecret|Certificates) required authentication method\r\n"
" --auth-data authdata required data for authentication\r\n"
" \r\n"


@ -1,157 +0,0 @@
/** @file
The implementation of match policy entry function in IpSecConfig application.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecConfig.h"
#include "Indexer.h"
#include "Match.h"
/**
Private function to validate a buffer that should be filled with zero.
@param[in] Memory The pointer to the buffer.
@param[in] Size The size of the buffer.
@retval TRUE The memory is filled with zero.
@retval FALSE The memory isn't filled with zero.
**/
BOOLEAN
IsMemoryZero (
IN VOID *Memory,
IN UINTN Size
)
{
UINTN Index;
for (Index = 0; Index < Size; Index++) {
if (*((UINT8 *) Memory + Index) != 0) {
return FALSE;
}
}
return TRUE;
}
/**
Find the matching SPD with Indexer.
@param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
@param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
@param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
@retval TRUE The matched SPD is found.
@retval FALSE The matched SPD is not found.
**/
BOOLEAN
MatchSpdEntry (
IN EFI_IPSEC_SPD_SELECTOR *Selector,
IN EFI_IPSEC_SPD_DATA *Data,
IN SPD_ENTRY_INDEXER *Indexer
)
{
BOOLEAN Match;
Match = FALSE;
if (!IsMemoryZero (Indexer->Name, MAX_PEERID_LEN)) {
if ((Data->Name != NULL) && (AsciiStrCmp ((CHAR8 *) Indexer->Name, (CHAR8 *) Data->Name) == 0)) {
Match = TRUE;
}
} else {
if (Indexer->Index == 0) {
Match = TRUE;
}
Indexer->Index--;
}
return Match;
}
/**
Find the matching SAD with Indexer.
@param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure.
@param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
@param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
@retval TRUE The matched SAD is found.
@retval FALSE The matched SAD is not found.
**/
BOOLEAN
MatchSadEntry (
IN EFI_IPSEC_SA_ID *SaId,
IN EFI_IPSEC_SA_DATA2 *Data,
IN SAD_ENTRY_INDEXER *Indexer
)
{
BOOLEAN Match;
Match = FALSE;
if (!IsMemoryZero (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID))) {
Match = (BOOLEAN) (CompareMem (&Indexer->SaId, SaId, sizeof (EFI_IPSEC_SA_ID)) == 0);
} else {
if (Indexer->Index == 0) {
Match = TRUE;
}
Indexer->Index--;
}
return Match;
}
/**
Find the matching PAD with Indexer.
@param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
@param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
@param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
@retval TRUE The matched PAD is found.
@retval FALSE The matched PAD is not found.
**/
BOOLEAN
MatchPadEntry (
IN EFI_IPSEC_PAD_ID *PadId,
IN EFI_IPSEC_PAD_DATA *Data,
IN PAD_ENTRY_INDEXER *Indexer
)
{
BOOLEAN Match;
Match = FALSE;
if (!IsMemoryZero (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID))) {
Match = (BOOLEAN) ((Indexer->PadId.PeerIdValid == PadId->PeerIdValid) &&
((PadId->PeerIdValid &&
(StrCmp (
(CONST CHAR16 *) Indexer->PadId.Id.PeerId,
(CONST CHAR16 *) PadId->Id.PeerId
) == 0)) ||
((!PadId->PeerIdValid) &&
(Indexer->PadId.Id.IpAddress.PrefixLength == PadId->Id.IpAddress.PrefixLength) &&
(CompareMem (
&Indexer->PadId.Id.IpAddress.Address,
&PadId->Id.IpAddress.Address,
sizeof (EFI_IP_ADDRESS)
) == 0))));
} else {
if (Indexer->Index == 0) {
Match = TRUE;
}
Indexer->Index--;
}
return Match;
}
MATCH_POLICY_ENTRY mMatchPolicyEntry[] = {
(MATCH_POLICY_ENTRY) MatchSpdEntry,
(MATCH_POLICY_ENTRY) MatchSadEntry,
(MATCH_POLICY_ENTRY) MatchPadEntry
};


@ -1,35 +0,0 @@
/** @file
The internal structure and function declaration of
match policy entry function in IpSecConfig application.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _MATCH_H_
#define _MATCH_H_
/**
The prototype for the MatchSpdEntry()/MatchSadEntry()/MatchPadEntry().
The functionality is to find the matching SPD/SAD/PAD with Indexer.
@param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.
@param[in] Data The pointer to corresponding Data.
@param[in] Indexer The pointer to the POLICY_ENTRY_INDEXER union.
@retval TRUE The matched SPD/SAD/PAD is found.
@retval FALSE The matched SPD/SAD/PAD is not found.
**/
typedef
BOOLEAN
(* MATCH_POLICY_ENTRY) (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN POLICY_ENTRY_INDEXER *Indexer
);
extern MATCH_POLICY_ENTRY mMatchPolicyEntry[];
#endif



@ -1,153 +0,0 @@
/** @file
The function declaration of policy entry operation in IpSecConfig application.
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _POLICY_ENTRY_OPERATION_H_
#define _POLICY_ENTRY_OPERATION_H_
#define LOCAL BIT(0)
#define REMOTE BIT(1)
#define PROTO BIT(2)
#define LOCAL_PORT BIT(3)
#define REMOTE_PORT BIT(4)
#define ICMP_TYPE BIT(5)
#define ICMP_CODE BIT(6)
#define NAME BIT(7)
#define PACKET_FLAG BIT(8)
#define ACTION BIT(9)
#define EXT_SEQUENCE BIT(10)
#define SEQUENCE_OVERFLOW BIT(11)
#define FRAGMENT_CHECK BIT(12)
#define LIFEBYTE BIT(13)
#define LIFETIME_SOFT BIT(14)
#define LIFETIME BIT(15)
#define MODE BIT(16)
#define TUNNEL_LOCAL BIT(17)
#define TUNNEL_REMOTE BIT(18)
#define DONT_FRAGMENT BIT(19)
#define IPSEC_PROTO BIT(20)
#define AUTH_ALGO BIT(21)
#define ENCRYPT_ALGO BIT(22)
#define SPI BIT(23)
#define DEST BIT(24)
#define SEQUENCE_NUMBER BIT(25)
#define ANTIREPLAY_WINDOW BIT(26)
#define AUTH_KEY BIT(27)
#define ENCRYPT_KEY BIT(28)
#define PATH_MTU BIT(29)
#define SOURCE BIT(30)
#define PEER_ID BIT(0)
#define PEER_ADDRESS BIT(1)
#define AUTH_PROTO BIT(2)
#define AUTH_METHOD BIT(3)
#define IKE_ID BIT(4)
#define AUTH_DATA BIT(5)
#define REVOCATION_DATA BIT(6)
typedef struct {
EFI_IPSEC_CONFIG_DATA_TYPE DataType;
EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted.
VOID *Data;
UINT32 Mask;
POLICY_ENTRY_INDEXER Indexer;
EFI_STATUS Status; // Indicate whether insertion succeeds.
} EDIT_POLICY_ENTRY_CONTEXT;
typedef struct {
EFI_IPSEC_CONFIG_DATA_TYPE DataType;
EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted.
VOID *Data;
POLICY_ENTRY_INDEXER Indexer;
EFI_STATUS Status; // Indicate whether insertion succeeds.
} INSERT_POLICY_ENTRY_CONTEXT;
/**
The prototype for the CreateSpdEntry()/CreateSadEntry()/CreatePadEntry().
Fill in EFI_IPSEC_CONFIG_SELECTOR and corresponding data thru ParamPackage list.
@param[out] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.
@param[out] Data The pointer to corresponding data.
@param[in] ParamPackage The pointer to the ParamPackage list.
@param[out] Mask The pointer to the Mask.
@param[in] CreateNew The switch to create new.
@retval EFI_SUCCESS Filled in EFI_IPSEC_CONFIG_SELECTOR and corresponding data successfully.
@retval EFI_INVALID_PARAMETER Invalid user input parameter.
**/
typedef
EFI_STATUS
(*CREATE_POLICY_ENTRY) (
OUT EFI_IPSEC_CONFIG_SELECTOR **Selector,
OUT VOID **Data,
IN LIST_ENTRY *ParamPackage,
OUT UINT32 *Mask,
IN BOOLEAN CreateNew
);
/**
The prototype for the CombineSpdEntry()/CombineSadEntry()/CombinePadEntry().
Combine old SPD/SAD/PAD entry with new SPD/SAD/PAD entry.
@param[in, out] OldSelector The pointer to the old EFI_IPSEC_CONFIG_SELECTOR union.
@param[in, out] OldData The pointer to the corresponding old data.
@param[in] NewSelector The pointer to the new EFI_IPSEC_CONFIG_SELECTOR union.
@param[in] NewData The pointer to the corresponding new data.
@param[in] Mask The pointer to the Mask.
@param[out] CreateNew The switch to create new.
@retval EFI_SUCCESS Combined successfully.
@retval EFI_INVALID_PARAMETER Invalid user input parameter.
**/
typedef
EFI_STATUS
(* COMBINE_POLICY_ENTRY) (
IN OUT EFI_IPSEC_CONFIG_SELECTOR *OldSelector,
IN OUT VOID *OldData,
IN EFI_IPSEC_CONFIG_SELECTOR *NewSelector,
IN VOID *NewData,
IN UINT32 Mask,
OUT BOOLEAN *CreateNew
);
/**
Insert or add entry information in database according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Insert or add entry information successfully.
@retval EFI_NOT_FOUND Can't find the specified entry.
@retval EFI_BUFFER_TOO_SMALL The entry already existed.
@retval EFI_UNSUPPORTED The operation is not supported./
@retval Others Some mistaken case.
**/
EFI_STATUS
AddOrInsertPolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN LIST_ENTRY *ParamPackage
);
/**
Edit entry information in the database according to datatype.
@param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
@param[in] ParamPackage The pointer to the ParamPackage list.
@retval EFI_SUCCESS Edit entry information successfully.
@retval EFI_NOT_FOUND Can't find the specified entry.
@retval Others Some mistaken case.
**/
EFI_STATUS
EditPolicyEntry (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN LIST_ENTRY *ParamPackage
);
#endif


@ -1,345 +0,0 @@
/** @file
UEFI Component Name(2) protocol implementation for IPsec driver.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecImpl.h"
//
// EFI Component Name Functions
//
/**
Retrieves a Unicode string that is the user-readable name of the driver.
This function retrieves the user-readable name of a driver in the form of a
Unicode string. If the driver specified by This has a user-readable name in
the language specified by Language, then a pointer to the driver name is
returned in DriverName, and EFI_SUCCESS is returned. If the driver specified
by This does not support the language specified by Language,
then EFI_UNSUPPORTED is returned.
@param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
EFI_COMPONENT_NAME_PROTOCOL instance.
@param[in] Language A pointer to a Null-terminated ASCII string
array indicating the language. This is the
language of the driver name that the caller is
requesting, and it must match one of the
languages specified in SupportedLanguages. The
number of languages supported by a driver is up
to the driver writer. Language is specified
in RFC 4646 or ISO 639-2 language code format.
@param[out] DriverName A pointer to the Unicode string to return.
This Unicode string is the name of the
driver specified by This in the language
specified by Language.
@retval EFI_SUCCESS The Unicode string for the Driver specified by
This and the language specified by Language was
returned in DriverName.
@retval EFI_INVALID_PARAMETER Language is NULL.
@retval EFI_INVALID_PARAMETER DriverName is NULL.
@retval EFI_UNSUPPORTED The driver specified by This does not support
the language specified by Language.
**/
EFI_STATUS
EFIAPI
IpSecComponentNameGetDriverName (
IN EFI_COMPONENT_NAME_PROTOCOL *This,
IN CHAR8 *Language,
OUT CHAR16 **DriverName
);
/**
Retrieves a Unicode string that is the user-readable name of the controller
that is being managed by a driver.
This function retrieves the user-readable name of the controller specified by
ControllerHandle and ChildHandle in the form of a Unicode string. If the
driver specified by This has a user-readable name in the language specified by
Language, then a pointer to the controller name is returned in ControllerName,
and EFI_SUCCESS is returned. If the driver specified by This is not currently
managing the controller specified by ControllerHandle and ChildHandle,
then EFI_UNSUPPORTED is returned. If the driver specified by This does not
support the language specified by Language, then EFI_UNSUPPORTED is returned.
@param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
EFI_COMPONENT_NAME_PROTOCOL instance.
@param[in] ControllerHandle The handle of a controller that the driver
specified by This is managing. This handle
specifies the controller whose name is to be
returned.
@param[in] ChildHandle The handle of the child controller to retrieve
the name of. This is an optional parameter that
may be NULL. It will be NULL for device
drivers. It will also be NULL for a bus drivers
that wish to retrieve the name of the bus
controller. It will not be NULL for a bus
driver that wishes to retrieve the name of a
child controller.
@param[in] Language A pointer to a Null-terminated ASCII string
array indicating the language. This is the
language of the driver name that the caller is
requesting, and it must match one of the
languages specified in SupportedLanguages. The
number of languages supported by a driver is up
to the driver writer. Language is specified in
RFC 4646 or ISO 639-2 language code format.
@param[out] ControllerName A pointer to the Unicode string to return.
This Unicode string is the name of the
controller specified by ControllerHandle and
ChildHandle in the language specified by
Language from the point of view of the driver
specified by This.
@retval EFI_SUCCESS The Unicode string for the user-readable name in
the language specified by Language for the
driver specified by This was returned in
DriverName.
@retval EFI_INVALID_PARAMETER ControllerHandle is NULL.
@retval EFI_INVALID_PARAMETER ChildHandle is not NULL and it is not a valid
EFI_HANDLE.
@retval EFI_INVALID_PARAMETER Language is NULL.
@retval EFI_INVALID_PARAMETER ControllerName is NULL.
@retval EFI_UNSUPPORTED The driver specified by This is not currently
managing the controller specified by
ControllerHandle and ChildHandle.
@retval EFI_UNSUPPORTED The driver specified by This does not support
the language specified by Language.
**/
EFI_STATUS
EFIAPI
IpSecComponentNameGetControllerName (
IN EFI_COMPONENT_NAME_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_HANDLE ChildHandle, OPTIONAL
IN CHAR8 *Language,
OUT CHAR16 **ControllerName
);
//
// EFI Component Name Protocol
//
GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName = {
IpSecComponentNameGetDriverName,
IpSecComponentNameGetControllerName,
"eng"
};
//
// EFI Component Name 2 Protocol
//
GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2 = {
(EFI_COMPONENT_NAME2_GET_DRIVER_NAME) IpSecComponentNameGetDriverName,
(EFI_COMPONENT_NAME2_GET_CONTROLLER_NAME) IpSecComponentNameGetControllerName,
"en"
};
GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecDriverNameTable[] = {
{
"eng;en",
L"IpSec Driver"
},
{
NULL,
NULL
}
};
GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecControllerNameTable[] = {
{
"eng;en",
L"IPsec Controller"
},
{
NULL,
NULL
}
};
/**
Retrieves a Unicode string that is the user-readable name of the driver.
This function retrieves the user-readable name of a driver in the form of a
Unicode string. If the driver specified by This has a user-readable name in
the language specified by Language, then a pointer to the driver name is
returned in DriverName, and EFI_SUCCESS is returned. If the driver specified
by This does not support the language specified by Language,
then EFI_UNSUPPORTED is returned.
@param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
EFI_COMPONENT_NAME_PROTOCOL instance.
@param[in] Language A pointer to a Null-terminated ASCII string
array indicating the language. This is the
language of the driver name that the caller is
requesting, and it must match one of the
languages specified in SupportedLanguages. The
number of languages supported by a driver is up
to the driver writer. Language is specified
in RFC 4646 or ISO 639-2 language code format.
@param[out] DriverName A pointer to the Unicode string to return.
This Unicode string is the name of the
driver specified by This in the language
specified by Language.
@retval EFI_SUCCESS The Unicode string for the Driver specified by
This, and the language specified by Language was
returned in DriverName.
@retval EFI_INVALID_PARAMETER Language is NULL.
@retval EFI_INVALID_PARAMETER DriverName is NULL.
@retval EFI_UNSUPPORTED The driver specified by This does not support
the language specified by Language.
**/
EFI_STATUS
EFIAPI
IpSecComponentNameGetDriverName (
IN EFI_COMPONENT_NAME_PROTOCOL *This,
IN CHAR8 *Language,
OUT CHAR16 **DriverName
)
{
return LookupUnicodeString2 (
Language,
This->SupportedLanguages,
mIpSecDriverNameTable,
DriverName,
(BOOLEAN) (This == &gIpSecComponentName)
);
}
/**
Retrieves a Unicode string that is the user-readable name of the controller
that is being managed by a driver.
This function retrieves the user-readable name of the controller specified by
ControllerHandle and ChildHandle in the form of a Unicode string. If the
driver specified by This has a user-readable name in the language specified by
Language, then a pointer to the controller name is returned in ControllerName,
and EFI_SUCCESS is returned. If the driver specified by This is not currently
managing the controller specified by ControllerHandle and ChildHandle,
then EFI_UNSUPPORTED is returned. If the driver specified by This does not
support the language specified by Language, then EFI_UNSUPPORTED is returned.
@param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
EFI_COMPONENT_NAME_PROTOCOL instance.
@param[in] ControllerHandle The handle of a controller that the driver
specified by This is managing. This handle
specifies the controller whose name is to be
returned.
@param[in] ChildHandle The handle of the child controller to retrieve
the name of. This is an optional parameter that
may be NULL. It will be NULL for device
drivers. It will also be NULL for a bus drivers
that wish to retrieve the name of the bus
controller. It will not be NULL for a bus
driver that wishes to retrieve the name of a
child controller.
@param[in] Language A pointer to a Null-terminated ASCII string
array indicating the language. This is the
language of the driver name that the caller is
requesting, and it must match one of the
languages specified in SupportedLanguages. The
number of languages supported by a driver is up
to the driver writer. Language is specified in
RFC 4646 or ISO 639-2 language code format.
@param[out] ControllerName A pointer to the Unicode string to return.
This Unicode string is the name of the
controller specified by ControllerHandle and
ChildHandle in the language specified by
Language from the point of view of the driver
specified by This.
@retval EFI_SUCCESS The Unicode string for the user-readable name in
the language specified by Language for the
driver specified by This was returned in
DriverName.
@retval EFI_INVALID_PARAMETER ControllerHandle is NULL.
@retval EFI_INVALID_PARAMETER ChildHandle is not NULL, and it is not a valid
EFI_HANDLE.
@retval EFI_INVALID_PARAMETER Language is NULL.
@retval EFI_INVALID_PARAMETER ControllerName is NULL.
@retval EFI_UNSUPPORTED The driver specified by This is not currently
managing the controller specified by
ControllerHandle and ChildHandle.
@retval EFI_UNSUPPORTED The driver specified by This does not support
the language specified by Language.
**/
EFI_STATUS
EFIAPI
IpSecComponentNameGetControllerName (
IN EFI_COMPONENT_NAME_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_HANDLE ChildHandle, OPTIONAL
IN CHAR8 *Language,
OUT CHAR16 **ControllerName
)
{
EFI_STATUS Status;
//
// ChildHandle must be NULL for a Device Driver
//
if (ChildHandle != NULL) {
return EFI_UNSUPPORTED;
}
//
// Make sure this driver is currently managing ControllerHandle
//
Status = gBS->OpenProtocol (
ControllerHandle,
&gEfiIpSec2ProtocolGuid,
NULL,
NULL,
NULL,
EFI_OPEN_PROTOCOL_TEST_PROTOCOL
);
if (EFI_ERROR (Status)) {
return Status;
}
return LookupUnicodeString2 (
Language,
This->SupportedLanguages,
mIpSecControllerNameTable,
ControllerName,
(BOOLEAN) (This == &gIpSecComponentName)
);
}


@ -1,382 +0,0 @@
/** @file
Cryptographic Parameter Constant Definitions from IETF;
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "Ike.h"
//
// "First Oakley Default Group" from RFC2409, section 6.1.
//
// The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp768Modulus[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
0xA6, 0x3A, 0x36, 0x20, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
//
// "Second Oakley Default Group" from RFC2409, section 6.2.
//
// The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1024Modulus[] = {
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
};
//
// "1536-bit MODP Group" from RFC3526, Section 2.
//
// The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1536Modulus[]={
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
};
//
// "2048-bit MODP Group" from RFC3526, Section 3.
//
// The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp2048Modulus[]={
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,
};
//
// "3072-bit MODP Group" from RFC3526, Section 4.
//
// The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp3072Modulus[]={
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
};
//
// "4096-bit MODP Group" from RFC3526, Section 5.
//
// The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp4096Modulus[]={
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
};
//
// "6144-bit MODP Group" from RFC3526, Section 6.
//
// The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp6144Modulus[]={
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,
0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,
0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,
0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,
0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,
0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,
0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,
0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,
0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,
0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,
0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,
0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,
0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,
0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,
0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,
0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,
0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,
0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
};
//
// "8192-bit MODP Group" from RFC3526, Section 7.
//
// The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
//
GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp8192Modulus[]={
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,
0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,
0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,
0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,
0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,
0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,
0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,
0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,
0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,
0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,
0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,
0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,
0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,
0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,
0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,
0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,
0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,
0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,
0x73,0xB9,0x31,0xBA,0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,
0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,0x25,0x76,0xF6,0x93,
0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,
0xE3,0x9D,0x65,0x2D,0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,
0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,0x13,0xEB,0x57,0xA8,
0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,
0xA2,0xC0,0x87,0xE8,0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,
0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,0x6D,0x2A,0x13,0xF8,
0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,
0x08,0x46,0x85,0x1D,0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,
0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,0xFA,0xF3,0x6B,0xC3,
0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,
0xD5,0xEE,0x38,0x2B,0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,
0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,0x9E,0x30,0x50,0xE2,
0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,
};
//
// Pre-defined Oakley MODP Groups
//
#define DH_GENERATOR_2 2
GLOBAL_REMOVE_IF_UNREFERENCED CONST MODP_GROUP OakleyModpGroup[] = {
{0, 0, NULL, 0}, //Undefined
{OakleyGroupModp768, 768, Modp768Modulus, DH_GENERATOR_2},
{OakleyGroupModp1024, 1024, Modp1024Modulus, DH_GENERATOR_2},
{0, 0, NULL, 0}, // For ECC. UnSupported
{0, 0, NULL, 0}, // For ECC. Unsupported
{OakleyGroupModp1536, 1536, Modp1536Modulus, DH_GENERATOR_2},
{0, 0, NULL, 0}, //Undefined
{0, 0, NULL, 0}, //Undefined
{0, 0, NULL, 0}, //Undefined
{0, 0, NULL, 0}, //Undefined
{0, 0, NULL, 0}, //Undefined
{0, 0, NULL, 0}, //Undefined
{0, 0, NULL, 0}, //Undefined
{0, 0, NULL, 0}, //Undefined
{OakleyGroupModp2048, 2048, Modp2048Modulus, DH_GENERATOR_2},
{OakleyGroupModp3072, 3072, Modp3072Modulus, DH_GENERATOR_2},
{OakleyGroupModp4096, 4096, Modp4096Modulus, DH_GENERATOR_2},
{OakleyGroupModp6144, 6144, Modp6144Modulus, DH_GENERATOR_2},
{OakleyGroupModp8192, 8192, Modp8192Modulus, DH_GENERATOR_2},
};


@ -1,260 +0,0 @@
/** @file
The common definition of IPsec Key Exchange (IKE).
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _IKE_H_
#define _IKE_H_
#include <Library/UdpIoLib.h>
#include <Library/BaseCryptLib.h>
#include "IpSecImpl.h"
#define IKE_VERSION_MAJOR_MASK 0xf0
#define IKE_VERSION_MINOR_MASK 0x0f
#define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)
#define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)
//
// Protocol Value Use in IKEv1 and IKEv2
//
#define IPSEC_PROTO_ISAKMP 1
#define IPSEC_PROTO_IPSEC_AH 2
#define IPSEC_PROTO_IPSEC_ESP 3
#define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved
//
// For Algorithm search in support list.Last two types are for IKEv2 only.
//
#define IKE_ENCRYPT_TYPE 0
#define IKE_AUTH_TYPE 1
#define IKE_PRF_TYPE 2
#define IKE_DH_TYPE 3
//
// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)
//
#define IPSEC_ESP_DES_IV64 1
#define IPSEC_ESP_DES 2
#define IPSEC_ESP_3DES 3
#define IPSEC_ESP_RC5 4
#define IPSEC_ESP_IDEA 5
#define IPSEC_ESP_CAST 6
#define IPSEC_ESP_BLOWFISH 7
#define IPSEC_ESP_3IDEA 8
#define IPSEC_ESP_DES_IV32 9
#define IPSEC_ESP_RC4 10 // It's reserved in IKEv2
#define IPSEC_ESP_NULL 11
#define IPSEC_ESP_AES 12
#define IKE_XCG_TYPE_NONE 0
#define IKE_XCG_TYPE_BASE 1
#define IKE_XCG_TYPE_IDENTITY_PROTECT 2
#define IKE_XCG_TYPE_AUTH_ONLY 3
#define IKE_XCG_TYPE_AGGR 4
#define IKE_XCG_TYPE_INFO 5
#define IKE_XCG_TYPE_QM 32
#define IKE_XCG_TYPE_NGM 33
#define IKE_XCG_TYPE_SA_INIT 34
#define IKE_XCG_TYPE_AUTH 35
#define IKE_XCG_TYPE_CREATE_CHILD_SA 36
#define IKE_XCG_TYPE_INFO2 37
#define IKE_LIFE_TYPE_SECONDS 1
#define IKE_LIFE_TYPE_KILOBYTES 2
//
// Deafult IKE SA lifetime and CHILD SA lifetime
//
#define IKE_SA_DEFAULT_LIFETIME 1200
#define CHILD_SA_DEFAULT_LIFETIME 3600
//
// Next payload type presented within Proposal payload
//
#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2
#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0
//
// Next payload type presented within Transform payload
//
#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3
#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0
//
// Max size of the SA attribute
//
#define MAX_SA_ATTRS_SIZE 48
#define SA_ATTR_FORMAT_BIT 0x8000
//
// The definition for Information Message ID.
//
#define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')
//
// Type for the IKE SESSION COMMON
//
typedef enum {
IkeSessionTypeIkeSa,
IkeSessionTypeChildSa,
IkeSessionTypeInfo,
IkeSessionTypeMax
} IKE_SESSION_TYPE;
//
// The DH Group ID defined RFC3526 and RFC 2409
//
typedef enum {
OakleyGroupModp768 = 1,
OakleyGroupModp1024 = 2,
OakleyGroupGp155 = 3, // Unsupported Now.
OakleyGroupGp185 = 4, // Unsupported Now.
OakleyGroupModp1536 = 5,
OakleyGroupModp2048 = 14,
OakleyGroupModp3072 = 15,
OakleyGroupModp4096 = 16,
OakleyGroupModp6144 = 17,
OakleyGroupModp8192 = 18,
OakleyGroupMax
} OAKLEY_GROUP_ID;
//
// IKE Header
//
#pragma pack(1)
typedef struct {
UINT64 InitiatorCookie;
UINT64 ResponderCookie;
UINT8 NextPayload;
UINT8 Version;
UINT8 ExchangeType;
UINT8 Flags;
UINT32 MessageId;
UINT32 Length;
} IKE_HEADER;
#pragma pack()
typedef union {
UINT16 AttrLength;
UINT16 AttrValue;
} IKE_SA_ATTR_UNION;
//
// SA Attribute present in Transform Payload
//
#pragma pack(1)
typedef struct {
UINT16 AttrType;
IKE_SA_ATTR_UNION Attr;
} IKE_SA_ATTRIBUTE;
#pragma pack()
//
// Contains the IKE packet information.
//
typedef struct {
UINTN RefCount;
BOOLEAN IsHdrExt;
IKE_HEADER *Header;
BOOLEAN IsPayloadsBufExt;
UINT8 *PayloadsBuf; // The whole IkePakcet trimed the IKE header.
UINTN PayloadTotalSize;
LIST_ENTRY PayloadList;
EFI_IP_ADDRESS RemotePeerIp;
BOOLEAN IsEncoded; // whether HTON is done when sending the packet
UINT32 Spi; // For the Delete Information Exchange
BOOLEAN IsDeleteInfo; // For the Delete Information Exchange
IPSEC_PRIVATE_DATA *Private; // For the Delete Information Exchange
} IKE_PACKET;
//
// The generic structure to all kinds of IKE payloads.
//
typedef struct {
UINT32 Signature;
BOOLEAN IsPayloadBufExt;
UINT8 PayloadType;
UINT8 *PayloadBuf;
UINTN PayloadSize;
LIST_ENTRY ByPacket;
} IKE_PAYLOAD;
//
// Udp Service
//
typedef struct {
UINT32 Signature;
UINT8 IpVersion;
LIST_ENTRY List;
LIST_ENTRY *ListHead;
EFI_HANDLE NicHandle;
EFI_HANDLE ImageHandle;
UDP_IO *Input;
UDP_IO *Output;
EFI_IP_ADDRESS DefaultAddress;
BOOLEAN IsConfigured;
} IKE_UDP_SERVICE;
//
// Each IKE session has its own Key sets for local peer and remote peer.
//
typedef struct {
EFI_IPSEC_ALGO_INFO LocalPeerInfo;
EFI_IPSEC_ALGO_INFO RemotePeerInfo;
} SA_KEYMATS;
//
// Each algorithm has its own Id, Guid, BlockSize and KeyLength.
// This struct contains these information for each algorithm. It is generic structure
// for both encryption and authentication algorithm.
// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,
// it means IvSize.
//
#pragma pack(1)
typedef struct {
UINT8 AlgorithmId; // Encryption or Authentication Id used by ESP/AH
EFI_GUID *AlgGuid;
UINT8 AlgSize; // IcvSize or IvSize
UINT8 BlockSize;
UINTN KeyMateLen;
} IKE_ALG_GUID_INFO; // For IPsec Authentication and Encryption Algorithm.
#pragma pack()
//
// Structure used to store the DH group
//
typedef struct {
UINT8 GroupId;
UINTN Size;
UINT8 *Modulus;
UINTN GroupGenerator;
} MODP_GROUP;
/**
This is prototype definition of general interface to phase the payloads
after/before the decode/encode.
@param[in] SessionCommon Point to the SessionCommon
@param[in] PayloadBuf Point to the buffer of Payload.
@param[in] PayloadSize The size of the PayloadBuf in bytes.
@param[in] PayloadType The type of Payload.
**/
typedef
VOID
(*IKE_ON_PAYLOAD_FROM_NET) (
IN UINT8 *SessionCommon,
IN UINT8 *PayloadBuf,
IN UINTN PayloadSize,
IN UINT8 PayloadType
);
#endif


@ -1,324 +0,0 @@
/** @file
Common operation of the IKE
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "Ike.h"
#include "IkeCommon.h"
#include "IpSecConfigImpl.h"
#include "IpSecDebug.h"
/**
Check whether the new generated Spi has existed.
@param[in] IkeSaSession Pointer to the Child SA Session.
@param[in] SpiValue SPI Value.
@retval TRUE This SpiValue has existed in the Child SA Session
@retval FALSE This SpiValue doesn't exist in the Child SA Session.
**/
BOOLEAN
IkeSpiValueExisted (
IN IKEV2_SA_SESSION *IkeSaSession,
IN UINT32 SpiValue
)
{
LIST_ENTRY *Entry;
LIST_ENTRY *Next;
IKEV2_CHILD_SA_SESSION *SaSession;
Entry = NULL;
Next = NULL;
SaSession = NULL;
//
// Check whether the SPI value has existed in ChildSaEstablishSessionList.
//
NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSessionList) {
SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
if (SaSession->LocalPeerSpi == SpiValue) {
return TRUE;
}
}
//
// Check whether the SPI value has existed in ChildSaSessionList.
//
NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) {
SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
if (SaSession->LocalPeerSpi == SpiValue) {
return TRUE;
}
}
return FALSE;
}
/**
Call Crypto Lib to generate a random value with eight-octet length.
@return the 64 byte vaule.
**/
UINT64
IkeGenerateCookie (
VOID
)
{
UINT64 Cookie;
EFI_STATUS Status;
Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (UINT64));
if (EFI_ERROR (Status)) {
return 0;
} else {
return Cookie;
}
}
/**
Generate the random data for Nonce payload.
@param[in] NonceSize Size of the data in bytes.
@return Buffer which contains the random data of the spcified size.
**/
UINT8 *
IkeGenerateNonce (
IN UINTN NonceSize
)
{
UINT8 *Nonce;
EFI_STATUS Status;
Nonce = AllocateZeroPool (NonceSize);
if (Nonce == NULL) {
return NULL;
}
Status = IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize);
if (EFI_ERROR (Status)) {
FreePool (Nonce);
return NULL;
} else {
return Nonce;
}
}
/**
Convert the IKE Header from Network order to Host order.
@param[in, out] Header The pointer of the IKE_HEADER.
**/
VOID
IkeHdrNetToHost (
IN OUT IKE_HEADER *Header
)
{
Header->InitiatorCookie = NTOHLL (Header->InitiatorCookie);
Header->ResponderCookie = NTOHLL (Header->ResponderCookie);
Header->MessageId = NTOHL (Header->MessageId);
Header->Length = NTOHL (Header->Length);
}
/**
Convert the IKE Header from Host order to Network order.
@param[in, out] Header The pointer of the IKE_HEADER.
**/
VOID
IkeHdrHostToNet (
IN OUT IKE_HEADER *Header
)
{
Header->InitiatorCookie = HTONLL (Header->InitiatorCookie);
Header->ResponderCookie = HTONLL (Header->ResponderCookie);
Header->MessageId = HTONL (Header->MessageId);
Header->Length = HTONL (Header->Length);
}
/**
Allocate a buffer of IKE_PAYLOAD and set its Signature.
@return A buffer of IKE_PAYLOAD.
**/
IKE_PAYLOAD *
IkePayloadAlloc (
VOID
)
{
IKE_PAYLOAD *IkePayload;
IkePayload = (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_PAYLOAD));
if (IkePayload == NULL) {
return NULL;
}
IkePayload->Signature = IKE_PAYLOAD_SIGNATURE;
return IkePayload;
}
/**
Free a specified IKE_PAYLOAD buffer.
@param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.
**/
VOID
IkePayloadFree (
IN IKE_PAYLOAD *IkePayload
)
{
if (IkePayload == NULL) {
return;
}
//
// If this IkePayload is not referred by others, free it.
//
if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf != NULL)) {
FreePool (IkePayload->PayloadBuf);
}
FreePool (IkePayload);
}
/**
Generate an new SPI.
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
Session.
@param[in, out] SpiValue Pointer to the new generated SPI value.
@retval EFI_SUCCESS The operation performs successfully.
@retval Otherwise The operation is failed.
**/
EFI_STATUS
IkeGenerateSpi (
IN IKEV2_SA_SESSION *IkeSaSession,
IN OUT UINT32 *SpiValue
)
{
EFI_STATUS Status;
Status = EFI_SUCCESS;
while (TRUE) {
//
// Generate SPI randomly
//
Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof (UINT32));
if (EFI_ERROR (Status)) {
break;
}
//
// The set of SPI values in the range 1 through 255 are reserved by the
// Internet Assigned Numbers Authority (IANA) for future use; a reserved
// SPI value will not normally be assigned by IANA unless the use of the
// assigned SPI value is specified in an RFC.
//
if (*SpiValue < IKE_SPI_BASE) {
*SpiValue += IKE_SPI_BASE;
}
//
// Check whether the new generated SPI has existed.
//
if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {
break;
}
}
return Status;
}
/**
Generate a random data for IV
@param[in] IvBuffer The pointer of the IV buffer.
@param[in] IvSize The IV size.
@retval EFI_SUCCESS Create a random data for IV.
@retval otherwise Failed.
**/
EFI_STATUS
IkeGenerateIv (
IN UINT8 *IvBuffer,
IN UINTN IvSize
)
{
return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);
}
/**
Find SPD entry by a specified SPD selector.
@param[in] SpdSel Point to SPD Selector to be searched for.
@retval Point to SPD Entry if the SPD entry found.
@retval NULL if not found.
**/
IPSEC_SPD_ENTRY *
IkeSearchSpdEntry (
IN EFI_IPSEC_SPD_SELECTOR *SpdSel
)
{
IPSEC_SPD_ENTRY *SpdEntry;
LIST_ENTRY *SpdList;
LIST_ENTRY *Entry;
SpdList = &mConfigData[IPsecConfigDataTypeSpd];
NET_LIST_FOR_EACH (Entry, SpdList) {
SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
//
// Find the required SPD entry
//
if (CompareSpdSelector (
(EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,
(EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector
)) {
return SpdEntry;
}
}
return NULL;
}
/**
Get the IKE Version from the IKE_SA_SESSION.
@param[in] Session Pointer of the IKE_SA_SESSION.
**/
UINT8
IkeGetVersionFromSession (
IN UINT8 *Session
)
{
if (*(UINT32 *) Session == IKEV2_SA_SESSION_SIGNATURE) {
return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer;
} else {
//
// Add IKEv1 support here.
//
return 0;
}
}


@ -1,189 +0,0 @@
/** @file
Common operation of the IKE.
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _IKE_COMMON_H_
#define _IKE_COMMON_H_
#include <Protocol/Udp4.h>
#include <Protocol/Udp6.h>
#include <Protocol/Ip4Config2.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/DebugLib.h>
#include <Library/UdpIoLib.h>
#include <Library/BaseCryptLib.h>
#include "Ikev2/Ikev2.h"
#include "IpSecImpl.h"
#include "IkePacket.h"
#include "IpSecCryptIo.h"
#define IKE_DEFAULT_PORT 500
#define IKE_DEFAULT_TIMEOUT_INTERVAL 10000 // 10s
#define IKE_NONCE_SIZE 16
#define IKE_MAX_RETRY 4
#define IKE_SPI_BASE 0x100
#define IKE_PAYLOAD_SIGNATURE SIGNATURE_32('I','K','E','P')
#define IKE_PAYLOAD_BY_PACKET(a) CR(a,IKE_PAYLOAD,ByPacket,IKE_PAYLOAD_SIGNATURE)
#define IKE_PACKET_APPEND_PAYLOAD(IkePacket,IkePayload) \
do { \
InsertTailList(&(IkePacket)->PayloadList, &(IkePayload)->ByPacket); \
} while (0)
#define IKE_PACKET_REMOVE_PAYLOAD(IkePacket,IkePayload) \
do { \
RemoveEntryList(&(IkePayload)->ByPacket); \
} while (0)
#define IKE_PACKET_END_PAYLOAD(IkePacket, Node) \
Node = GetFirstNode (&(IkePacket)->PayloadList); \
while (!IsNodeAtEnd (&(IkePacket)->PayloadList, Node)) { \
Node = GetNextNode (&(IkePacket)->PayloadList, Node); \
} \
/**
Call Crypto Lib to generate a random value with eight-octet length.
@return the 64 byte vaule.
**/
UINT64
IkeGenerateCookie (
VOID
);
/**
Generate the random data for Nonce payload.
@param[in] NonceSize Size of the data in bytes.
@return Buffer which contains the random data of the spcified size.
**/
UINT8 *
IkeGenerateNonce (
IN UINTN NonceSize
);
/**
Convert the IKE Header from Network order to Host order.
@param[in, out] Header The pointer of the IKE_HEADER.
**/
VOID
IkeHdrNetToHost (
IN OUT IKE_HEADER *Header
);
/**
Convert the IKE Header from Host order to Network order.
@param[in, out] Header The pointer of the IKE_HEADER.
**/
VOID
IkeHdrHostToNet (
IN OUT IKE_HEADER *Header
);
/**
Allocate a buffer of IKE_PAYLOAD and set its Signature.
@return A buffer of IKE_PAYLOAD.
**/
IKE_PAYLOAD *
IkePayloadAlloc (
VOID
);
/**
Free a specified IKE_PAYLOAD buffer.
@param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.
**/
VOID
IkePayloadFree (
IN IKE_PAYLOAD *IkePayload
);
/**
Generate an new SPI.
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
Session.
@param[in, out] SpiValue Pointer to the new generated SPI value.
@retval EFI_SUCCESS The operation performs successfully.
@retval Otherwise The operation is failed.
**/
EFI_STATUS
IkeGenerateSpi (
IN IKEV2_SA_SESSION *IkeSaSession,
IN OUT UINT32 *SpiValue
);
/**
Generate a random data for IV
@param[in] IvBuffer The pointer of the IV buffer.
@param[in] IvSize The IV size.
@retval EFI_SUCCESS Create a random data for IV.
@retval otherwise Failed.
**/
EFI_STATUS
IkeGenerateIv (
IN UINT8 *IvBuffer,
IN UINTN IvSize
);
/**
Get the IKE Version from the IKE_SA_SESSION.
@param[in] Session Pointer of the IKE_SA_SESSION.
**/
UINT8
IkeGetVersionFromSession (
IN UINT8 *Session
);
/**
Find SPD entry by a specified SPD selector.
@param[in] SpdSel Point to SPD Selector to be searched for.
@retval Point to Spd Entry if the SPD entry found.
@retval NULL if not found.
**/
IPSEC_SPD_ENTRY *
IkeSearchSpdEntry (
IN EFI_IPSEC_SPD_SELECTOR *SpdSel
);
extern MODP_GROUP OakleyModpGroup[];
extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];
extern IKE_ALG_GUID_INFO mIPsecAuthAlgInfo[];
#endif


@ -1,259 +0,0 @@
/** @file
IKE Packet related operation.
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecDebug.h"
#include "Ikev2/Utility.h"
/**
Allocate a buffer for the IKE_PACKET and intitalize its Header and payloadlist.
@return The pointer of the IKE_PACKET.
**/
IKE_PACKET *
IkePacketAlloc (
VOID
)
{
IKE_PACKET *IkePacket;
IkePacket = (IKE_PACKET *) AllocateZeroPool (sizeof (IKE_PACKET));
if (IkePacket == NULL) {
return NULL;
}
IkePacket->RefCount = 1;
InitializeListHead (&IkePacket->PayloadList);
IkePacket->Header = (IKE_HEADER *) AllocateZeroPool (sizeof (IKE_HEADER));
if (IkePacket->Header == NULL) {
FreePool (IkePacket);
return NULL;
}
return IkePacket;
}
/**
Free the IkePacket by the specified IKE_PACKET pointer.
@param[in] IkePacket The pointer of the IKE_PACKET to be freed.
**/
VOID
IkePacketFree (
IN IKE_PACKET *IkePacket
)
{
LIST_ENTRY *Entry;
IKE_PAYLOAD *IkePayload;
if (IkePacket == NULL) {
return;
}
//
// Check if the Packet is referred by others.
//
if (--IkePacket->RefCount == 0) {
//
// Free IkePacket header
//
if (!IkePacket->IsHdrExt && IkePacket->Header != NULL) {
FreePool (IkePacket->Header);
}
//
// Free the PayloadsBuff
//
if (!IkePacket->IsPayloadsBufExt && IkePacket->PayloadsBuf != NULL) {
FreePool (IkePacket->PayloadsBuf);
}
//
// Iterate payloadlist and free all payloads
//
for (Entry = (IkePacket)->PayloadList.ForwardLink; Entry != &(IkePacket)->PayloadList;) {
IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
Entry = Entry->ForwardLink;
IkePayloadFree (IkePayload);
}
FreePool (IkePacket);
}
}
/**
Callback funtion of NetbufFromExt()
@param[in] Arg The data passed from the NetBufFromExe().
**/
VOID
EFIAPI
IkePacketNetbufFree (
IN VOID *Arg
)
{
//
// TODO: add something if need.
//
}
/**
Copy the NetBuf into a IKE_PACKET sturcture.
Create a IKE_PACKET and fill the received IKE header into the header of IKE_PACKET
and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE_PACKET.
@param[in] Netbuf The pointer of the Netbuf which contains the whole received
IKE packet.
@return The pointer of the IKE_PACKET which contains the received packet.
**/
IKE_PACKET *
IkePacketFromNetbuf (
IN NET_BUF *Netbuf
)
{
IKE_PACKET *IkePacket;
IkePacket = NULL;
if (Netbuf->TotalSize < sizeof (IKE_HEADER)) {
goto Error;
}
IkePacket = IkePacketAlloc ();
if (IkePacket == NULL) {
return NULL;
}
//
// Copy the IKE header from Netbuf to IkePacket->Hdr
//
NetbufCopy (Netbuf, 0, sizeof (IKE_HEADER), (UINT8 *) IkePacket->Header);
//
// Net order to host order
//
IkeHdrNetToHost (IkePacket->Header);
if (IkePacket->Header->Length < Netbuf->TotalSize) {
goto Error;
}
IkePacket->PayloadTotalSize = IkePacket->Header->Length - sizeof (IKE_HEADER);
IkePacket->PayloadsBuf = (UINT8 *) AllocateZeroPool (IkePacket->PayloadTotalSize);
if (IkePacket->PayloadsBuf == NULL) {
goto Error;
}
//
// Copy the IKE packet without the header into the IkePacket->PayloadsBuf.
//
NetbufCopy (Netbuf, sizeof (IKE_HEADER), (UINT32) IkePacket->PayloadTotalSize, IkePacket->PayloadsBuf);
return IkePacket;
Error:
if (IkePacket != NULL) {
IkePacketFree (IkePacket);
}
return NULL;
}
/**
Convert the format from IKE_PACKET to NetBuf.
@param[in] SessionCommon Pointer of related IKE_COMMON_SESSION
@param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf
@param[in] IkeType The IKE type to pointer the packet is for which IKE
phase. Now it supports IKE_SA_TYPE, IKE_CHILDSA_TYPE,
IKE_INFO_TYPE.
@return a pointer of Netbuff which contains the IKE_PACKE in network order.
**/
NET_BUF *
IkeNetbufFromPacket (
IN UINT8 *SessionCommon,
IN IKE_PACKET *IkePacket,
IN UINTN IkeType
)
{
NET_BUF *Netbuf;
NET_FRAGMENT *Fragments;
UINTN Index;
UINTN NumPayloads;
LIST_ENTRY *PacketEntry;
LIST_ENTRY *Entry;
IKE_PAYLOAD *IkePayload;
EFI_STATUS RetStatus;
RetStatus = EFI_SUCCESS;
if (!IkePacket->IsEncoded) {
IkePacket->IsEncoded = TRUE;
//
// Convert Host order to Network order for IKE_PACKET header and payloads
// Encryption payloads if needed
//
if (((IKEV2_SESSION_COMMON *) SessionCommon)->IkeVer == 2) {
RetStatus = Ikev2EncodePacket ((IKEV2_SESSION_COMMON *) SessionCommon, IkePacket, IkeType);
if (EFI_ERROR (RetStatus)) {
return NULL;
}
} else {
//
// If IKEv1 support, check it here.
//
return NULL;
}
}
NumPayloads = 0;
//
// Get the number of the payloads
//
NET_LIST_FOR_EACH (PacketEntry, &(IkePacket)->PayloadList) {
NumPayloads++;
}
//
// Allocate the Framgents according to the numbers of the IkePayload
//
Fragments = (NET_FRAGMENT *) AllocateZeroPool ((1 + NumPayloads) * sizeof (NET_FRAGMENT));
if (Fragments == NULL) {
return NULL;
}
Fragments[0].Bulk = (UINT8 *) IkePacket->Header;
Fragments[0].Len = sizeof (IKE_HEADER);
Index = 0;
//
// Set payloads to the Framgments.
//
NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
Fragments[Index + 1].Bulk = IkePayload->PayloadBuf;
Fragments[Index + 1].Len = (UINT32) IkePayload->PayloadSize;
Index++;
}
Netbuf = NetbufFromExt (
Fragments,
(UINT32) (NumPayloads + 1),
0,
0,
IkePacketNetbufFree,
NULL
);
FreePool (Fragments);
return Netbuf;
}

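--- a/<path not shown on page>
+++ /dev/null
@@ -1,76 +0,0 @@
-/** @file
-IKE Packet related definitions and function declarations.
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-**/
-#ifndef _IKE_V1_PACKET_H_
-#define _IKE_V1_PACKET_H_
-#include "Ike.h"
-#define IKE_PACKET_REF(p) ((p)->RefCount++)
-/**
-Allocate a buffer for the IKE_PACKET and intitalize its Header and payloadlist.
-@return The pointer of the IKE_PACKET.
-**/
-IKE_PACKET *
-IkePacketAlloc (
-VOID
-);
-/**
-Free the IkePacket by the specified IKE_PACKET pointer.
-@param[in] IkePacket The pointer of the IKE_PACKET to be freed.
-**/
-VOID
-IkePacketFree (
-IN IKE_PACKET *IkePacket
-);
-/**
-Copy the NetBuf into a IKE_PACKET sturcture.
-Create a IKE_PACKET and fill the received IKE header into the header of IKE_PACKET
-and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE_PACKET.
-@param[in] Netbuf The pointer of the Netbuf which contains the whole received
-IKE packet.
-@return The pointer of the IKE_PACKET which contains the received packet.
-**/
-IKE_PACKET *
-IkePacketFromNetbuf (
-IN NET_BUF *Netbuf
-);
-/**
-Convert the format from IKE_PACKET to NetBuf.
-@param[in] SessionCommon Pointer of related IKE_COMMON_SESSION
-@param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf
-@param[in] IkeType The IKE type to pointer the packet is for which IKE
-phase. Now it supports IKE_SA_TYPE, IKE_CHILDSA_TYPE,
-IKE_INFO_TYPE.
-@return A pointer of Netbuff which contains the contents of the IKE_PACKE in network order.
-**/
-NET_BUF *
-IkeNetbufFromPacket (
-IN UINT8 *SessionCommon,
-IN IKE_PACKET *IkePacket,
-IN UINTN IkeType
-);
-#endif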

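--- a/<path not shown on page>
+++ /dev/null
@@ -1,813 +0,0 @@
-/** @file
-Provide IPsec Key Exchange (IKE) service general interfaces.
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-**/
-#include "IkeService.h"
-#include "IpSecConfigImpl.h"
-IKE_EXCHANGE_INTERFACE *mIkeExchange[] = {
-&mIkev1Exchange,
-&mIkev2Exchange
-};
-EFI_UDP4_CONFIG_DATA mUdp4Conf = {
-FALSE,
-FALSE,
-FALSE,
-TRUE,
-//
-// IO parameters
-//
-0,
-64,
-FALSE,
-0,
-1000000,
-FALSE,
-{{0,0,0,0}},
-{{0,0,0,0}},
-IKE_DEFAULT_PORT,
-{{0,0,0,0}},
-0
-};
-EFI_UDP6_CONFIG_DATA mUdp6Conf = {
-FALSE,
-FALSE,
-TRUE,
-//
-// IO parameters
-//
-0,
-128,
-0,
-1000000,
-//Access Point
-{{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
-IKE_DEFAULT_PORT,
-{{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
-0
-};
-/**
-Check if the NIC handle is binded to a Udp service.
-@param[in] Private Pointer of IPSEC_PRIVATE_DATA.
-@param[in] Handle The Handle of the NIC card.
-@param[in] IpVersion The version of the IP stack.
-@return a pointer of IKE_UDP_SERVICE.
-**/
-IKE_UDP_SERVICE *
-IkeLookupUdp (
-IN IPSEC_PRIVATE_DATA *Private,
-IN EFI_HANDLE Handle,
-IN UINT8 IpVersion
-)
-{
-LIST_ENTRY *Head;
-LIST_ENTRY *Entry;
-LIST_ENTRY *Next;
-IKE_UDP_SERVICE *Udp;
-Udp = NULL;
-Head = (IpVersion == IP_VERSION_4) ? &Private->Udp4List : &Private->Udp6List;
-NET_LIST_FOR_EACH_SAFE (Entry, Next, Head) {
-Udp = IPSEC_UDP_SERVICE_FROM_LIST (Entry);
-//
-// Find the right udp service which installed on the appointed NIC handle.
-//
-if (Handle == Udp->NicHandle) {
-break;
-} else {
-Udp = NULL;
-}
-}
-return Udp;
-}
-/**
-Configure a UDPIO's UDP4 instance.
-This fuction is called by the UdpIoCreateIo() to configures a
-UDP4 instance.
-@param[in] UdpIo The UDP_IO to be configured.
-@param[in] Context User-defined data when calling UdpIoCreateIo().
-@retval EFI_SUCCESS The configuration succeeded.
-@retval Others The UDP4 instance fails to configure.
-**/
-EFI_STATUS
-EFIAPI
-IkeConfigUdp4 (
-IN UDP_IO *UdpIo,
-IN VOID *Context
-)
-{
-EFI_UDP4_CONFIG_DATA Udp4Cfg;
-EFI_UDP4_PROTOCOL *Udp4;
-ZeroMem (&Udp4Cfg, sizeof (EFI_UDP4_CONFIG_DATA));
-Udp4 = UdpIo->Protocol.Udp4;
-CopyMem (
-&Udp4Cfg,
-&mUdp4Conf,
-sizeof (EFI_UDP4_CONFIG_DATA)
-);
-if (Context != NULL) {
-//
-// Configure udp4 io with local default address.
-//
-Udp4Cfg.UseDefaultAddress = TRUE;
-}
-return Udp4->Configure (Udp4, &Udp4Cfg);
-}
-/**
-Configure a UDPIO's UDP6 instance.
-This fuction is called by the UdpIoCreateIo()to configure a
-UDP6 instance.
-@param[in] UdpIo The UDP_IO to be configured.
-@param[in] Context User-defined data when calling UdpIoCreateIo().
-@retval EFI_SUCCESS The configuration succeeded.
-@retval Others The configuration fails.
-**/
-EFI_STATUS
-EFIAPI
-IkeConfigUdp6 (
-IN UDP_IO *UdpIo,
-IN VOID *Context
-)
-{
-EFI_UDP6_PROTOCOL *Udp6;
-EFI_UDP6_CONFIG_DATA Udp6Cfg;
-ZeroMem (&Udp6Cfg, sizeof (EFI_UDP6_CONFIG_DATA));
-Udp6 = UdpIo->Protocol.Udp6;
-CopyMem (
-&Udp6Cfg,
-&mUdp6Conf,
-sizeof (EFI_UDP6_CONFIG_DATA)
-);
-if (Context != NULL) {
-//
-// Configure instance with a destination address to start source address
-// selection, and then get the configure data from the mode data to store
-// the source address.
-//
-CopyMem (
-&Udp6Cfg.RemoteAddress,
-Context,
-sizeof (EFI_IPv6_ADDRESS)
-);
-}
-return Udp6->Configure (Udp6, &Udp6Cfg);
-}
-/**
-Open and configure the related output UDPIO for IKE packet sending.
-If the UdpService is not configured, this fuction calls UdpIoCreatIo() to
-create UDPIO to bind this UdpService for IKE packet sending. If the UdpService
-has already been configured, then return.
-@param[in] UdpService The UDP_IO to be configured.
-@param[in] RemoteIp User-defined data when calling UdpIoCreateIo().
-@retval EFI_SUCCESS The configuration is successful.
-@retval Others The configuration fails.
-**/
-EFI_STATUS
-IkeOpenOutputUdp (
-IN IKE_UDP_SERVICE *UdpService,
-IN EFI_IP_ADDRESS *RemoteIp
-)
-{
-EFI_STATUS Status;
-EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2;
-EFI_IP4_CONFIG2_INTERFACE_INFO *IfInfo;
-UINTN BufSize;
-EFI_IP6_MODE_DATA Ip6ModeData;
-EFI_UDP6_PROTOCOL *Udp6;
-Status = EFI_SUCCESS;
-IfInfo = NULL;
-BufSize = 0;
-//
-// Check whether the input and output udp io are both configured.
-//
-if (UdpService->IsConfigured) {
-goto ON_EXIT;
-}
-if (UdpService->IpVersion == UDP_IO_UDP4_VERSION) {
-//
-// Handle ip4config protocol to get local default address.
-//
-Status = gBS->HandleProtocol (
-UdpService->NicHandle,
-&gEfiIp4Config2ProtocolGuid,
-(VOID **) &Ip4Cfg2
-);
-if (EFI_ERROR (Status)) {
-goto ON_EXIT;
-}
-//
-// Get the interface information size.
-//
-Status = Ip4Cfg2->GetData (
-Ip4Cfg2,
-Ip4Config2DataTypeInterfaceInfo,
-&BufSize,
-NULL
-);
-if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
-goto ON_EXIT;
-}
-IfInfo = AllocateZeroPool (BufSize);
-if (IfInfo == NULL) {
-Status = EFI_OUT_OF_RESOURCES;
-goto ON_EXIT;
-}
-//
-// Get the interface info.
-//
-Status = Ip4Cfg2->GetData (
-Ip4Cfg2,
-Ip4Config2DataTypeInterfaceInfo,
-&BufSize,
-IfInfo
-);
-if (EFI_ERROR (Status)) {
-goto ON_EXIT;
-}
-CopyMem (
-&UdpService->DefaultAddress.v4,
-&IfInfo->StationAddress,
-sizeof (EFI_IPv4_ADDRESS)
-);
-//
-// Create udp4 io for output with local default address.
-//
-UdpService->Output = UdpIoCreateIo (
-UdpService->NicHandle,
-UdpService->ImageHandle,
-IkeConfigUdp4,
-UDP_IO_UDP4_VERSION,
-&UdpService->DefaultAddress
-);
-if (UdpService->Output == NULL) {
-Status = EFI_OUT_OF_RESOURCES;
-goto ON_EXIT;
-}
-} else {
-//
-// Create udp6 io for output with remote address.
-//
-UdpService->Output = UdpIoCreateIo (
-UdpService->NicHandle,
-UdpService->ImageHandle,
-IkeConfigUdp6,
-UDP_IO_UDP6_VERSION,
-RemoteIp
-);
-if (UdpService->Output == NULL) {
-Status = EFI_OUT_OF_RESOURCES;
-goto ON_EXIT;
-}
-//
-// Get ip6 mode data to get the result of source address selection.
-//
-ZeroMem (&Ip6ModeData, sizeof (EFI_IP6_MODE_DATA));
-Udp6 = UdpService->Output->Protocol.Udp6;
-Status = Udp6->GetModeData (Udp6, NULL, &Ip6ModeData, NULL, NULL);
-if (EFI_ERROR (Status)) {
-UdpIoFreeIo (UdpService->Output);
-goto ON_EXIT;
-}
-if (Ip6ModeData.AddressList != NULL) {
-FreePool (Ip6ModeData.AddressList);
-}
-if (Ip6ModeData.GroupTable != NULL) {
-FreePool (Ip6ModeData.GroupTable);
-}
-if (Ip6ModeData.RouteTable != NULL) {
-FreePool (Ip6ModeData.RouteTable);
-}
-if (Ip6ModeData.NeighborCache != NULL) {
-FreePool (Ip6ModeData.NeighborCache);
-}
-if (Ip6ModeData.PrefixTable != NULL) {
-FreePool (Ip6ModeData.PrefixTable);
-}
-if (Ip6ModeData.IcmpTypeList != NULL) {
-FreePool (Ip6ModeData.IcmpTypeList);
-}
-//
-// Reconfigure udp6 io without remote address.
-//
-Udp6->Configure (Udp6, NULL);
-Status = IkeConfigUdp6 (UdpService->Output, NULL);
-//
-// Record the selected source address for ipsec process later.
-//
-CopyMem (
-&UdpService->DefaultAddress.v6,
-&Ip6ModeData.ConfigData.StationAddress,
-sizeof (EFI_IPv6_ADDRESS)
-);
-}
-UdpService->IsConfigured = TRUE;
-ON_EXIT:
-if (IfInfo != NULL) {
-FreePool (IfInfo);
-}
-return Status;
-}
-/**
-Open and configure a UDPIO of Udp4 for IKE packet receiving.
-This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
-UDP4 IO for each NIC handle.
-@param[in] Private Point to IPSEC_PRIVATE_DATA
-@param[in] Controller Handler for NIC card.
-@param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-@retval EFI_SUCCESS The Operation is successful.
-@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-**/
-EFI_STATUS
-IkeOpenInputUdp4 (
-IN IPSEC_PRIVATE_DATA *Private,
-IN EFI_HANDLE Controller,
-IN EFI_HANDLE ImageHandle
-)
-{
-IKE_UDP_SERVICE *Udp4Srv;
-//
-// Check whether udp4 io of the controller has already been opened.
-//
-Udp4Srv = IkeLookupUdp (Private, Controller, IP_VERSION_4);
-if (Udp4Srv != NULL) {
-return EFI_ALREADY_STARTED;
-}
-Udp4Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));
-if (Udp4Srv == NULL) {
-return EFI_OUT_OF_RESOURCES;
-}
-//
-// Create udp4 io for iutput.
-//
-Udp4Srv->Input = UdpIoCreateIo (
-Controller,
-ImageHandle,
-IkeConfigUdp4,
-UDP_IO_UDP4_VERSION,
-NULL
-);
-if (Udp4Srv->Input == NULL) {
-FreePool (Udp4Srv);
-return EFI_OUT_OF_RESOURCES;
-}
-Udp4Srv->NicHandle = Controller;
-Udp4Srv->ImageHandle = ImageHandle;
-Udp4Srv->ListHead = &(Private->Udp4List);
-Udp4Srv->IpVersion = UDP_IO_UDP4_VERSION;
-Udp4Srv->IsConfigured = FALSE;
-ZeroMem (&Udp4Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));
-//
-// Insert the udp4 io into the list and increase the count.
-//
-InsertTailList (&Private->Udp4List, &Udp4Srv->List);
-Private->Udp4Num++;
-UdpIoRecvDatagram (Udp4Srv->Input, IkeDispatch, Udp4Srv, 0);
-return EFI_SUCCESS;
-}
-/**
-Open and configure a UDPIO of Udp6 for IKE packet receiving.
-This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
-IO for each NIC handle.
-@param[in] Private Point to IPSEC_PRIVATE_DATA
-@param[in] Controller Handler for NIC card.
-@param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-@retval EFI_SUCCESS The Operation is successful.
-@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-**/
-EFI_STATUS
-IkeOpenInputUdp6 (
-IN IPSEC_PRIVATE_DATA *Private,
-IN EFI_HANDLE Controller,
-IN EFI_HANDLE ImageHandle
-)
-{
-IKE_UDP_SERVICE *Udp6Srv;
-Udp6Srv = IkeLookupUdp (Private, Controller, IP_VERSION_6);
-if (Udp6Srv != NULL) {
-return EFI_ALREADY_STARTED;
-}
-Udp6Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));
-if (Udp6Srv == NULL) {
-return EFI_OUT_OF_RESOURCES;
-}
-//
-// Create udp6 io for input.
-//
-Udp6Srv->Input = UdpIoCreateIo (
-Controller,
-ImageHandle,
-IkeConfigUdp6,
-UDP_IO_UDP6_VERSION,
-NULL
-);
-if (Udp6Srv->Input == NULL) {
-FreePool (Udp6Srv);
-return EFI_OUT_OF_RESOURCES;
-}
-Udp6Srv->NicHandle = Controller;
-Udp6Srv->ImageHandle = ImageHandle;
-Udp6Srv->ListHead = &(Private->Udp6List);
-Udp6Srv->IpVersion = UDP_IO_UDP6_VERSION;
-Udp6Srv->IsConfigured = FALSE;
-ZeroMem (&Udp6Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));
-//
-// Insert the udp6 io into the list and increase the count.
-//
-InsertTailList (&Private->Udp6List, &Udp6Srv->List);
-Private->Udp6Num++;
-UdpIoRecvDatagram (Udp6Srv->Input, IkeDispatch, Udp6Srv, 0);
-return EFI_SUCCESS;
-}
-/**
-The general interface of starting IPsec Key Exchange.
-This function is called when a IKE negotiation to start getting a Key.
-@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
-IKE packet sending.
-@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
-@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
-@retval EFI_SUCCESS The Operation is successful.
-@retval EFI_ACCESS_DENIED No related PAD entry was found.
-@retval EFI_INVALID_PARAMETER The IKE version is not supported.
-**/
-EFI_STATUS
-IkeNegotiate (
-IN IKE_UDP_SERVICE *UdpService,
-IN IPSEC_SPD_ENTRY *SpdEntry,
-IN EFI_IP_ADDRESS *RemoteIp
-)
-{
-EFI_STATUS Status;
-UINT8 *IkeSaSession;
-IKE_EXCHANGE_INTERFACE *Exchange;
-IPSEC_PRIVATE_DATA *Private;
-IPSEC_PAD_ENTRY *PadEntry;
-UINT8 IkeVersion;
-Private = (UdpService->IpVersion == IP_VERSION_4) ?
-IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
-IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-//
-// Try to open udp io for output if it hasn't.
-//
-Status = IkeOpenOutputUdp (UdpService, RemoteIp);
-if (EFI_ERROR (Status)) {
-return Status;
-}
-//
-// Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.
-//
-IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);
-if (IkeSaSession == NULL) {
-//
-// Find the pad entry by the remote ip address.
-//
-PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, RemoteIp);
-if (PadEntry == NULL) {
-return EFI_ACCESS_DENIED;
-}
-//
-// Determine the IKE exchange instance by the auth protocol in pad entry.
-//
-ASSERT (PadEntry->Data->AuthProtocol < EfiIPsecAuthProtocolMaximum);
-if (PadEntry->Data->AuthProtocol == EfiIPsecAuthProtocolIKEv1) {
-return EFI_INVALID_PARAMETER;
-}
-Exchange = mIkeExchange[PadEntry->Data->AuthProtocol];
-//
-// Start the main mode stage to negotiate IKE SA.
-//
-Status = Exchange->NegotiateSa (UdpService, SpdEntry, PadEntry, RemoteIp);
-} else {
-//
-// Determine the IKE exchange instance by the IKE version in IKE SA session.
-//
-IkeVersion = IkeGetVersionFromSession (IkeSaSession);
-if (IkeVersion != 2) {
-return EFI_INVALID_PARAMETER;
-}
-Exchange = mIkeExchange[IkeVersion - 1];
-//
-// Start the quick mode stage to negotiate child SA.
-//
-Status = Exchange->NegotiateChildSa (IkeSaSession, SpdEntry, NULL);
-}
-return Status;
-}
-/**
-The generic interface when receive a IKE packet.
-This function is called when UDP IO receives a IKE packet.
-@param[in] Packet Point to received IKE packet.
-@param[in] EndPoint Point to UDP_END_POINT which contains the information of
-Remote IP and Port.
-@param[in] IoStatus The Status of Recieve Token.
-@param[in] Context Point to data passed from the caller.
-**/
-VOID
-EFIAPI
-IkeDispatch (
-IN NET_BUF *Packet,
-IN UDP_END_POINT *EndPoint,
-IN EFI_STATUS IoStatus,
-IN VOID *Context
-)
-{
-IPSEC_PRIVATE_DATA *Private;
-IKE_PACKET *IkePacket;
-IKE_HEADER *IkeHdr;
-IKE_UDP_SERVICE *UdpService;
-IKE_EXCHANGE_INTERFACE *Exchange;
-EFI_STATUS Status;
-UdpService = (IKE_UDP_SERVICE *) Context;
-IkePacket = NULL;
-Private = (UdpService->IpVersion == IP_VERSION_4) ?
-IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
-IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-if (EFI_ERROR (IoStatus)) {
-goto ON_EXIT;
-}
-//
-// Check whether the ipsec is enabled or not.
-//
-if (Private->IpSec.DisabledFlag == TRUE) {
-goto ON_EXIT;
-}
-if (EndPoint->RemotePort != IKE_DEFAULT_PORT) {
-goto ON_EXIT;
-}
-//
-// Build IKE packet from the received netbuf.
-//
-IkePacket = IkePacketFromNetbuf (Packet);
-if (IkePacket == NULL) {
-goto ON_EXIT;
-}
-//
-// Get the remote address from the IKE packet.
-//
-if (UdpService->IpVersion == IP_VERSION_4) {
-*(UINT32 *) IkePacket->RemotePeerIp.Addr = HTONL ((*(UINT32 *) EndPoint->RemoteAddr.Addr));
-} else {
-CopyMem (
-&IkePacket->RemotePeerIp,
-NTOHLLL (&EndPoint->RemoteAddr.v6),
-sizeof (EFI_IPv6_ADDRESS)
-);
-}
-//
-// Try to open udp io for output if hasn't.
-//
-Status = IkeOpenOutputUdp (UdpService, &IkePacket->RemotePeerIp);
-if (EFI_ERROR (Status)) {
-goto ON_EXIT;
-}
-IkeHdr = IkePacket->Header;
-//
-// Determine the IKE exchange instance by the IKE version in IKE header.
-//
-if (IKE_MAJOR_VERSION (IkeHdr->Version) == 2) {
-Exchange = mIkeExchange[IKE_MAJOR_VERSION (IkeHdr->Version) - 1];
-} else {
-goto ON_EXIT;
-}
-switch (IkeHdr->ExchangeType) {
-case IKE_XCG_TYPE_IDENTITY_PROTECT:
-case IKE_XCG_TYPE_SA_INIT:
-case IKE_XCG_TYPE_AUTH:
-Exchange->HandleSa (UdpService, IkePacket);
-break;
-case IKE_XCG_TYPE_QM:
-case IKE_XCG_TYPE_CREATE_CHILD_SA:
-Exchange->HandleChildSa (UdpService, IkePacket);
-break;
-case IKE_XCG_TYPE_INFO:
-case IKE_XCG_TYPE_INFO2:
-Exchange->HandleInfo (UdpService, IkePacket);
-break;
-default:
-break;
-}
-ON_EXIT:
-if (IkePacket != NULL) {
-IkePacketFree (IkePacket);
-}
-if (Packet != NULL) {
-NetbufFree (Packet);
-}
-UdpIoRecvDatagram (UdpService->Input, IkeDispatch, UdpService, 0);
-return ;
-}
-/**
-Delete all established IKE SAs and related Child SAs.
-This function is the subfunction of the IpSecCleanupAllSa(). It first calls
-IkeDeleteChildSa() to delete all Child SAs then send out the related
-Information packet.
-@param[in] Private Pointer of the IPSEC_PRIVATE_DATA
-@param[in] IsDisableIpsec Indicate whether needs to disable IPsec.
-**/
-VOID
-IkeDeleteAllSas (
-IN IPSEC_PRIVATE_DATA *Private,
-IN BOOLEAN IsDisableIpsec
-)
-{
-LIST_ENTRY *Entry;
-LIST_ENTRY *NextEntry;
-IKEV2_SA_SESSION *Ikev2SaSession;
-UINT8 Value;
-EFI_STATUS Status;
-IKE_EXCHANGE_INTERFACE *Exchange;
-UINT8 IkeVersion;
-Exchange = NULL;
-//
-// If the IKEv1 is supported, first deal with the Ikev1Estatblished list.
-//
-//
-// If IKEv2 SAs are under establishing, delete it directly.
-//
-if (!IsListEmpty (&Private->Ikev2SessionList)) {
-NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {
-Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
-RemoveEntryList (Entry);
-Ikev2SaSessionFree (Ikev2SaSession);
-}
-}
-//
-// If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE
-// and turn off the IsIPsecDisabling flag.
-//
-if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {
-Value = IPSEC_STATUS_DISABLED;
-Status = gRT->SetVariable (
-IPSECCONFIG_STATUS_NAME,
-&gEfiIpSecConfigProtocolGuid,
-EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
-sizeof (Value),
-&Value
-);
-if (!EFI_ERROR (Status)) {
-Private->IpSec.DisabledFlag = TRUE;
-Private->IsIPsecDisabling = FALSE;
-return ;
-}
-}
-//
-// Delete established IKEv2 SAs.
-//
-if (!IsListEmpty (&Private->Ikev2EstablishedList)) {
-for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {
-Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
-Entry = Entry->ForwardLink;
-Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;
-//
-// Call for Information Exchange.
-//
-IkeVersion = IkeGetVersionFromSession ((UINT8*)Ikev2SaSession);
-if (IkeVersion == 2) {
-Exchange = mIkeExchange[IkeVersion - 1];
-Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);
-}
-}
-}
-}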

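--- a/<path not shown on page>
+++ /dev/null
@@ -1,256 +0,0 @@
-/** @file
-Prototypes definitions of IKE service.
-Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-**/
-#ifndef _IKE_SERVICE_H_
-#define _IKE_SERVICE_H_
-#include "Ike.h"
-#include "IpSecImpl.h"
-#include "IkeCommon.h"
-#include "Ikev2/Utility.h"
-#define IPSEC_CRYPTO_LIB_MEMORY 128 * 1024
-/**
-This is prototype definition of general interface to intialize a IKE negotiation.
-@param[in] UdpService Point to Udp Servcie used for the IKE packet sending.
-@param[in] SpdEntry Point to SPD entry related to this IKE negotiation.
-@param[in] PadEntry Point to PAD entry related to this IKE negotiation.
-@param[in] RemoteIp Point to IP Address which the remote peer to negnotiate.
-@retval EFI_SUCCESS The operation is successful.
-@return Otherwise The operation is failed.
-**/
-typedef
-EFI_STATUS
-(*IKE_NEGOTIATE_SA) (
-IN IKE_UDP_SERVICE * UdpService,
-IN IPSEC_SPD_ENTRY * SpdEntry,
-IN IPSEC_PAD_ENTRY * PadEntry,
-IN EFI_IP_ADDRESS * RemoteIp
-);
-/**
-This is prototype definition fo general interface to start a IKE negotiation at Quick Mode.
-This function will be called when the related IKE SA is existed and start to
-create a Child SA.
-@param[in] IkeSaSession Point to IKE SA Session related to this Negotiation.
-@param[in] SpdEntry Point to SPD entry related to this Negotiation.
-@param[in] Context Point to data passed from the caller.
-@retval EFI_SUCCESS The operation is successful.
-@retval Otherwise The operation is failed.
-**/
-typedef
-EFI_STATUS
-(*IKE_NEGOTIATE_CHILD_SA) (
-IN UINT8 *IkeSaSession,
-IN IPSEC_SPD_ENTRY *SpdEntry,
-IN UINT8 *Context
-);
-/**
-This is prototype definition of the general interface when initialize a Inforamtion
-Exchange.
-@param[in] IkeSaSession Point to IKE SA Session related to.
-@param[in] Context Point to data passed from caller.
-**/
-typedef
-EFI_STATUS
-(*IKE_NEGOTIATE_INFO) (
-IN UINT8 *IkeSaSession,
-IN UINT8 *Context
-);
-/**
-This is prototype definition of the general interface when recived a IKE Pakcet
-for the IKE SA establishing.
-@param[in] UdpService Point to UDP service used to send IKE Packet.
-@param[in] IkePacket Point to received IKE packet.
-**/
-typedef
-VOID
-(*IKE_HANDLE_SA) (
-IN IKE_UDP_SERVICE *UdpService,
-IN IKE_PACKET *IkePacket
-);
-/**
-This is prototyp definition of the general interface when recived a IKE Packet
-xfor the Child SA establishing.
-@param[in] UdpService Point to UDP service used to send IKE packet.
-@param[in] IkePacket Point to received IKE packet.
-**/
-typedef
-VOID
-(*IKE_HANDLE_CHILD_SA) (
-IN IKE_UDP_SERVICE *UdpService,
-IN IKE_PACKET *IkePacket
-);
-/**
-This is prototype definition of the general interface when received a IKE
-information Packet.
-@param[in] UdpService Point to UDP service used to send IKE packet.
-@param[in] IkePacket Point to received IKE packet.
-**/
-typedef
-VOID
-(*IKE_HANDLE_INFO) (
-IN IKE_UDP_SERVICE *UdpService,
-IN IKE_PACKET *IkePacket
-);
-typedef struct _IKE_EXCHANGE_INTERFACE {
-UINT8 IkeVer;
-IKE_NEGOTIATE_SA NegotiateSa;
-IKE_NEGOTIATE_CHILD_SA NegotiateChildSa;
-IKE_NEGOTIATE_INFO NegotiateInfo;
-IKE_HANDLE_SA HandleSa;
-IKE_HANDLE_CHILD_SA HandleChildSa;
-IKE_HANDLE_INFO HandleInfo;
-} IKE_EXCHANGE_INTERFACE;
-/**
-Open and configure a UDPIO of Udp4 for IKE packet receiving.
-This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
-a UDP4 IO for each NIC handle.
-@param[in] Private Point to IPSEC_PRIVATE_DATA
-@param[in] Controller Handler for NIC card.
-@param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-@retval EFI_SUCCESS The Operation is successful.
-@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-**/
-EFI_STATUS
-IkeOpenInputUdp4 (
-IN IPSEC_PRIVATE_DATA *Private,
-IN EFI_HANDLE Controller,
-IN EFI_HANDLE ImageHandle
-);
-/**
-Open and configure a UDPIO of Udp6 for IKE packet receiving.
-This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
-IO for each NIC handle.
-@param[in] Private Point to IPSEC_PRIVATE_DATA
-@param[in] Controller Handler for NIC card.
-@param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-@retval EFI_SUCCESS The Operation is successful.
-@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-**/
-EFI_STATUS
-IkeOpenInputUdp6 (
-IN IPSEC_PRIVATE_DATA *Private,
-IN EFI_HANDLE Controller,
-IN EFI_HANDLE ImageHandle
-);
-/**
-The general interface of starting IPsec Key Exchange.
-This function is called when start a IKE negotiation to get a Key.
-@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
-IKE packet sending.
-@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
-@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
-@retval EFI_SUCCESS The Operation is successful.
-@retval EFI_ACCESS_DENIED No related PAD entry was found.
-**/
-EFI_STATUS
-IkeNegotiate (
-IN IKE_UDP_SERVICE *UdpService,
-IN IPSEC_SPD_ENTRY *SpdEntry,
-IN EFI_IP_ADDRESS *RemoteIp
-);
-/**
-The general interface when receive a IKE packet.
-This function is called when UDP IO receives a IKE packet.
-@param[in] Packet Point to received IKE packet.
-@param[in] EndPoint Point to UDP_END_POINT which contains the information of
-Remote IP and Port.
-@param[in] IoStatus The Status of Recieve Token.
-@param[in] Context Point to data passed from the caller.
-**/
-VOID
-EFIAPI
-IkeDispatch (
-IN NET_BUF *Packet,
-IN UDP_END_POINT *EndPoint,
-IN EFI_STATUS IoStatus,
-IN VOID *Context
-);
-/**
-Check if the NIC handle is binded to a Udp service.
-@param[in] Private Pointer of IPSEC_PRIVATE_DATA
-@param[in] Handle The Handle of the NIC card
-@param[in] IpVersion The version of the IP stack.
-@return a pointer of IKE_UDP_SERVICE.
-**/
-IKE_UDP_SERVICE *
-IkeLookupUdp (
-IN IPSEC_PRIVATE_DATA *Private,
-IN EFI_HANDLE Handle,
-IN UINT8 IpVersion
-);
-/**
-Delete all established IKE SAs and related Child SAs.
-This function is the subfunction of the IpSecCleanupAllSa(). It first calls
-IkeDeleteChildSa() to delete all Child SAs then send out the related
-Information packet.
-@param[in] Private Pointer of the IPSEC_PRIVATE_DATA.
-@param[in] IsDisableIpsec Indicate whether needs to disable IPsec.
-**/
-VOID
-IkeDeleteAllSas (
-IN IPSEC_PRIVATE_DATA *Private,
-IN BOOLEAN IsDisableIpsec
-);
-extern IKE_EXCHANGE_INTERFACE mIkev1Exchange;
-extern IKE_EXCHANGE_INTERFACE mIkev2Exchange;
-#endif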

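--- a/<path not shown on page>
+++ /dev/null
@@ -1,193 +0,0 @@
-/** @file
-The operations for Child SA.
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-**/
-#include "Utility.h"
-/**
-Generate IKE Packet for CREATE_CHILD_SA exchange.
-This IKE Packet would be the packet for creating new CHILD SA, or the packet for
-rekeying existing IKE SA, or the packet for existing CHILD SA.
-@param[in] SaSession Pointer to related SA session.
-@param[in] Context The data passed by the caller.
-return a pointer of IKE packet.
-**/
-IKE_PACKET *
-Ikev2CreateChildGenerator (
-IN UINT8 *SaSession,
-IN VOID *Context
-)
-{
-IKEV2_CHILD_SA_SESSION *ChildSaSession;
-IKEV2_SA_SESSION *IkeSaSession;
-IKE_PACKET *IkePacket;
-IKE_PAYLOAD *NotifyPayload;
-UINT32 *MessageId;
-NotifyPayload = NULL;
-MessageId = NULL;
-ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;
-if (ChildSaSession == NULL) {
-return NULL;
-}
-IkePacket = IkePacketAlloc();
-if (IkePacket == NULL) {
-return NULL;
-}
-if (Context != NULL) {
-MessageId = (UINT32 *) Context;
-}
-IkePacket->Header->Version = (UINT8) (2 << 4);
-IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NOTIFY;
-IkePacket->Header->ExchangeType = IKE_XCG_TYPE_CREATE_CHILD_SA;
-if (ChildSaSession->SessionCommon.IkeSessionType == IkeSessionTypeChildSa) {
-//
-// 1.a Fill the IkePacket->Hdr
-//
-IkePacket->Header->InitiatorCookie = ChildSaSession->IkeSaSession->InitiatorCookie;
-IkePacket->Header->ResponderCookie = ChildSaSession->IkeSaSession->ResponderCookie;
-if (MessageId != NULL) {
-IkePacket->Header->MessageId = *MessageId;
-} else {
-IkePacket->Header->MessageId = ChildSaSession->MessageId;
-}
-if (ChildSaSession->SessionCommon.IsInitiator) {
-IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
-}
-} else {
-IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
-//
-// 1.a Fill the IkePacket->Hdr
-//
-IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
-IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
-if (MessageId != NULL) {
-IkePacket->Header->MessageId = *MessageId;
-} else {
-IkePacket->Header->MessageId = IkeSaSession->MessageId;
-}
-if (IkeSaSession->SessionCommon.IsInitiator) {
-IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
-}
-}
-if (MessageId != NULL) {
-IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
-}
-//
-// According to RFC4306, Chapter 4.
-// A minimal implementation may support the CREATE_CHILD_SA exchange only to
-// recognize requests and reject them with a Notify payload of type NO_ADDITIONAL_SAS.
-//
-NotifyPayload = Ikev2GenerateNotifyPayload (
-0,
-IKEV2_PAYLOAD_TYPE_NONE,
-0,
-IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS,
-NULL,
-NULL,
-0
-);
-if (NotifyPayload == NULL) {
-IkePacketFree (IkePacket);
-return NULL;
-}
-IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);
-//
-// TODO: Support the CREATE_CHILD_SA exchange.
-//
-return IkePacket;
-}
-/**
-Parse the IKE packet of CREATE_CHILD_SA exchange.
-This function parse the IKE packet and save the related information to further
-calculation.
-@param[in] SaSession Pointer to IKEv2_CHILD_SA_SESSION related to this Exchange.
-@param[in] IkePacket Received packet to be parsed.
-@retval EFI_SUCCESS The IKE Packet is acceptable.
-@retval EFI_UNSUPPORTED Not support the CREATE_CHILD_SA request.
-**/
-EFI_STATUS
-Ikev2CreateChildParser (
-IN UINT8 *SaSession,
-IN IKE_PACKET *IkePacket
-)
-{
-return EFI_UNSUPPORTED;
-}
-/**
-Routine process before the payload decoding.
-@param[in] SessionCommon Pointer to ChildSa SessionCommon.
-@param[in] PayloadBuf Pointer to the payload.
-@param[in] PayloadSize Size of PayloadBuf in byte.
-@param[in] PayloadType Type of Payload.
-**/
-VOID
-Ikev2ChildSaBeforeDecodePayload (
-IN UINT8 *SessionCommon,
-IN UINT8 *PayloadBuf,
-IN UINTN PayloadSize,
-IN UINT8 PayloadType
-)
-{
-}
-/**
-Routine Process after the payload encoding.
-@param[in] SessionCommon Pointer to ChildSa SessionCommon.
-@param[in] PayloadBuf Pointer to the payload.
-@param[in] PayloadSize Size of PayloadBuf in byte.
-@param[in] PayloadType Type of Payload.
-**/
-VOID
-Ikev2ChildSaAfterEncodePayload (
-IN UINT8 *SessionCommon,
-IN UINT8 *PayloadBuf,
-IN UINTN PayloadSize,
-IN UINT8 PayloadType
-)
-{
-}
-IKEV2_PACKET_HANDLER mIkev2CreateChild = {
-//
-// Create Child
-//
-Ikev2CreateChildParser,
-Ikev2CreateChildGenerator
-};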


@ -1,803 +0,0 @@
/** @file
The general interfaces of the IKEv2.
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "Utility.h"
#include "IpSecDebug.h"
#include "IkeService.h"
#include "IpSecConfigImpl.h"
/**
General interface to intialize a IKEv2 negotiation.
@param[in] UdpService Point to Udp Servcie used for the IKE packet sending.
@param[in] SpdEntry Point to SPD entry related to this IKE negotiation.
@param[in] PadEntry Point to PAD entry related to this IKE negotiation.
@param[in] RemoteIp Point to IP Address which the remote peer to negnotiate.
@retval EFI_SUCCESS The operation is successful.
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
@retval EFI_INVALID_PARAMETER If UdpService or RemoteIp is NULL.
@return Others The operation is failed.
**/
EFI_STATUS
Ikev2NegotiateSa (
IN IKE_UDP_SERVICE *UdpService,
IN IPSEC_SPD_ENTRY *SpdEntry,
IN IPSEC_PAD_ENTRY *PadEntry,
IN EFI_IP_ADDRESS *RemoteIp
)
{
IPSEC_PRIVATE_DATA *Private;
IKEV2_SA_SESSION *IkeSaSession;
IKEV2_SESSION_COMMON *SessionCommon;
IKEV2_PACKET_HANDLER Handler;
IKE_PACKET *IkePacket;
EFI_STATUS Status;
if (UdpService == NULL || RemoteIp == NULL) {
return EFI_INVALID_PARAMETER;
}
IkePacket = NULL;
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
//
// Lookup the remote ip address in the processing IKE SA session list.
//
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2SessionList, RemoteIp);
if (IkeSaSession != NULL) {
//
// Drop the packet if already in process.
//
return EFI_SUCCESS;
}
//
// Create a new IkeSaSession and initiate the common parameters.
//
IkeSaSession = Ikev2SaSessionAlloc (Private, UdpService);
if (IkeSaSession == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Set the specific parameters and state(IKE_STATE_INIT).
//
IkeSaSession->Spd = SpdEntry;
IkeSaSession->Pad = PadEntry;
SessionCommon = &IkeSaSession->SessionCommon;
SessionCommon->IsInitiator = TRUE;
SessionCommon->State = IkeStateInit;
//
// TODO: Get the prefer DH Group from the IPsec Configuration, after the IPsecconfig application update
// to support it.
//
SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP;
CopyMem (
&SessionCommon->RemotePeerIp,
RemoteIp,
sizeof (EFI_IP_ADDRESS)
);
CopyMem (
&SessionCommon->LocalPeerIp,
&UdpService->DefaultAddress,
sizeof (EFI_IP_ADDRESS)
);
IKEV2_DUMP_STATE (SessionCommon->State, IkeStateInit);
//
// Initiate the SAD data of the IkeSaSession.
//
IkeSaSession->SaData = Ikev2InitializeSaData (SessionCommon);
if (IkeSaSession->SaData == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_ERROR;
}
//
// Generate an IKE request packet and send it out.
//
Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][SessionCommon->State];
IkePacket = Handler.Generator ((UINT8 *) IkeSaSession, NULL);
if (IkePacket == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_ERROR;
}
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SessionCommon, IkePacket, 0);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
//
// Insert the current IkeSaSession into the processing IKE SA list.
//
Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, RemoteIp);
return EFI_SUCCESS;
ON_ERROR:
if (IkePacket != NULL) {
IkePacketFree (IkePacket);
}
Ikev2SaSessionFree (IkeSaSession);
return Status;
}
/**
It is general interface to negotiate the Child SA.
There are three situations which will invoke this function. First, create a CHILD
SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context
is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a
IKEv2_CHILD_SA_SESSION.
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
@param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation.
@param[in] Context The data pass from the caller.
@retval EFI_SUCCESS The operation is successful.
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
@retval EFI_UNSUPPORTED The condition is not support yet.
@return Others The operation is failed.
**/
EFI_STATUS
Ikev2NegotiateChildSa (
IN UINT8 *IkeSaSession,
IN IPSEC_SPD_ENTRY *SpdEntry,
IN UINT8 *Context
)
{
EFI_STATUS Status;
IKEV2_SA_SESSION *SaSession;
IKEV2_CHILD_SA_SESSION *ChildSaSession;
IKEV2_SESSION_COMMON *ChildSaCommon;
IKE_PACKET *IkePacket;
IKE_UDP_SERVICE *UdpService;
SaSession = (IKEV2_SA_SESSION*) IkeSaSession;
UdpService = SaSession->SessionCommon.UdpService;
IkePacket = NULL;
//
// 1. Create another child SA session if context is null.
// 2. Rekeying the IKE SA session if the context is IKE SA session.
// 3. Rekeying the child SA session if the context is child SA session.
//
if (Context == NULL) {
//
// Create a new ChildSaSession and initiate the common parameters.
//
ChildSaSession = Ikev2ChildSaSessionAlloc (UdpService, SaSession);
if (ChildSaSession == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Set the specific parameters and state as IKE_STATE_CREATE_CHILD.
//
ChildSaSession->Spd = SpdEntry;
ChildSaCommon = &ChildSaSession->SessionCommon;
ChildSaCommon->IsInitiator = TRUE;
ChildSaCommon->State = IkeStateCreateChild;
IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild);
if (SpdEntry->Selector->NextLayerProtocol != EFI_IPSEC_ANY_PROTOCOL) {
ChildSaSession->ProtoId = SpdEntry->Selector->NextLayerProtocol;
}
if (SpdEntry->Selector->LocalPort != EFI_IPSEC_ANY_PORT) {
ChildSaSession->LocalPort = SpdEntry->Selector->LocalPort;
}
if (SpdEntry->Selector->RemotePort != EFI_IPSEC_ANY_PORT) {
ChildSaSession->RemotePort = SpdEntry->Selector->RemotePort;
}
//
// Initiate the SAD data parameters of the ChildSaSession.
//
ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);
if (ChildSaSession->SaData == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_ERROR;
}
//
// Generate an IKE request packet and send it out.
//
IkePacket = mIkev2CreateChild.Generator ((UINT8 *) ChildSaSession, NULL);
if (IkePacket == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_ERROR;
}
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) ChildSaCommon, IkePacket, 0);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
//
// Insert the ChildSaSession into processing child SA list.
//
Ikev2ChildSaSessionInsert (&SaSession->ChildSaSessionList, ChildSaSession);
} else {
//
// TODO: Rekeying IkeSaSession or ChildSaSession, NOT support yet.
//
// Rekey IkeSa, set IkeSaSession->State and pass over IkeSaSession
// Rekey ChildSa, set ChildSaSession->State and pass over ChildSaSession
//
return EFI_UNSUPPORTED;
}
return EFI_SUCCESS;
ON_ERROR:
if (ChildSaSession->SaData != NULL) {
FreePool (ChildSaSession->SaData);
}
if (ChildSaSession->SessionCommon.TimeoutEvent != NULL) {
gBS->CloseEvent (ChildSaSession->SessionCommon.TimeoutEvent);
}
if (IkePacket != NULL) {
IkePacketFree (IkePacket);
}
Ikev2ChildSaSessionFree (ChildSaSession);
return Status;
}
/**
It is general interface to start the Information Exchange.
There are three situations which will invoke this function. First, deliver a Delete Information
to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on
deleting.Second, deliver a Notify Information without the contents if the input Context is NULL.
Third, deliver a Notify Information if the input Context is not NULL.
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
@param[in] Context Data passed by caller.
@retval EFI_SUCCESS The operation is successful.
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
@retval EFI_UNSUPPORTED The condition is not support yet.
@return Otherwise The operation is failed.
**/
EFI_STATUS
Ikev2NegotiateInfo (
IN UINT8 *IkeSaSession,
IN UINT8 *Context
)
{
EFI_STATUS Status;
IKEV2_SA_SESSION *Ikev2SaSession;
IKEV2_CHILD_SA_SESSION *ChildSaSession;
IKEV2_SESSION_COMMON *SaCommon;
IKE_PACKET *IkePacket;
IKE_UDP_SERVICE *UdpService;
LIST_ENTRY *Entry;
LIST_ENTRY *NextEntry;
Ikev2SaSession = (IKEV2_SA_SESSION *) IkeSaSession;
UdpService = Ikev2SaSession->SessionCommon.UdpService;
SaCommon = &Ikev2SaSession->SessionCommon;
IkePacket = NULL;
Status = EFI_SUCCESS;
//
// Delete the IKE SA.
//
if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {
//
// Generate Information Packet which contains the Delete Payload.
//
IkePacket = mIkev2Info.Generator ((UINT8 *) Ikev2SaSession, NULL);
if (IkePacket == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_ERROR;
}
//
// Send out the Packet
//
if (UdpService != NULL && UdpService->Output != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
}
} else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {
//
// Iterate all Deleting Child SAs.
//
NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Ikev2SaSession->DeleteSaList) {
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry);
ChildSaSession->SessionCommon.State = IkeStateSaDeleting;
//
// Generate Information Packet which contains the Child SA Delete Payload.
//
IkePacket = mIkev2Info.Generator ((UINT8 *) ChildSaSession, NULL);
if (IkePacket == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto ON_ERROR;
}
//
// Send out the Packet
//
if (UdpService != NULL && UdpService->Output != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
}
}
} else if (Context == NULL) {
//
// TODO: Deliver null notification message.
//
} else if (Context != NULL) {
//
// TODO: Send out the Information Exchange which contains the Notify Payload.
//
}
ON_ERROR:
if (IkePacket != NULL) {
IkePacketFree (IkePacket);
}
return Status;
}
/**
The general interface when received a IKEv2 packet for the IKE SA establishing.
This function first find the related IKE SA Session according to the IKE packet's
remote IP. Then call the corresponding function to handle this IKE packet according
to the related IKE SA Session's State.
@param[in] UdpService Pointer of related UDP Service.
@param[in] IkePacket Data passed by caller.
**/
VOID
Ikev2HandleSa (
IN IKE_UDP_SERVICE *UdpService,
IN IKE_PACKET *IkePacket
)
{
EFI_STATUS Status;
IKEV2_SA_SESSION *IkeSaSession;
IKEV2_CHILD_SA_SESSION *ChildSaSession;
IKEV2_SESSION_COMMON *IkeSaCommon;
IKEV2_SESSION_COMMON *ChildSaCommon;
IKEV2_PACKET_HANDLER Handler;
IKE_PACKET *Reply;
IPSEC_PAD_ENTRY *PadEntry;
IPSEC_PRIVATE_DATA *Private;
BOOLEAN IsNewSession;
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
ChildSaSession = NULL;
ChildSaCommon = NULL;
//
// Lookup the remote ip address in the processing IKE SA session list.
//
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2SessionList, &IkePacket->RemotePeerIp);
IsNewSession = FALSE;
if (IkeSaSession == NULL) {
//
// Lookup the remote ip address in the pad.
//
PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, &IkePacket->RemotePeerIp);
if (PadEntry == NULL) {
//
// Drop the packet if no pad entry matched, this is the request from RFC 4301.
//
return ;
}
//
// Create a new IkeSaSession and initiate the common parameters.
//
IkeSaSession = Ikev2SaSessionAlloc (Private, UdpService);
if (IkeSaSession == NULL) {
return;
}
IkeSaSession->Pad = PadEntry;
IkeSaCommon = &IkeSaSession->SessionCommon;
IkeSaCommon->IsInitiator = FALSE;
IkeSaCommon->State = IkeStateInit;
IKEV2_DUMP_STATE (IkeSaCommon->State, IkeStateInit);
CopyMem (
&IkeSaCommon->RemotePeerIp,
&IkePacket->RemotePeerIp,
sizeof (EFI_IP_ADDRESS)
);
CopyMem (
&IkeSaCommon->LocalPeerIp,
&UdpService->DefaultAddress,
sizeof (EFI_IP_ADDRESS)
);
IsNewSession = TRUE;
}
//
// Validate the IKE packet header.
//
if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
//
// Drop the packet if invalid IKE header.
//
goto ON_ERROR;
}
//
// Decode all the payloads in the IKE packet.
//
IkeSaCommon = &IkeSaSession->SessionCommon;
Status = Ikev2DecodePacket (IkeSaCommon, IkePacket, IkeSessionTypeIkeSa);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
//
// Try to reate the first ChildSa Session of that IkeSaSession.
// If the IkeSaSession is responder, here will create the first ChildSaSession.
//
if (IkeSaCommon->State == IkeStateAuth && IsListEmpty(&IkeSaSession->ChildSaSessionList)) {
//
// Generate a piggyback child SA in IKE_STATE_AUTH state.
//
ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&
IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
if (ChildSaSession == NULL) {
goto ON_ERROR;
}
ChildSaCommon = &ChildSaSession->SessionCommon;
}
//
// Parse the IKE request packet according to the auth method and current state.
//
Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaCommon->State];
Status = Handler.Parser ((UINT8 *)IkeSaSession, IkePacket);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
//
// Try to reate the first ChildSa Session of that IkeSaSession.
// If the IkeSaSession is initiator, here will create the first ChildSaSession.
//
if (IkeSaCommon->State == IkeStateAuth && IsListEmpty(&IkeSaSession->ChildSaSessionList)) {
//
// Generate a piggyback child SA in IKE_STATE_AUTH state.
//
ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&
IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
if (ChildSaSession == NULL) {
goto ON_ERROR;
}
ChildSaCommon = &ChildSaSession->SessionCommon;
//
// Initialize the SA data for Child SA.
//
ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);
}
//
// Generate the IKE response packet and send it out if not established.
//
if (IkeSaCommon->State != IkeStateIkeSaEstablished) {
Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaCommon->State];
Reply = Handler.Generator ((UINT8 *) IkeSaSession, NULL);
if (Reply == NULL) {
goto ON_ERROR;
}
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) IkeSaCommon, Reply, 0);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
if (!IkeSaCommon->IsInitiator) {
IkeSaCommon->State ++;
IKEV2_DUMP_STATE (IkeSaCommon->State - 1, IkeSaCommon->State);
}
}
//
// Insert the new IkeSaSession into the Private processing IkeSaSession List.
//
if (IsNewSession) {
Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, &IkePacket->RemotePeerIp);
}
//
// Register the IkeSaSession and remove it from processing list.
//
if (IkeSaCommon->State == IkeStateIkeSaEstablished) {
//
// Remove the Established IKE SA Session from the IKE SA Session Negotiating list
// and insert it into IKE SA Session Established list.
//
Ikev2SaSessionRemove (&Private->Ikev2SessionList, &IkePacket->RemotePeerIp);
Ikev2SaSessionReg (IkeSaSession, Private);
//
// Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList
// ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA
// into SAD.
//
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink);
Ikev2ChildSaSessionRemove (
&IkeSaSession->ChildSaSessionList,
ChildSaSession->LocalPeerSpi,
IKEV2_ESTABLISHING_CHILDSA_LIST
);
Ikev2ChildSaSessionReg (ChildSaSession, Private);
}
return ;
ON_ERROR:
if (ChildSaSession != NULL) {
//
// Remove the ChildSa from the list (Established list or Negotiating list).
//
RemoveEntryList (&ChildSaSession->ByIkeSa);
Ikev2ChildSaSessionFree (ChildSaSession);
}
if (IsNewSession && IkeSaSession != NULL) {
//
// Remove the IkeSa from the list (Established list or Negotiating list).
//
if ((&IkeSaSession->BySessionTable)->ForwardLink != NULL &&
!IsListEmpty (&IkeSaSession->BySessionTable
)){
RemoveEntryList (&IkeSaSession->BySessionTable);
}
Ikev2SaSessionFree (IkeSaSession);
}
return ;
}
/**
The general interface when received a IKEv2 packet for the IKE Child SA establishing
or IKE SA/CHILD SA rekeying.
This function first find the related IKE SA Session according to the IKE packet's
remote IP. Then call the corresponding function to handle this IKE packet according
to the related IKE Child Session's State.
@param[in] UdpService Pointer of related UDP Service.
@param[in] IkePacket Data passed by caller.
**/
VOID
Ikev2HandleChildSa (
IN IKE_UDP_SERVICE *UdpService,
IN IKE_PACKET *IkePacket
)
{
EFI_STATUS Status;
IKEV2_SA_SESSION *IkeSaSession;
IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType;
IKE_PACKET *Reply;
IPSEC_PRIVATE_DATA *Private;
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
Reply = NULL;
//
// Lookup the remote ip address in the processing IKE SA session list.
//
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);
if (IkeSaSession == NULL) {
//
// Drop the packet if no IKE SA associated.
//
return ;
}
//
// Validate the IKE packet header.
//
if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
//
// Drop the packet if invalid IKE header.
//
return;
}
//
// Decode all the payloads in the IKE packet.
//
Status = Ikev2DecodePacket (&IkeSaSession->SessionCommon, IkePacket, IkeSessionTypeIkeSa);
if (EFI_ERROR (Status)) {
return;
}
//
// Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa.
//
RequestType = Ikev2ChildExchangeRequestType (IkePacket);
switch (RequestType) {
case IkeRequestTypeCreateChildSa:
case IkeRequestTypeRekeyChildSa:
case IkeRequestTypeRekeyIkeSa:
//
// Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so
// only EFI_UNSUPPORTED will be returned and that will trigger a reply with a
// Notify payload of type NO_ADDITIONAL_SAS.
//
Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket);
if (EFI_ERROR (Status)) {
goto ON_REPLY;
}
default:
//
// No support.
//
return ;
}
ON_REPLY:
//
// Generate the reply packet if needed and send it out.
//
if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) {
Reply = mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession, &IkePacket->Header->MessageId);
if (Reply != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &(IkeSaSession->SessionCommon), Reply, 0);
if (EFI_ERROR (Status)) {
//
// Delete Reply payload.
//
if (Reply != NULL) {
IkePacketFree (Reply);
}
}
}
}
return ;
}
/**
It is general interface to handle IKEv2 information Exchange.
@param[in] UdpService Point to IKE UPD Service related to this information exchange.
@param[in] IkePacket The IKE packet to be parsed.
**/
VOID
Ikev2HandleInfo (
IN IKE_UDP_SERVICE *UdpService,
IN IKE_PACKET *IkePacket
)
{
EFI_STATUS Status;
IKEV2_SESSION_COMMON *SessionCommon;
IKEV2_SA_SESSION *IkeSaSession;
IPSEC_PRIVATE_DATA *Private;
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
//
// Lookup the remote ip address in the processing IKE SA session list.
//
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);
if (IkeSaSession == NULL) {
//
// Drop the packet if no IKE SA associated.
//
return ;
}
//
// Validate the IKE packet header.
//
if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
//
// Drop the packet if invalid IKE header.
//
return;
}
SessionCommon = &IkeSaSession->SessionCommon;
//
// Decode all the payloads in the IKE packet.
//
Status = Ikev2DecodePacket (SessionCommon, IkePacket, IkeSessionTypeIkeSa);
if (EFI_ERROR (Status)) {
return;
}
Status = mIkev2Info.Parser ((UINT8 *)IkeSaSession, IkePacket);
if (EFI_ERROR (Status)) {
//
// Drop the packet if fail to parse.
//
return;
}
}
IKE_EXCHANGE_INTERFACE mIkev1Exchange = {
1,
NULL, //Ikev1NegotiateSa
NULL, //Ikev1NegotiateChildSa
NULL,
NULL, //Ikev1HandleSa,
NULL, //Ikev1HandleChildSa
NULL, //Ikev1HandleInfo
};
IKE_EXCHANGE_INTERFACE mIkev2Exchange = {
2,
Ikev2NegotiateSa,
Ikev2NegotiateChildSa,
Ikev2NegotiateInfo,
Ikev2HandleSa,
Ikev2HandleChildSa,
Ikev2HandleInfo
};


@ -1,252 +0,0 @@
/** @file
IKEv2 related definitions.
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _IKE_V2_H_
#define _IKE_V2_H_
#include "Ike.h"
#include "Payload.h"
#define IKEV2_TS_ANY_PORT 0xffff
#define IKEV2_TS_ANY_PROTOCOL 0
#define IKEV2_DELET_CHILDSA_LIST 0
#define IKEV2_ESTABLISHING_CHILDSA_LIST 1
#define IKEV2_ESTABLISHED_CHILDSA_LIST 2
#define IKEV2_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E', 'I')
#define IKEV2_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_SA_SESSION, SessionCommon, IKEV2_SA_SESSION_SIGNATURE)
#define IKEV2_SA_SESSION_BY_SESSION(a) CR (a, IKEV2_SA_SESSION, BySessionTable, IKEV2_SA_SESSION_SIGNATURE)
#define IKEV2_SA_SESSION_BY_ESTABLISHED(a) CR (a, IKEV2_SA_SESSION, ByEstablishedTable, IKEV2_SA_SESSION_SIGNATURE)
#define IKEV2_CHILD_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E', 'C')
#define IKEV2_CHILD_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_CHILD_SA_SESSION, SessionCommon, IKEV2_CHILD_SA_SESSION_SIGNATURE)
#define IKEV2_CHILD_SA_SESSION_BY_IKE_SA(a) CR (a, IKEV2_CHILD_SA_SESSION, ByIkeSa, IKEV2_CHILD_SA_SESSION_SIGNATURE)
#define IKEV2_CHILD_SA_SESSION_BY_DEL_SA(a) CR (a, IKEV2_CHILD_SA_SESSION, ByDelete, IKEV2_CHILD_SA_SESSION_SIGNATURE)
#define IS_IKEV2_SA_SESSION(s) ((s)->Common.IkeSessionType == IkeSessionTypeIkeSa)
#define IKEV2_SA_FIRST_PROPOSAL(Sa) (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1)
#define IKEV2_NEXT_TRANSFORM_WITH_SIZE(Transform,TransformSize) \
(IKEV2_TRANSFORM *) ((UINT8 *)(Transform) + (TransformSize))
#define IKEV2_NEXT_PROPOSAL_WITH_SIZE(Proposal, ProposalSize) \
(IKEV2_PROPOSAL *) ((UINT8 *)(Proposal) + (ProposalSize))
#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \
(IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \
(((IKEV2_PROPOSAL *)(Proposal))->SpiSize))
#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \
(IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \
(((IKEV2_PROPOSAL *)(Proposal))->SpiSize))
typedef enum {
IkeStateInit,
IkeStateAuth,
IkeStateIkeSaEstablished,
IkeStateCreateChild,
IkeStateSaRekeying,
IkeStateChildSaEstablished,
IkeStateSaDeleting,
IkeStateMaximum
} IKEV2_SESSION_STATE;
typedef enum {
IkeRequestTypeCreateChildSa,
IkeRequestTypeRekeyChildSa,
IkeRequestTypeRekeyIkeSa,
IkeRequestTypeMaximum
} IKEV2_CREATE_CHILD_REQUEST_TYPE;
typedef struct {
UINT8 *GxBuffer;
UINTN GxSize;
UINT8 *GyBuffer;
UINTN GySize;
UINT8 *GxyBuffer;
UINTN GxySize;
UINT8 *DhContext;
} IKEV2_DH_BUFFER;
typedef struct {
IKEV2_DH_BUFFER *DhBuffer;
UINT8 *SkdKey;
UINTN SkdKeySize;
UINT8 *SkAiKey;
UINTN SkAiKeySize;
UINT8 *SkArKey;
UINTN SkArKeySize;
UINT8 *SkEiKey;
UINTN SkEiKeySize;
UINT8 *SkErKey;
UINTN SkErKeySize;
UINT8 *SkPiKey;
UINTN SkPiKeySize;
UINT8 *SkPrKey;
UINTN SkPrKeySize;
} IKEV2_SESSION_KEYS;
typedef struct {
UINT16 LifeType;
UINT64 LifeDuration;
UINT16 EncAlgId;
UINTN EnckeyLen;
UINT16 Prf;
UINT16 IntegAlgId;
UINTN IntegKeyLen;
UINT16 DhGroup;
UINT8 ExtSeq;
} IKEV2_SA_PARAMS;
//
// Internal Payload
//
typedef struct {
IKEV2_SA SaHeader;
UINTN NumProposals;
//
// IKE_PROPOSAL_DATA Proposals[1];
//
} IKEV2_SA_DATA;
typedef struct {
UINT8 ProposalIndex;
UINT8 ProtocolId;
UINT8 *Spi;
UINT8 NumTransforms;
//
// IKE_TRANSFORM_DATA Transforms[1];
//
} IKEV2_PROPOSAL_DATA;
typedef struct {
UINT8 TransformIndex;
UINT8 TransformType;
UINT16 TransformId;
IKE_SA_ATTRIBUTE Attribute;
} IKEV2_TRANSFORM_DATA;
typedef struct {
UINT8 IkeVer;
IKE_SESSION_TYPE IkeSessionType;
BOOLEAN IsInitiator;
BOOLEAN IsOnDeleting; // Flag to indicate whether the SA is on deleting.
IKEV2_SESSION_STATE State;
EFI_EVENT TimeoutEvent;
UINT64 TimeoutInterval;
UINTN RetryCount;
IKE_PACKET *LastSentPacket;
IKEV2_SA_PARAMS *SaParams;
UINT16 PreferDhGroup;
EFI_IP_ADDRESS RemotePeerIp;
EFI_IP_ADDRESS LocalPeerIp;
IKE_ON_PAYLOAD_FROM_NET BeforeDecodePayload;
IKE_ON_PAYLOAD_FROM_NET AfterEncodePayload;
IKE_UDP_SERVICE *UdpService;
IPSEC_PRIVATE_DATA *Private;
} IKEV2_SESSION_COMMON;
typedef struct {
UINT32 Signature;
IKEV2_SESSION_COMMON SessionCommon;
UINT64 InitiatorCookie;
UINT64 ResponderCookie;
//
// Initiator: SA proposals to be sent
// Responder: SA proposals to be matched
//
IKEV2_SA_DATA *SaData; // SA Private struct used for SA payload generation
IKEV2_SESSION_KEYS *IkeKeys;
UINT8 *NiBlock;
UINTN NiBlkSize;
UINT8 *NrBlock;
UINTN NrBlkSize;
UINT8 *NCookie; // Buffer Contains the Notify Cookie
UINTN NCookieSize; // Size of NCookie
IPSEC_PAD_ENTRY *Pad;
IPSEC_SPD_ENTRY *Spd; // SPD that requested the negotiation, TODO: better use SPD selector
LIST_ENTRY ChildSaSessionList;
LIST_ENTRY ChildSaEstablishSessionList; // For Establish Child SA.
LIST_ENTRY InfoMIDList; // For Information MID
LIST_ENTRY DeleteSaList; // For deteling Child SA.
UINT8 *InitPacket;
UINTN InitPacketSize;
UINT8 *RespPacket;
UINTN RespPacketSize;
UINT32 MessageId;
LIST_ENTRY BySessionTable; // Use for all IkeSaSession Links
} IKEV2_SA_SESSION;
typedef struct {
UINT32 Signature;
IKEV2_SESSION_COMMON SessionCommon;
IKEV2_SA_SESSION *IkeSaSession;
UINT32 MessageId;
IKEV2_SA_DATA *SaData;
UINT8 IpsecProtocol;
UINT32 LocalPeerSpi;
UINT32 RemotePeerSpi;
UINT8 *NiBlock;
UINTN NiBlkSize;
UINT8 *NrBlock;
UINTN NrBlkSize;
SA_KEYMATS ChildKeymats;
IKEV2_DH_BUFFER *DhBuffer; //New DH exchnaged by CREATE_CHILD_SA
IPSEC_SPD_ENTRY *Spd;
EFI_IPSEC_SPD_SELECTOR *SpdSelector;
UINT16 ProtoId;
UINT16 RemotePort;
UINT16 LocalPort;
LIST_ENTRY ByIkeSa;
LIST_ENTRY ByDelete;
} IKEV2_CHILD_SA_SESSION;
typedef enum {
Ikev2InfoNotify,
Ikev2InfoDelete,
Ikev2InfoLiveCheck
} IKEV2_INFO_TYPE;
//
// This struct is used to pass the detail infromation to the InfoGenerator() for
// the response Information Exchange Message creatation.
//
typedef struct {
UINT32 MessageId;
IKEV2_INFO_TYPE InfoType;
} IKEV2_INFO_EXCHANGE_CONTEXT;
typedef struct {
UINTN DataSize;
UINT8 *Data;
} PRF_DATA_FRAGMENT;
typedef
IKE_PACKET *
(*IKEV2_PACKET_GENERATOR) (
IN UINT8 *SaSession,
IN VOID *Context
);
typedef
EFI_STATUS
(*IKEV2_PACKET_PARSER) (
IN UINT8 *SaSession,
IN IKE_PACKET *IkePacket
);
typedef struct {
IKEV2_PACKET_PARSER Parser;
IKEV2_PACKET_GENERATOR Generator;
} IKEV2_PACKET_HANDLER;
extern IKEV2_PACKET_HANDLER mIkev2Initial[][2];
extern IKEV2_PACKET_HANDLER mIkev2CreateChild;
extern IKEV2_PACKET_HANDLER mIkev2Info;
#endif


@ -1,403 +0,0 @@
/** @file
The Implementations for Information Exchange.
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "Utility.h"
#include "IpSecDebug.h"
#include "IpSecConfigImpl.h"
/**
Generate Information Packet.
The information Packet may contain one Delete Payload, or Notify Payload, which
dependes on the Context's parameters.
@param[in] SaSession Pointer to IKE SA Session or Child SA Session which is
related to the information Exchange.
@param[in] Context The Data passed from the caller. If the Context is not NULL
it should contain the information for Notification Data.
@retval Pointer of IKE_PACKET generated.
**/
IKE_PACKET *
Ikev2InfoGenerator (
IN UINT8 *SaSession,
IN VOID *Context
)
{
IKEV2_SA_SESSION *IkeSaSession;
IKEV2_CHILD_SA_SESSION *ChildSaSession;
IKE_PACKET *IkePacket;
IKE_PAYLOAD *IkePayload;
IKEV2_INFO_EXCHANGE_CONTEXT *InfoContext;
InfoContext = NULL;
IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
IkePacket = IkePacketAlloc ();
if (IkePacket == NULL) {
return NULL;
}
//
// Fill IkePacket Header.
//
IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_INFO;
IkePacket->Header->Version = (UINT8) (2 << 4);
if (Context != NULL) {
InfoContext = (IKEV2_INFO_EXCHANGE_CONTEXT *) Context;
}
//
// For Liveness Check
//
if (InfoContext != NULL &&
(InfoContext->InfoType == Ikev2InfoLiveCheck || InfoContext->InfoType == Ikev2InfoNotify)
) {
IkePacket->Header->MessageId = InfoContext->MessageId;
IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NONE;
IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
//
// TODO: add Notify Payload for Notification Information.
//
return IkePacket;
}
//
// For delete SAs
//
if (IkeSaSession->SessionCommon.IkeSessionType == IkeSessionTypeIkeSa) {
IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
//
// If the information message is response message,the MessageId should
// be same as the request MessageId which passed through the Context.
//
if (InfoContext != NULL) {
IkePacket->Header->MessageId = InfoContext->MessageId;
} else {
IkePacket->Header->MessageId = IkeSaSession->MessageId;
Ikev2SaSessionIncreaseMessageId (IkeSaSession);
}
//
// If the state is on deleting generate a Delete Payload for it.
//
if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting ) {
IkePayload = Ikev2GenerateDeletePayload (
IkeSaSession,
IKEV2_PAYLOAD_TYPE_NONE,
0,
0,
NULL
);
if (IkePayload == NULL) {
goto ERROR_EXIT;
}
//
// Fill the next payload in IkePacket's Header.
//
IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_DELETE;
IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);
IkePacket->Private = IkeSaSession->SessionCommon.Private;
IkePacket->Spi = 0;
IkePacket->IsDeleteInfo = TRUE;
} else if (Context != NULL) {
//
// TODO: If contest is not NULL Generate a Notify Payload.
//
} else {
//
// The input parameter is not correct.
//
goto ERROR_EXIT;
}
if (IkeSaSession->SessionCommon.IsInitiator) {
IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
}
} else {
//
// Delete the Child SA Information Exchagne
//
ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;
IkeSaSession = ChildSaSession->IkeSaSession;
IkePacket->Header->InitiatorCookie = ChildSaSession->IkeSaSession->InitiatorCookie;
IkePacket->Header->ResponderCookie = ChildSaSession->IkeSaSession->ResponderCookie;
//
// If the information message is response message,the MessageId should
// be same as the request MessageId which passed through the Context.
//
if (InfoContext != NULL && InfoContext->MessageId != 0) {
IkePacket->Header->MessageId = InfoContext->MessageId;
} else {
IkePacket->Header->MessageId = ChildSaSession->IkeSaSession->MessageId;
Ikev2SaSessionIncreaseMessageId (IkeSaSession);
}
IkePayload = Ikev2GenerateDeletePayload (
ChildSaSession->IkeSaSession,
IKEV2_PAYLOAD_TYPE_DELETE,
4,
1,
(UINT8 *)&ChildSaSession->LocalPeerSpi
);
if (IkePayload == NULL) {
goto ERROR_EXIT;
}
//
// Fill the Next Payload in IkePacket's Header.
//
IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_DELETE;
IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);
IkePacket->Private = IkeSaSession->SessionCommon.Private;
IkePacket->Spi = ChildSaSession->LocalPeerSpi;
IkePacket->IsDeleteInfo = TRUE;
if (!ChildSaSession->SessionCommon.IsInitiator) {
//
// If responder, use the MessageId fromt the initiator.
//
IkePacket->Header->MessageId = ChildSaSession->MessageId;
}
//
// Change the IsOnDeleting Flag
//
ChildSaSession->SessionCommon.IsOnDeleting = TRUE;
if (ChildSaSession->SessionCommon.IsInitiator) {
IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
}
}
if (InfoContext != NULL) {
IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
}
return IkePacket;
ERROR_EXIT:
if (IkePacket != NULL) {
FreePool (IkePacket);
}
return NULL;
}
/**
Parse the Info Exchange.
@param[in] SaSession Pointer to IKEV2_SA_SESSION.
@param[in] IkePacket Pointer to IkePacket related to the Information Exchange.
@retval EFI_SUCCESS The operation finised successed.
**/
EFI_STATUS
Ikev2InfoParser (
IN UINT8 *SaSession,
IN IKE_PACKET *IkePacket
)
{
IKEV2_CHILD_SA_SESSION *ChildSaSession;
IKEV2_SA_SESSION *IkeSaSession;
IKE_PAYLOAD *DeletePayload;
IKE_PAYLOAD *IkePayload;
IKEV2_DELETE *Delete;
LIST_ENTRY *Entry;
LIST_ENTRY *ListEntry;
UINT8 Index;
UINT32 Spi;
UINT8 *SpiBuffer;
IPSEC_PRIVATE_DATA *Private;
UINT8 Value;
EFI_STATUS Status;
IKE_PACKET *RespondPacket;
IKEV2_INFO_EXCHANGE_CONTEXT Context;
IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
DeletePayload = NULL;
Private = NULL;
RespondPacket = NULL;
Status = EFI_SUCCESS;
//
// For Liveness Check
//
if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE &&
(IkePacket->PayloadTotalSize == 0)
) {
if (IkePacket->Header->Flags == IKE_HEADER_FLAGS_INIT) {
//
// If it is Liveness check request, reply it.
//
Context.InfoType = Ikev2InfoLiveCheck;
Context.MessageId = IkePacket->Header->MessageId;
RespondPacket = Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Context);
if (RespondPacket == NULL) {
Status = EFI_INVALID_PARAMETER;
return Status;
}
Status = Ikev2SendIkePacket (
IkeSaSession->SessionCommon.UdpService,
(UINT8 *)(&IkeSaSession->SessionCommon),
RespondPacket,
0
);
} else {
//
// Todo: verify the liveness check response packet.
//
}
return Status;
}
//
// For SA Delete
//
NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
//
// Iterate payloads to find the Delete/Notify Payload.
//
IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_DELETE) {
DeletePayload = IkePayload;
Delete = (IKEV2_DELETE *)DeletePayload->PayloadBuf;
if (Delete->SpiSize == 0) {
//
// Delete IKE SA.
//
if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting) {
RemoveEntryList (&IkeSaSession->BySessionTable);
Ikev2SaSessionFree (IkeSaSession);
//
// Checking the Private status.
//
//
// when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec
// status should be changed.
//
Private = IkeSaSession->SessionCommon.Private;
if (Private != NULL && Private->IsIPsecDisabling) {
//
// After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in
// IPsec status variable.
//
if (IsListEmpty (&Private->Ikev1EstablishedList) &&
(IsListEmpty (&Private->Ikev2EstablishedList))
) {
Value = IPSEC_STATUS_DISABLED;
Status = gRT->SetVariable (
IPSECCONFIG_STATUS_NAME,
&gEfiIpSecConfigProtocolGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
sizeof (Value),
&Value
);
if (!EFI_ERROR (Status)) {
//
// Set the DisabledFlag in Private data.
//
Private->IpSec.DisabledFlag = TRUE;
Private->IsIPsecDisabling = FALSE;
}
}
}
} else {
IkeSaSession->SessionCommon.State = IkeStateSaDeleting;
Context.InfoType = Ikev2InfoDelete;
Context.MessageId = IkePacket->Header->MessageId;
RespondPacket = Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Context);
if (RespondPacket == NULL) {
Status = EFI_INVALID_PARAMETER;
return Status;
}
Status = Ikev2SendIkePacket (
IkeSaSession->SessionCommon.UdpService,
(UINT8 *)(&IkeSaSession->SessionCommon),
RespondPacket,
0
);
}
} else if (Delete->SpiSize == 4) {
//
// Move the Child SAs to DeleteList
//
SpiBuffer = (UINT8 *)(Delete + 1);
for (Index = 0; Index < Delete->NumSpis; Index++) {
Spi = ReadUnaligned32 ((UINT32 *)SpiBuffer);
for (ListEntry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;
ListEntry != &IkeSaSession->ChildSaEstablishSessionList;
) {
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ListEntry);
ListEntry = ListEntry->ForwardLink;
if (ChildSaSession->RemotePeerSpi == HTONL(Spi)) {
if (ChildSaSession->SessionCommon.State != IkeStateSaDeleting) {
//
// Insert the ChildSa Session into Delete List.
//
InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSession->ByDelete);
ChildSaSession->SessionCommon.State = IkeStateSaDeleting;
ChildSaSession->SessionCommon.IsInitiator = FALSE;
ChildSaSession->MessageId = IkePacket->Header->MessageId;
Context.InfoType = Ikev2InfoDelete;
Context.MessageId = IkePacket->Header->MessageId;
RespondPacket = Ikev2InfoGenerator ((UINT8 *)ChildSaSession, &Context);
if (RespondPacket == NULL) {
Status = EFI_INVALID_PARAMETER;
return Status;
}
Status = Ikev2SendIkePacket (
ChildSaSession->SessionCommon.UdpService,
(UINT8 *)(&ChildSaSession->SessionCommon),
RespondPacket,
0
);
} else {
//
// Delete the Child SA.
//
Ikev2ChildSaSilentDelete (IkeSaSession, Spi);
RemoveEntryList (&ChildSaSession->ByDelete);
}
}
}
SpiBuffer = SpiBuffer + sizeof (Spi);
}
}
}
}
return Status;
}
GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Info = {
Ikev2InfoParser,
Ikev2InfoGenerator
};



@ -1,437 +0,0 @@
/** @file
The Definitions related to IKEv2 payload.
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _IKE_V2_PAYLOAD_H_
#define _IKE_V2_PAYLOAD_H_
//
// Payload Type for IKEv2
//
#define IKEV2_PAYLOAD_TYPE_NONE 0
#define IKEV2_PAYLOAD_TYPE_SA 33
#define IKEV2_PAYLOAD_TYPE_KE 34
#define IKEV2_PAYLOAD_TYPE_ID_INIT 35
#define IKEV2_PAYLOAD_TYPE_ID_RSP 36
#define IKEV2_PAYLOAD_TYPE_CERT 37
#define IKEV2_PAYLOAD_TYPE_CERTREQ 38
#define IKEV2_PAYLOAD_TYPE_AUTH 39
#define IKEV2_PAYLOAD_TYPE_NONCE 40
#define IKEV2_PAYLOAD_TYPE_NOTIFY 41
#define IKEV2_PAYLOAD_TYPE_DELETE 42
#define IKEV2_PAYLOAD_TYPE_VENDOR 43
#define IKEV2_PAYLOAD_TYPE_TS_INIT 44
#define IKEV2_PAYLOAD_TYPE_TS_RSP 45
#define IKEV2_PAYLOAD_TYPE_ENCRYPT 46
#define IKEV2_PAYLOAD_TYPE_CP 47
#define IKEV2_PAYLOAD_TYPE_EAP 48
//
// IKE header Flag (1 octet) for IKEv2, defined in RFC 4306 section 3.1
//
// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages sent by the
// original initiator of the IKE_SA
//
// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this message is a response to
// a message containing the same message ID.
//
#define IKE_HEADER_FLAGS_INIT 0x08
#define IKE_HEADER_FLAGS_RESPOND 0x20
//
// IKE Header Exchange Type for IKEv2
//
#define IKEV2_EXCHANGE_TYPE_INIT 34
#define IKEV2_EXCHANGE_TYPE_AUTH 35
#define IKEV2_EXCHANGE_TYPE_CREATE_CHILD 36
#define IKEV2_EXCHANGE_TYPE_INFO 37
#pragma pack(1)
typedef struct {
UINT8 NextPayload;
UINT8 Reserved;
UINT16 PayloadLength;
} IKEV2_COMMON_PAYLOAD_HEADER;
#pragma pack()
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
//
// Proposals
//
} IKEV2_SA;
#pragma pack()
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 ProposalIndex;
UINT8 ProtocolId;
UINT8 SpiSize;
UINT8 NumTransforms;
} IKEV2_PROPOSAL;
#pragma pack()
//
// IKEv2 Transform Type Values presented within Transform Payload
//
#define IKEV2_TRANSFORM_TYPE_ENCR 1 // Encryption Algorithm
#define IKEV2_TRANSFORM_TYPE_PRF 2 // Pseduo-Random Func
#define IKEV2_TRANSFORM_TYPE_INTEG 3 // Integrity Algorithm
#define IKEV2_TRANSFORM_TYPE_DH 4 // DH Group
#define IKEV2_TRANSFORM_TYPE_ESN 5 // Extended Sequence Number
//
// IKEv2 Transform ID for Encrypt Algorithm (ENCR)
//
#define IKEV2_TRANSFORM_ID_ENCR_DES_IV64 1
#define IKEV2_TRANSFORM_ID_ENCR_DES 2
#define IKEV2_TRANSFORM_ID_ENCR_3DES 3
#define IKEV2_TRANSFORM_ID_ENCR_RC5 4
#define IKEV2_TRANSFORM_ID_ENCR_IDEA 5
#define IKEV2_TRANSFORM_ID_ENCR_CAST 6
#define IKEV2_TRANSFORM_ID_ENCR_BLOWFISH 7
#define IKEV2_TRANSFORM_ID_ENCR_3IDEA 8
#define IKEV2_TRANSFORM_ID_ENCR_DES_IV32 9
#define IKEV2_TRANSFORM_ID_ENCR_NULL 11
#define IKEV2_TRANSFORM_ID_ENCR_AES_CBC 12
#define IKEV2_TRANSFORM_ID_ENCR_AES_CTR 13
//
// IKEv2 Transform ID for Pseudo-Random Function (PRF)
//
#define IKEV2_TRANSFORM_ID_PRF_HMAC_MD5 1
#define IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1 2
#define IKEV2_TRANSFORM_ID_PRF_HMAC_TIGER 3
#define IKEV2_TRANSFORM_ID_PRF_AES128_XCBC 4
//
// IKEv2 Transform ID for Integrity Algorithm (INTEG)
//
#define IKEV2_TRANSFORM_ID_AUTH_NONE 0
#define IKEV2_TRANSFORM_ID_AUTH_HMAC_MD5_96 1
#define IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96 2
#define IKEV2_TRANSFORM_ID_AUTH_HMAC_DES_MAC 3
#define IKEV2_TRANSFORM_ID_AUTH_HMAC_KPDK_MD5 4
#define IKEV2_TRANSFORM_ID_AUTH_HMAC_AES_XCBC_96 5
//
// IKEv2 Transform ID for Diffie-Hellman Group (DH)
//
#define IKEV2_TRANSFORM_ID_DH_768MODP 1
#define IKEV2_TRANSFORM_ID_DH_1024MODP 2
#define IKEV2_TRANSFORM_ID_DH_2048MODP 14
//
// IKEv2 Attribute Type Values
//
#define IKEV2_ATTRIBUTE_TYPE_KEYLEN 14
//
// Transform Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 TransformType;
UINT8 Reserved;
UINT16 TransformId;
//
// SA Attributes
//
} IKEV2_TRANSFORM;
#pragma pack()
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT16 DhGroup;
UINT16 Reserved;
//
// Remaining part contains the key exchanged
//
} IKEV2_KEY_EXCHANGE;
#pragma pack()
//
// Identification Type Values presented within Ikev2 ID payload
//
#define IKEV2_ID_TYPE_IPV4_ADDR 1
#define IKEV2_ID_TYPE_FQDN 2
#define IKEV2_ID_TYPE_RFC822_ADDR 3
#define IKEV2_ID_TYPE_IPV6_ADDR 5
#define IKEV2_ID_TYPE_DER_ASN1_DN 9
#define IKEV2_ID_TYPE_DER_ASN1_GN 10
#define IKEV2_ID_TYPE_KEY_ID 11
//
// Identification Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 IdType;
UINT8 Reserver1;
UINT16 Reserver2;
//
// Identification Data
//
} IKEV2_ID;
#pragma pack()
//
// Encoding Type presented in IKEV2 Cert Payload
//
#define IKEV2_CERT_ENCODEING_RESERVED 0
#define IKEV2_CERT_ENCODEING_X509_CERT_WRAP 1
#define IKEV2_CERT_ENCODEING_PGP_CERT 2
#define IKEV2_CERT_ENCODEING_DNS_SIGN_KEY 3
#define IKEV2_CERT_ENCODEING_X509_CERT_SIGN 4
#define IKEV2_CERT_ENCODEING_KERBEROS_TOKEN 6
#define IKEV2_CERT_ENCODEING_REVOCATION_LIST_CERT 7
#define IKEV2_CERT_ENCODEING_AUTH_REVOCATION_LIST 8
#define IKEV2_CERT_ENCODEING_SPKI_CERT 9
#define IKEV2_CERT_ENCODEING_X509_CERT_ATTRIBUTE 10
#define IKEV2_CERT_ENCODEING_RAW_RSA_KEY 11
#define IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT 12
//
// IKEV2 Certificate Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 CertEncoding;
//
// Cert Data
//
} IKEV2_CERT;
#pragma pack()
//
// IKEV2 Certificate Request Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 CertEncoding;
//
// Cert Authority
//
} IKEV2_CERT_REQ;
#pragma pack()
//
// Authentication Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 AuthMethod;
UINT8 Reserved1;
UINT16 Reserved2;
//
// Auth Data
//
} IKEV2_AUTH;
#pragma pack()
//
// Authmethod in Authentication Payload
//
#define IKEV2_AUTH_METHOD_RSA 1; // RSA Digital Signature
#define IKEV2_AUTH_METHOD_SKMI 2; // Shared Key Message Integrity
#define IKEV2_AUTH_METHOD_DSS 3; // DSS Digital Signature
//
// IKEv2 Nonce Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
//
// Nonce Data
//
} IKEV2_NONCE;
#pragma pack()
//
// Notification Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 ProtocolId;
UINT8 SpiSize;
UINT16 MessageType;
//
// SPI and Notification Data
//
} IKEV2_NOTIFY;
#pragma pack()
//
// Notify Message Types presented within IKEv2 Notify Payload
//
#define IKEV2_NOTIFICATION_UNSUPPORT_CRITICAL_PAYLOAD 1
#define IKEV2_NOTIFICATION_INVALID_IKE_SPI 4
#define IKEV2_NOTIFICATION_INVALID_MAJOR_VERSION 5
#define IKEV2_NOTIFICATION_INVALID_SYNTAX 7
#define IKEV2_NOTIFICATION_INVALID_MESSAGE_ID 9
#define IKEV2_NOTIFICATION_INVALID_SPI 11
#define IKEV2_NOTIFICATION_NO_PROPOSAL_CHOSEN 14
#define IKEV2_NOTIFICATION_INVALID_KEY_PAYLOAD 17
#define IKEV2_NOTIFICATION_AUTHENTICATION_FAILED 24
#define IKEV2_NOTIFICATION_SINGLE_PAIR_REQUIRED 34
#define IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS 35
#define IKEV2_NOTIFICATION_INTERNAL_ADDRESS_FAILURE 36
#define IKEV2_NOTIFICATION_FAILED_CP_REQUIRED 37
#define IKEV2_NOTIFICATION_TS_UNCCEPTABLE 38
#define IKEV2_NOTIFICATION_INVALID_SELECTORS 39
#define IKEV2_NOTIFICATION_COOKIE 16390
#define IKEV2_NOTIFICATION_USE_TRANSPORT_MODE 16391
#define IKEV2_NOTIFICATION_REKEY_SA 16393
//
// IKEv2 Protocol ID
//
//
// IKEv2 Delete Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 ProtocolId;
UINT8 SpiSize;
UINT16 NumSpis;
//
// SPIs
//
} IKEV2_DELETE;
#pragma pack()
//
// Traffic Selector Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 TSNumbers;
UINT8 Reserved1;
UINT16 Reserved2;
//
// Traffic Selector
//
} IKEV2_TS;
#pragma pack()
//
// Traffic Selector
//
#pragma pack(1)
typedef struct {
UINT8 TSType;
UINT8 IpProtocolId;
UINT16 SelecorLen;
UINT16 StartPort;
UINT16 EndPort;
//
// Starting Address && Ending Address
//
} TRAFFIC_SELECTOR;
#pragma pack()
//
// Ts Type in Traffic Selector
//
#define IKEV2_TS_TYPE_IPV4_ADDR_RANGE 7
#define IKEV2_TS_TYPS_IPV6_ADDR_RANGE 8
//
// Vendor Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
//
// Vendor ID
//
} IKEV2_VENDOR;
#pragma pack()
//
// Encrypted Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
//
// IV, Encrypted IKE Payloads, Padding, PAD length, Integrity CheckSum
//
} IKEV2_ENCRYPTED;
#pragma pack()
#pragma pack(1)
typedef struct {
UINT8 PadLength;
} IKEV2_PAD_LEN;
#pragma pack()
//
// Configuration Payload
//
#pragma pack(1)
typedef struct {
IKEV2_COMMON_PAYLOAD_HEADER Header;
UINT8 CfgType;
UINT8 Reserve1;
UINT16 Reserve2;
//
// Configuration Attributes
//
} IKEV2_CFG;
#pragma pack()
//
// Configuration Payload CPG type
//
#define IKEV2_CFG_TYPE_REQUEST 1
#define IKEV2_CFG_TYPE_REPLY 2
#define IKEV2_CFG_TYPE_SET 3
#define IKEV2_CFG_TYPE_ACK 4
//
// Configuration Attributes
//
#pragma pack(1)
typedef struct {
UINT16 AttritType;
UINT16 ValueLength;
} IKEV2_CFG_ATTRIBUTES;
#pragma pack()
//
// Configuration Attributes
//
#define IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS 1
#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBTMASK 2
#define IKEV2_CFG_ATTR_INTERNAL_IP4_DNS 3
#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBNS 4
#define IKEV2_CFG_ATTR_INTERNA_ADDRESS_BXPIRY 5
#define IKEV2_CFG_ATTR_INTERNAL_IP4_DHCP 6
#define IKEV2_CFG_ATTR_APPLICATION_VERSION 7
#define IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS 8
#define IKEV2_CFG_ATTR_INTERNAL_IP6_DNS 10
#define IKEV2_CFG_ATTR_INTERNAL_IP6_NBNS 11
#define IKEV2_CFG_ATTR_INTERNAL_IP6_DHCP 12
#define IKEV2_CFG_ATTR_INTERNAL_IP4_SUBNET 13
#define IKEV2_CFG_ATTR_SUPPORTED_ATTRIBUTES 14
#define IKEV2_CFG_ATTR_IP6_SUBNET 15
#endif






@ -1,949 +0,0 @@
/** @file
Definitions related to IPSEC_CONFIG_PROTOCOL implementations.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _IPSEC_CONFIG_IMPL_H_
#define _IPSEC_CONFIG_IMPL_H_
#include <Protocol/IpSec.h>
#include <Protocol/IpSecConfig.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/PrintLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/DebugLib.h>
#include "IpSecImpl.h"
#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF
#define EFI_IPSEC_ANY_PORT 0
#define IPSEC_VAR_ITEM_HEADER_LOGO_BIT 0x80
#define IPSEC_VAR_ITEM_HEADER_CONTENT_BIT 0x7F
#define IPSECCONFIG_VARIABLE_NAME L"IpSecConfig"
#define IPSECCONFIG_STATUS_NAME L"IpSecStatus"
#define SIZE_OF_SPD_SELECTOR(x) (sizeof (EFI_IPSEC_SPD_SELECTOR) \
+ sizeof (EFI_IP_ADDRESS_INFO) * ((x)->LocalAddressCount + (x)->RemoteAddressCount))
#define FIX_REF_BUF_ADDR(addr, base) addr = (VOID *) ((UINTN) (addr) - (UINTN) (base))
#define UNFIX_REF_BUF_ADDR(addr, base) addr = (VOID *) ((UINTN) (addr) + (UINTN) (base))
//
// The data structure used to store the genernall information of IPsec configuration.
//
typedef struct {
UINT32 VariableCount; // the total number of the IPsecConfig variables.
UINT32 VariableSize; // The total size of all IpsecConfig variables.
UINT32 SingleVariableSize; // The max size of single variable
} IP_SEC_VARIABLE_INFO;
typedef struct {
EFI_IPSEC_CONFIG_SELECTOR *Selector;
VOID *Data;
LIST_ENTRY List;
} IPSEC_COMMON_POLICY_ENTRY;
typedef struct {
UINT8 *Ptr;
UINTN Size;
UINTN Capacity;
} IPSEC_VARIABLE_BUFFER;
#pragma pack(1)
typedef struct {
UINT8 Type;
UINT16 Size;
} IPSEC_VAR_ITEM_HEADER;
#pragma pack()
/**
The prototype of Copy Source Selector to the Destination Selector.
@param[in, out] DstSel Pointer of Destination Selector. It would be
SPD Selector, or SAD Selector or PAD Selector.
@param[in] SrcSel Pointer of Source Selector. It would be
SPD Selector, or SAD Selector or PAD Selector.
@param[in, out] Size The size of the Destination Selector. If it
is not NULL and its value is less than the size of
Source Selector, the value of Source Selector's
size will be passed to the caller by this parameter.
@retval EFI_INVALID_PARAMETER If the Destination or Source Selector is NULL.
@retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of Source Selector.
@retval EFI_SUCCESS Copy Source Selector to the Destination
Selector successfully.
**/
typedef
EFI_STATUS
(*IPSEC_DUPLICATE_SELECTOR) (
IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
IN OUT UINTN *Size
);
/**
It is prototype of compare two Selectors. The Selector would be SPD Selector,
or SAD Selector, or PAD selector.
@param[in] Selector1 Pointer of the first Selector.
@param[in] Selector2 Pointer of the second Selector.
@retval TRUE These two Selectors have the same value in certain fields.
@retval FALSE Not all fields have the same value in these two Selectors.
**/
typedef
BOOLEAN
(*IPSEC_COMPARE_SELECTOR) (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
);
/**
The prototype of a function to check if the Selector is Zero by its certain fields.
@param[in] Selector Pointer of the Selector.
@retval TRUE If the Selector is Zero.
@retval FALSE If the Selector is not Zero.
**/
typedef
BOOLEAN
(*IPSEC_IS_ZERO_SELECTOR) (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector
);
/**
The prototype of a function to fix the value of particular members of the Selector.
@param[in] Selector Pointer of Selector.
@param[in] Data Pointer of Data.
**/
typedef
VOID
(*IPSEC_FIX_POLICY_ENTRY) (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data
);
/**
It is prototype function to define a routine function by the caller of IpSecVisitConfigData().
@param[in] Type A specified IPSEC_CONFIG_DATA_TYPE.
@param[in] Selector Points to EFI_IPSEC_CONFIG_SELECTOR to be copied
to the buffer.
@param[in] Data Points to data to be copied to the buffer. The
Data type is related to the Type.
@param[in] SelectorSize The size of the Selector.
@param[in] DataSize The size of the Data.
@param[in, out] Buffer The buffer to store the Selector and Data.
@retval EFI_SUCCESS Copied the Selector and Data to a buffer successfully.
@retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
**/
typedef
EFI_STATUS
(*IPSEC_COPY_POLICY_ENTRY) (
IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN UINTN SelectorSize,
IN UINTN DataSize,
IN OUT VOID *Context
);
/**
Set the security policy information for the EFI IPsec driver.
The IPsec configuration data has a unique selector/identifier separately to
identify a data entry.
@param[in] Selector Pointer to an entry selector on operated
configuration data specified by DataType.
A NULL Selector causes the entire specified-type
configuration information to be flushed.
@param[in] Data The data buffer to be set.
@param[in] Context Pointer to one entry selector that describes
the expected position the new data entry will
be added. If Context is NULL, the new entry will
be appended to the end of the database.
@retval EFI_INVALID_PARAMETER Certain Parameters are not correct. The Parameter
requiring a check depends on the Selector type.
@retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
**/
typedef
EFI_STATUS
(*IPSEC_SET_POLICY_ENTRY) (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN VOID *Context OPTIONAL
);
/**
A prototype function definition to lookup the data entry from IPsec. Return the configuration
value of the specified Entry.
@param[in] Selector Pointer to an entry selector that is an identifier
of the entry.
@param[in, out] DataSize On output, the size of data returned in Data.
@param[out] Data The buffer to return the contents of the IPsec
configuration data. The type of the data buffer
is associated with the DataType.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
@retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.
@retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
@retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
updated with the size needed to complete the request.
**/
typedef
EFI_STATUS
(*IPSEC_GET_POLICY_ENTRY) (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN OUT UINTN *DataSize,
IN VOID *Data
);
/**
Compare two SPD Selectors.
Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/
NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the
Local Addresses and remote Addresses.
@param[in] Selector1 Pointer of the first SPD Selector.
@param[in] Selector2 Pointer of the second SPD Selector.
@retval TRUE These two Selectors have the same value in above fields.
@retval FALSE Not all of the above fields have the same value in these two Selectors.
**/
BOOLEAN
CompareSpdSelector (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
);
/**
Visit all IPsec Configurations of specified Type and call the caller defined
interface.
@param[in] DataType The specified IPsec Config Data Type.
@param[in] Routine The function caller defined.
@param[in] Context The data passed to the Routine.
@retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
@retval EFI_SUCCESS This function complete successfully.
**/
EFI_STATUS
IpSecVisitConfigData (
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN IPSEC_COPY_POLICY_ENTRY Routine,
IN VOID *Context
);
/**
This function is the subfunction of the EFIIpSecConfigSetData.
This function call IpSecSetVaraible to set the IPsec Configuration into the firmware.
@retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
@retval EFI_SUCCESS Saved the configration successfully.
@retval Others Other errors were found while obtaining the variable.
**/
EFI_STATUS
IpSecConfigSave (
VOID
);
/**
Initialize IPsecConfig protocol
@param[in, out] Private Pointer to IPSEC_PRIVATE_DATA. After this function finish,
the pointer of IPsecConfig Protocol implementation will copy
into its IPsecConfig member.
@retval EFI_SUCCESS Initialized the IPsecConfig Protocol successfully.
@retval Others Initializing the IPsecConfig Protocol failed.
**/
EFI_STATUS
IpSecConfigInitialize (
IN OUT IPSEC_PRIVATE_DATA *Private
);
/**
Calculate the entire size of EFI_IPSEC_SPD_DATA, which includes the buffer size pointed
by the pointer members.
@param[in] SpdData Pointer to a specified EFI_IPSEC_SPD_DATA.
@return The entire size of the specified EFI_IPSEC_SPD_DATA.
**/
UINTN
IpSecGetSizeOfEfiSpdData (
IN EFI_IPSEC_SPD_DATA *SpdData
);
/**
Calculate the a entire size of IPSEC_SPD_DATA, which includes the buffer size pointed
by the pointer members and the buffer size used by Sa List.
@param[in] SpdData Pointer to the specified IPSEC_SPD_DATA.
@return The entire size of IPSEC_SPD_DATA.
**/
UINTN
IpSecGetSizeOfSpdData (
IN IPSEC_SPD_DATA *SpdData
);
/**
Copy Source Process Policy to the Destination Process Policy.
@param[in] Dst Pointer to the Source Process Policy.
@param[in] Src Pointer to the Destination Process Policy.
**/
VOID
IpSecDuplicateProcessPolicy (
IN EFI_IPSEC_PROCESS_POLICY *Dst,
IN EFI_IPSEC_PROCESS_POLICY *Src
);
/**
Find if the two SPD Selectors has subordinative.
Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/
NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the
Local Addresses and remote Addresses.
@param[in] Selector1 Pointer of first SPD Selector.
@param[in] Selector2 Pointer of second SPD Selector.
@retval TRUE The first SPD Selector is subordinate Selector of second SPD Selector.
@retval FALSE The first SPD Selector is not subordinate Selector of second
SPD Selector.
**/
BOOLEAN
IsSubSpdSelector (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
);
/**
Compare two SA IDs.
@param[in] Selector1 Pointer of the first SA ID.
@param[in] Selector2 Pointer of the second SA ID.
@retval TRUE This two Selectors have the same SA ID.
@retval FALSE This two Selecotrs don't have the same SA ID.
**/
BOOLEAN
CompareSaId (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
);
/**
Compare two PAD IDs.
@param[in] Selector1 Pointer of the first PAD ID.
@param[in] Selector2 Pointer of the second PAD ID.
@retval TRUE This two Selectors have the same PAD ID.
@retval FALSE This two Selecotrs don't have the same PAD ID.
**/
BOOLEAN
ComparePadId (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
);
/**
Check if the SPD Selector is Zero by its LocalAddressCount and RemoteAddressCount
fields.
@param[in] Selector Pointer of the SPD Selector.
@retval TRUE If the SPD Selector is Zero.
@retval FALSE If the SPD Selector is not Zero.
**/
BOOLEAN
IsZeroSpdSelector (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector
);
/**
Check if the SA ID is Zero by its DestAddress.
@param[in] Selector Pointer of the SA ID.
@retval TRUE If the SA ID is Zero.
@retval FALSE If the SA ID is not Zero.
**/
BOOLEAN
IsZeroSaId (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector
);
/**
Check if the PAD ID is Zero.
@param[in] Selector Pointer of the PAD ID.
@retval TRUE If the PAD ID is Zero.
@retval FALSE If the PAD ID is not Zero.
**/
BOOLEAN
IsZeroPadId (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector
);
/**
Copy Source SPD Selector to the Destination SPD Selector.
@param[in, out] DstSel Pointer of Destination SPD Selector.
@param[in] SrcSel Pointer of Source SPD Selector.
@param[in, out] Size The size of the Destination SPD Selector. If
it is not NULL and its value is less than the
size of Source SPD Selector, the value of
Source SPD Selector's size will be passed to
the caller by this parameter.
@retval EFI_INVALID_PARAMETER If the Destination or Source SPD Selector is NULL.
@retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of Source SPD Selector.
@retval EFI_SUCCESS Copy Source SPD Selector to the Destination SPD
Selector successfully.
**/
EFI_STATUS
DuplicateSpdSelector (
IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
IN OUT UINTN *Size
);
/**
Copy Source SA ID to the Destination SA ID.
@param[in, out] DstSel Pointer of the Destination SA ID.
@param[in] SrcSel Pointer of the Source SA ID.
@param[in, out] Size The size of the Destination SA ID. If it
not NULL, and its value is less than the size of
Source SA ID, the value of Source SA ID's size
will be passed to the caller by this parameter.
@retval EFI_INVALID_PARAMETER If the Destination or Source SA ID is NULL.
@retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source SA ID.
@retval EFI_SUCCESS Copied Source SA ID to the Destination SA ID successfully.
**/
EFI_STATUS
DuplicateSaId (
IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
IN OUT UINTN *Size
);
/**
Copy Source PAD ID to the Destination PAD ID.
@param[in, out] DstSel Pointer of Destination PAD ID.
@param[in] SrcSel Pointer of Source PAD ID.
@param[in, out] Size The size of the Destination PAD ID. If it
not NULL, and its value less than the size of
Source PAD ID, the value of Source PAD ID's size
will be passed to the caller by this parameter.
@retval EFI_INVALID_PARAMETER If the Destination or Source PAD ID is NULL.
@retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source PAD ID.
@retval EFI_SUCCESS Copied Source PAD ID to the Destination PAD ID successfully.
**/
EFI_STATUS
DuplicatePadId (
IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
IN OUT UINTN *Size
);
/**
Fix the value of some members of the SPD Selector.
This function is called by IpSecCopyPolicyEntry(), which copies the Policy
Entry into the Variable. Since some members in SPD Selector are pointers,
a physical address to relative address conversion is required before copying
this SPD entry into the variable.
@param[in] Selector Pointer of SPD Selector.
@param[in, out] Data Pointer of SPD Data.
**/
VOID
FixSpdEntry (
IN EFI_IPSEC_SPD_SELECTOR *Selector,
IN OUT EFI_IPSEC_SPD_DATA *Data
);
/**
Fix the value of some members of SA ID.
This function is called by IpSecCopyPolicyEntry(), which copies the Policy
Entry into the Variable. Since some members in SA ID are pointers,
a physical address to relative address conversion is required before copying
this SAD into the variable.
@param[in] SaId Pointer of SA ID.
@param[in, out] Data Pointer of SA Data.
**/
VOID
FixSadEntry (
IN EFI_IPSEC_SA_ID *SaId,
IN OUT EFI_IPSEC_SA_DATA2 *Data
);
/**
Fix the value of some members of PAD ID.
This function is called by IpSecCopyPolicyEntry(), which copy the Policy
Entry into the Variable. Since some members in PAD ID are pointers,
a physical address to relative address conversion is required before copying
this PAD into the variable.
@param[in] PadId Pointer of PAD ID.
@param[in, out] Data Pointer of PAD Data.
**/
VOID
FixPadEntry (
IN EFI_IPSEC_PAD_ID *PadId,
IN OUT EFI_IPSEC_PAD_DATA *Data
);
/**
Recover the value of some members of SPD Selector.
This function is corresponding to FixSpdEntry(). It recovers the value of members
of SPD Selector which fix by the FixSpdEntry().
@param[in, out] Selector Pointer of SPD Selector.
@param[in, out] Data Pointer of SPD Data.
**/
VOID
UnfixSpdEntry (
IN OUT EFI_IPSEC_SPD_SELECTOR *Selector,
IN OUT EFI_IPSEC_SPD_DATA *Data
);
/**
Recover the value of some members of SA ID.
This function is corresponding to FixSadEntry(). It recovers the value of members
of SAD ID which fix by the FixSadEntry().
@param[in, out] SaId Pointer of SAD ID
@param[in, out] Data Pointer of SAD Data.
**/
VOID
UnfixSadEntry (
IN OUT EFI_IPSEC_SA_ID *SaId,
IN OUT EFI_IPSEC_SA_DATA2 *Data
);
/**
Recover the value of some members of PAD ID.
This function is corresponding to FixPadEntry(). It recovers the value of members
of PAD ID which fix by the FixPadEntry().
@param[in] PadId Pointer of PAD ID
@param[in, out] Data Pointer of PAD Data.
**/
VOID
UnfixPadEntry (
IN EFI_IPSEC_PAD_ID *PadId,
IN OUT EFI_IPSEC_PAD_DATA *Data
);
/**
Set the security policy information for the EFI IPsec driver.
The IPsec configuration data has a unique selector/identifier separately to
identify a data entry.
@param[in] Selector Pointer to an entry selector on operated
configuration data specified by DataType.
A NULL Selector causes the entire specified-type
configuration information to be flushed.
@param[in] Data The data buffer to be set. The structure
of the data buffer should be EFI_IPSEC_SPD_DATA.
@param[in] Context Pointer to one entry selector that describes
the expected position the new data entry will
be added. If Context is NULL,the new entry will
be appended the end of database.
@retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
- Selector is not NULL and its LocalAddress
is NULL or its RemoteAddress is NULL.
- Data is not NULL, its Action is Protected,
and its policy is NULL.
- Data is not NULL and its Action is not protected
and its policy is not NULL.
- The Action of Data is Protected, its policy
mode is Tunnel, and its tunnel option is NULL.
- The Action of Data is protected, its policy
mode is not Tunnel, and it tunnel option is not NULL.
@retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
**/
EFI_STATUS
SetSpdEntry (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN VOID *Context OPTIONAL
);
/**
Set the security association information for the EFI IPsec driver.
The IPsec configuration data has a unique selector/identifier separately to
identify a data entry.
@param[in] Selector Pointer to an entry selector on operated
configuration data specified by DataType.
A NULL Selector causes the entire specified-type
configuration information to be flushed.
@param[in] Data The data buffer to be set. The structure
of the data buffer should be EFI_IPSEC_SA_DATA.
@param[in] Context Pointer to one entry selector which describes
the expected position the new data entry will
be added. If Context is NULL,the new entry will
be appended to the end of database.
@retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
**/
EFI_STATUS
SetSadEntry (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN VOID *Context OPTIONAL
);
/**
Set the peer authorization configuration information for the EFI IPsec driver.
The IPsec configuration data has a unique selector/identifier separately to
identify a data entry.
@param[in] Selector Pointer to an entry selector on operated
configuration data specified by DataType.
A NULL Selector causes the entire specified-type
configuration information to be flushed.
@param[in] Data The data buffer to be set. The structure
of the data buffer should be EFI_IPSEC_PAD_DATA.
@param[in] Context Pointer to one entry selector that describes
the expected position where the new data entry will
be added. If Context is NULL, the new entry will
be appended the end of database.
@retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
**/
EFI_STATUS
SetPadEntry (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN VOID *Context OPTIONAL
);
/**
This function looks up the data entry from IPsec SPD, and returns the configuration
value of the specified SPD Entry.
@param[in] Selector Pointer to an entry selector which is an identifier
of the SPD entry.
@param[in, out] DataSize On output the size of data returned in Data.
@param[out] Data The buffer to return the contents of the IPsec
configuration data. The type of the data buffer
is associated with the DataType.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
@retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.
@retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
@retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
updated with the size needed to complete the request.
**/
EFI_STATUS
GetSpdEntry (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN OUT UINTN *DataSize,
OUT VOID *Data
);
/**
This function looks up the data entry from IPsec SAD and returns the configuration
value of the specified SAD Entry.
@param[in] Selector Pointer to an entry selector that is an identifier
of the SAD entry.
@param[in, out] DataSize On output, the size of data returned in Data.
@param[out] Data The buffer to return the contents of the IPsec
configuration data. This type of the data buffer
is associated with the DataType.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
@retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
@retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
updated with the size needed to complete the request.
**/
EFI_STATUS
GetSadEntry (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN OUT UINTN *DataSize,
OUT VOID *Data
);
/**
This function looks up the data entry from IPsec PADand returns the configuration
value of the specified PAD Entry.
@param[in] Selector Pointer to an entry selector that is an identifier
of the PAD entry.
@param[in, out] DataSize On output the size of data returned in Data.
@param[out] Data The buffer to return the contents of the IPsec
configuration data. This type of the data buffer
is associated with the DataType.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
@retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
@retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
updated with the size needed to complete the request.
**/
EFI_STATUS
GetPadEntry (
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN OUT UINTN *DataSize,
OUT VOID *Data
);
/**
Return the configuration value for the EFI IPsec driver.
This function lookup the data entry from IPsec database or IKEv2 configuration
information. The expected data type and unique identification are described in
DataType and Selector parameters.
@param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
@param[in] DataType The type of data to retrieve.
@param[in] Selector Pointer to an entry selector that is an identifier of the IPsec
configuration data entry.
@param[in, out] DataSize On output the size of data returned in Data.
@param[out] Data The buffer to return the contents of the IPsec configuration data.
The type of the data buffer is associated with the DataType.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
@retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
- This is NULL.
- Selector is NULL.
- DataSize is NULL.
- Data is NULL and *DataSize is not zero
@retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
@retval EFI_UNSUPPORTED The specified DataType is not supported.
@retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
updated with the size needed to complete the request.
**/
EFI_STATUS
EFIAPI
EfiIpSecConfigGetData (
IN EFI_IPSEC_CONFIG_PROTOCOL *This,
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN OUT UINTN *DataSize,
OUT VOID *Data
);
/**
Set the security association, security policy and peer authorization configuration
information for the EFI IPsec driver.
This function is used to set the IPsec configuration information of type DataType for
the EFI IPsec driver.
The IPsec configuration data has a unique selector/identifier separately to identify
a data entry. The selector structure depends on DataType's definition.
Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
by DataType and Selector to be deleted.
@param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
@param[in] DataType The type of data to be set.
@param[in] Selector Pointer to an entry selector on operated configuration data
specified by DataType. A NULL Selector causes the entire
specified-type configuration information to be flushed.
@param[in] Data The data buffer to be set. The structure of the data buffer is
associated with the DataType.
@param[in] InsertBefore Pointer to one entry selector which describes the expected
position the new data entry will be added. If InsertBefore is NULL,
the new entry will be appended the end of database.
@retval EFI_SUCCESS The specified configuration entry data was set successfully.
@retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
- This is NULL.
@retval EFI_UNSUPPORTED The specified DataType is not supported.
@retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
**/
EFI_STATUS
EFIAPI
EfiIpSecConfigSetData (
IN EFI_IPSEC_CONFIG_PROTOCOL *This,
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
IN VOID *Data,
IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL
);
/**
Enumerates the current selector for IPsec configuration data entry.
This function is called multiple times to retrieve the entry Selector in IPsec
configuration database. On each call to GetNextSelector(), the next entry
Selector are retrieved into the output interface.
If the entire IPsec configuration database has been iterated, the error
EFI_NOT_FOUND is returned.
If the Selector buffer is too small for the next Selector copy, an
EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect
the size of buffer needed.
On the initial call to GetNextSelector() to start the IPsec configuration database
search, a pointer to the buffer with all zero value is passed in Selector. Calls
to SetData() between calls to GetNextSelector may produce unpredictable results.
@param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
@param[in] DataType The type of IPsec configuration data to retrieve.
@param[in, out] SelectorSize The size of the Selector buffer.
@param[in, out] Selector On input, supplies the pointer to last Selector that was
returned by GetNextSelector().
On output, returns one copy of the current entry Selector
of a given DataType.
@retval EFI_SUCCESS The specified configuration data was obtained successfully.
@retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
- This is NULL.
- SelectorSize is NULL.
- Selector is NULL.
@retval EFI_NOT_FOUND The next configuration data entry was not found.
@retval EFI_UNSUPPORTED The specified DataType is not supported.
@retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter
has been updated with the size needed to complete the search
request.
**/
EFI_STATUS
EFIAPI
EfiIpSecConfigGetNextSelector (
IN EFI_IPSEC_CONFIG_PROTOCOL *This,
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN OUT UINTN *SelectorSize,
IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector
);
/**
Register an event that is to be signaled whenever a configuration process on the
specified IPsec configuration information is done.
The register function is not surpport now and always returns EFI_UNSUPPORTED.
@param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
@param[in] DataType The type of data to be registered the event for.
@param[in] Event The event to be registered.
@retval EFI_SUCCESS The event is registered successfully.
@retval EFI_INVALID_PARAMETER This is NULL, or Event is NULL.
@retval EFI_ACCESS_DENIED The Event is already registered for the DataType.
@retval EFI_UNSUPPORTED The notify registration unsupported, or the specified
DataType is not supported.
**/
EFI_STATUS
EFIAPI
EfiIpSecConfigRegisterNotify (
IN EFI_IPSEC_CONFIG_PROTOCOL *This,
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN EFI_EVENT Event
);
/**
Remove the specified event that was previously registered on the specified IPsec
configuration data.
This function is not supported now and always returns EFI_UNSUPPORTED.
@param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
@param[in] DataType The configuration data type to remove the registered event for.
@param[in] Event The event to be unregistered.
@retval EFI_SUCCESS The event was removed successfully.
@retval EFI_NOT_FOUND The Event specified by DataType could not be found in the
database.
@retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
@retval EFI_UNSUPPORTED The notify registration unsupported or the specified
DataType is not supported.
**/
EFI_STATUS
EFIAPI
EfiIpSecConfigUnregisterNotify (
IN EFI_IPSEC_CONFIG_PROTOCOL *This,
IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
IN EFI_EVENT Event
);
extern LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum];
#endif



@ -1,821 +0,0 @@
/** @file
Definitions related to the Cryptographic Operations in IPsec.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _EFI_IPSEC_CRYPTIO_H_
#define _EFI_IPSEC_CRYPTIO_H_
#include <Protocol/IpSecConfig.h>
#include <Library/DebugLib.h>
#include <Library/BaseCryptLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/MemoryAllocationLib.h>
#include "IpSecImpl.h"
#include "IkeCommon.h"
#define IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE 4
#define IPSEC_AUTH_ALGORITHM_LIST_SIZE 3
#define IPSEC_HASH_ALGORITHM_LIST_SIZE 3
///
/// Authentication Algorithm Definition
/// The number value definition is aligned to IANA assignment
///
#define IKE_AALG_NONE 0x00
#define IKE_AALG_SHA1HMAC 0x02
#define IKE_AALG_NULL 0xFB
///
/// Encryption Algorithm Definition
/// The number value definition is aligned to IANA assignment
///
#define IKE_EALG_NONE 0x00
#define IKE_EALG_3DESCBC 0x03
#define IKE_EALG_NULL 0x0B
#define IKE_EALG_AESCBC 0x0C
/**
Prototype of HMAC GetContextSize.
Retrieves the size, in bytes, of the context buffer required.
@return The size, in bytes, of the context buffer required.
**/
typedef
UINTN
(EFIAPI *CRYPTO_HMAC_GETCONTEXTSIZE)(
VOID
);
/**
Prototype of HMAC Operation Initiating.
Initialization with a new context.
@param[out] Context Input Context.
@param[in] Key Pointer to the key for HMAC.
@param[in] KeySize The length of the Key in bytes.
@retval TRUE Initialization Successfully.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_HMAC_INIT)(
OUT VOID *Context,
IN CONST UINT8 *Key,
IN UINTN KeySize
);
/**
Prototype of HMAC update.
HMAC update operation. Continue an HMAC message digest operation, processing
another message block, and updating the HMAC context.
If Context is NULL, then ASSERT().
If Data is NULL, then ASSERT().
@param[in,out] Context The Specified Context.
@param[in,out] Data The Input Data to be digested.
@param[in] DataLength The length, in bytes, of Data.
@retval TRUE Update data successfully.
@retval FALSE The Context has been finalized.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_HMAC_UPDATE)(
IN OUT VOID *Context,
IN CONST VOID *Data,
IN UINTN DataLength
);
/**
Prototype of HMAC finalization.
Terminate a HMAC message digest operation and output the message digest.
If Context is NULL, then ASSERT().
If HashValue is NULL, then ASSERT().
@param[in,out] Context The specified Context.
@param[out] HmacValue Pointer to a 16-byte message digest output buffer.
@retval TRUE Finalized successfully.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_HMAC_FINAL)(
IN OUT VOID *Context,
OUT UINT8 *HmacValue
);
/**
Prototype of Block Cipher GetContextSize.
Retrieves the size, in bytes, of the context buffer required.
@return The size, in bytes, of the context buffer required.
**/
typedef
UINTN
(EFIAPI *CRYPTO_CIPHER_GETCONTEXTSIZE)(
VOID
);
/**
Prototype of Block Cipher initiation.
Initializes the user-supplied key as the specified context (key materials) for both
encryption and decryption operations.
If Context is NULL, then ASSERT().
If Key is NULL, then generate random key for usage.
@param[in,out] Context The specified Context.
@param[in] Key User-supplied cipher key.
@param[in] KeyBits Key length in bits.
@retval TRUE Block Cipher Initialization was successful.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_CIPHER_INIT)(
IN OUT VOID *Context,
IN CONST UINT8 *Key,
IN UINTN KeyBits
);
/**
Prototype of Cipher encryption.
Encrypts plaintext message with the specified cipher.
If Context is NULL, then ASSERT().
If InData is NULL, then ASSERT().
If Size of input data is not multiple of Cipher algorithm related block size,
then ASSERT().
@param[in] Context The specified Context.
@param[in] InData The input plaintext data to be encrypted.
@param[in] InputSize The size of input data.
@param[in] Ivec Pointer to Initial Vector data for encryption.
@param[out] OutData The resultant encrypted ciphertext.
@retval TRUE Encryption successful.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_CIPHER_ENCRYPT)(
IN VOID *Context,
IN CONST UINT8 *InData,
IN UINTN InputSize,
IN CONST UINT8 *Ivec,
OUT UINT8 *OutData
);
/**
Prototype of Cipher decryption.
Decrypts cipher message with specified cipher.
If Context is NULL, then ASSERT().
If InData is NULL, then ASSERT().
If Size of input data is not a multiple of a certaion block size , then ASSERT().
@param[in] Context The specified Context.
@param[in] InData The input ciphertext data to be decrypted.
@param[in] InputSize The InData size.
@param[in] Ivec Pointer to the Initial Vector data for decryption.
@param[out] OutData The resultant decrypted plaintext.
@retval TRUE Decryption successful.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_CIPHER_DECRYPT)(
IN VOID *Context,
IN CONST UINT8 *InData,
IN UINTN InputSize,
IN CONST UINT8 *Ivec,
OUT UINT8 *OutData
);
/**
Prototype of Hash ContextSize.
Retrieves the size, in bytes, of the context buffer required for specified hash operations.
@return The size, in bytes, of the context buffer required for certain hash operations.
**/
typedef
UINTN
(EFIAPI *CRYPTO_HASH_GETCONTEXTSIZE)(
VOID
);
/**
Prototype of Hash Initiate.
Initializes user-supplied memory pointed by Context as specified hash context for
subsequent use.
If Context is NULL, then ASSERT().
@param[out] Context Pointer to specified context being initialized.
@retval TRUE context initialization succeeded.
@retval FALSE context initialization failed.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_HASH_INIT)(
OUT VOID *Context
);
/**
Prototype of Hash Update
Digests the input data and updates hash context.
This function performs digest on a data buffer of the specified size.
It can be called multiple times to compute the digest of long or discontinuous data streams.
Context should be already correctly initialized by HashInit(), and should not be finalized
by HashFinal(). Behavior with invalid context is undefined.
If Context is NULL, then ASSERT().
@param[in, out] Context Pointer to the specified context.
@param[in] Data Pointer to the buffer containing the data to be hashed.
@param[in] DataSize Size of Data buffer in bytes.
@retval TRUE data digest succeeded.
@retval FALSE data digest failed.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_HASH_UPDATE)(
IN OUT VOID *Context,
IN CONST VOID *Data,
IN UINTN DataSize
);
/**
Prototype of Hash Finalization.
Completes computation of the digest value.
This function completes hash computation and retrieves the digest value into
the specified memory. After this function has been called, the context cannot
be used again.
context should be already correctly initialized by HashInit(), and should not be
finalized by HashFinal(). Behavior with invalid context is undefined.
If Context is NULL, then ASSERT().
If HashValue is NULL, then ASSERT().
@param[in, out] Context Pointer to the specified context.
@param[out] HashValue Pointer to a buffer that receives the digest
value.
@retval TRUE digest computation succeeded.
@retval FALSE digest computation failed.
**/
typedef
BOOLEAN
(EFIAPI *CRYPTO_HASH_FINAL)(
IN OUT VOID *Context,
OUT UINT8 *HashValue
);
//
// The struct used to store the information and operation of Block Cipher algorithm.
//
typedef struct _ENCRYPT_ALGORITHM {
//
// The ID of the Algorithm
//
UINT8 AlgorithmId;
//
// The Key length of the Algorithm
//
UINTN KeyLength;
//
// Iv Size of the Algorithm
//
UINTN IvLength;
//
// The Block Size of the Algorithm
//
UINTN BlockSize;
//
// The Function pointer of GetContextSize.
//
CRYPTO_CIPHER_GETCONTEXTSIZE CipherGetContextSize;
//
// The Function pointer of Cipher initiation.
//
CRYPTO_CIPHER_INIT CipherInitiate;
//
// The Function pointer of Cipher Encryption.
//
CRYPTO_CIPHER_ENCRYPT CipherEncrypt;
//
// The Function pointer of Cipher Decryption.
//
CRYPTO_CIPHER_DECRYPT CipherDecrypt;
} ENCRYPT_ALGORITHM;
//
// The struct used to store the information and operation of Authentication algorithm.
//
typedef struct _AUTH_ALGORITHM {
//
// ID of the Algorithm
//
UINT8 AlgorithmId;
//
// The Key length of the Algorithm
//
UINTN DigestLength;
//
// The ICV length of the Algorithm
//
UINTN IcvLength;
//
// The block size of the Algorithm
//
UINTN BlockSize;
//
// The function pointer of GetContextSize.
//
CRYPTO_HMAC_GETCONTEXTSIZE HmacGetContextSize;
//
// The function pointer of Initiation
//
CRYPTO_HMAC_INIT HmacInitiate;
//
// The function pointer of HMAC Update.
//
CRYPTO_HMAC_UPDATE HmacUpdate;
//
// The fucntion pointer of HMAC Final
//
CRYPTO_HMAC_FINAL HmacFinal;
} AUTH_ALGORITHM;
//
// The struct used to store the information and operation of Hash algorithm.
//
typedef struct _HASH_ALGORITHM {
//
// ID of the Algorithm
//
UINT8 AlgorithmId;
//
// The Key length of the Algorithm
//
UINTN DigestLength;
//
// The ICV length of the Algorithm
//
UINTN IcvLength;
//
// The block size of the Algorithm
//
UINTN BlockSize;
//
// The function pointer of GetContextSize
//
CRYPTO_HASH_GETCONTEXTSIZE HashGetContextSize;
//
// The function pointer of Initiation
//
CRYPTO_HASH_INIT HashInitiate;
//
// The function pointer of Hash Update
//
CRYPTO_HASH_UPDATE HashUpdate;
//
// The fucntion pointer of Hash Final
//
CRYPTO_HASH_FINAL HashFinal;
} HASH_ALGORITHM;
/**
Get the IV size of specified encryption algorithm.
@param[in] AlgorithmId The encryption algorithm ID.
@return The value of IV size.
**/
UINTN
IpSecGetEncryptIvLength (
IN UINT8 AlgorithmId
);
/**
Get the block size of specified encryption algorithm.
@param[in] AlgorithmId The encryption algorithm ID.
@return The value of block size.
**/
UINTN
IpSecGetEncryptBlockSize (
IN UINT8 AlgorithmId
);
/**
Get the required key length of the specified encryption algorithm.
@param[in] AlgorithmId The encryption algorithm ID.
@return The value of key length.
**/
UINTN
IpSecGetEncryptKeyLength (
IN UINT8 AlgorithmId
);
/**
Get the ICV size of the specified Authentication algorithm.
@param[in] AlgorithmId The Authentication algorithm ID.
@return The value of ICV size.
**/
UINTN
IpSecGetIcvLength (
IN UINT8 AlgorithmId
);
/**
Get the HMAC digest length by the specified Algorithm ID.
@param[in] AlgorithmId The specified Algorithm ID.
@return The digest length of the specified Authentication Algorithm ID.
**/
UINTN
IpSecGetHmacDigestLength (
IN UINT8 AlgorithmId
);
/**
Generate a random data for IV. If the IvSize is zero, not needed to create
IV and return EFI_SUCCESS.
@param[in] IvBuffer The pointer of the IV buffer.
@param[in] IvSize The IV size in bytes.
@retval EFI_SUCCESS Create random data for IV.
**/
EFI_STATUS
IpSecGenerateIv (
IN UINT8 *IvBuffer,
IN UINTN IvSize
);
/**
Encrypt the buffer.
This function calls relevant encryption interface from CryptoLib according to
the input algorithm ID. The InData should be multiple of block size. This function
doesn't perform the padding. If it has the Ivec data, the length of it should be
same with the block size. The block size is different from the different algorithm.
@param[in] AlgorithmId The Algorithm identification defined in RFC.
@param[in] Key Pointer to the buffer containing encrypting key.
@param[in] KeyBits The length of the key in bits.
@param[in] Ivec Point to the buffer containing the Initialization
Vector (IV) data.
@param[in] InData Point to the buffer containing the data to be
encrypted.
@param[in] InDataLength The length of InData in Bytes.
@param[out] OutData Point to the buffer that receives the encryption
output.
@retval EFI_UNSUPPORTED The input Algorithm is not supported.
@retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
@retval EFI_SUCCESS The operation completed successfully.
**/
EFI_STATUS
IpSecCryptoIoEncrypt (
IN CONST UINT8 AlgorithmId,
IN CONST UINT8 *Key,
IN CONST UINTN KeyBits,
IN CONST UINT8 *Ivec, OPTIONAL
IN UINT8 *InData,
IN UINTN InDataLength,
OUT UINT8 *OutData
);
/**
Decrypts the buffer.
This function calls relevant Decryption interface from CryptoLib according to
the input algorithm ID. The InData should be multiple of block size. This function
doesn't perform the padding. If it has the Ivec data, the length of it should be
same with the block size. The block size is different from the different algorithm.
@param[in] AlgorithmId The Algorithm identification defined in RFC.
@param[in] Key Pointer to the buffer containing encrypting key.
@param[in] KeyBits The length of the key in bits.
@param[in] Ivec Point to the buffer containing the Initialization
Vector (IV) data.
@param[in] InData Point to the buffer containing the data to be
decrypted.
@param[in] InDataLength The length of InData in Bytes.
@param[out] OutData Pointer to the buffer that receives the decryption
output.
@retval EFI_UNSUPPORTED The input Algorithm is not supported.
@retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
@retval EFI_SUCCESS The operation completed successfully.
**/
EFI_STATUS
IpSecCryptoIoDecrypt (
IN CONST UINT8 AlgorithmId,
IN CONST UINT8 *Key,
IN CONST UINTN KeyBits,
IN CONST UINT8 *Ivec, OPTIONAL
IN UINT8 *InData,
IN UINTN InDataLength,
OUT UINT8 *OutData
);
/**
Digests the Payload with key and store the result into the OutData.
This function calls relevant Hmac interface from CryptoLib according to
the input algorithm ID. It computes all datas from InDataFragment and output
the result into the OutData buffer. If the OutDataSize is larger than the related
HMAC algorithm output size, return EFI_INVALID_PARAMETER.
@param[in] AlgorithmId The authentication Identification.
@param[in] Key Pointer of the authentication key.
@param[in] KeyLength The length of the Key in bytes.
@param[in] InDataFragment The list contains all data to be authenticated.
@param[in] FragmentCount The size of the InDataFragment.
@param[out] OutData For in, the buffer to receive the output data.
For out, the buffer contains the authenticated data.
@param[in] OutDataSize The size of the buffer of OutData.
@retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.
@retval EFI_INVALID_PARAMETER The OutData buffer size is larger than algorithm digest size.
@retval EFI_SUCCESS Authenticate the payload successfully.
@retval otherwise Authentication of the payload fails.
**/
EFI_STATUS
IpSecCryptoIoHmac (
IN CONST UINT8 AlgorithmId,
IN CONST UINT8 *Key,
IN UINTN KeyLength,
IN HASH_DATA_FRAGMENT *InDataFragment,
IN UINTN FragmentCount,
OUT UINT8 *OutData,
IN UINTN OutDataSize
);
/**
Digests the Payload and store the result into the OutData.
This function calls relevant Hash interface from CryptoLib according to
the input algorithm ID. It computes all datas from InDataFragment and output
the result into the OutData buffer. If the OutDataSize is larger than the related
Hash algorithm output size, return EFI_INVALID_PARAMETER.
@param[in] AlgorithmId The authentication Identification.
@param[in] InDataFragment A list contains all data to be authenticated.
@param[in] FragmentCount The size of the InDataFragment.
@param[out] OutData For in, the buffer to receive the output data.
For out, the buffer contains the authenticated data.
@param[in] OutDataSize The size of the buffer of OutData.
@retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.
@retval EFI_SUCCESS Authenticated the payload successfully.
@retval EFI_INVALID_PARAMETER If the OutDataSize is larger than the related Hash
algorithm could handle.
@retval otherwise Authentication of the payload failed.
**/
EFI_STATUS
IpSecCryptoIoHash (
IN CONST UINT8 AlgorithmId,
IN HASH_DATA_FRAGMENT *InDataFragment,
IN UINTN FragmentCount,
OUT UINT8 *OutData,
IN UINTN OutDataSize
);
/**
Generates the Diffie-Hellman public key.
This function first initiate a DHContext, then call the DhSetParameter() to set
the prime and primelength, at end call the DhGenerateKey() to generates random
secret exponent, and computes the public key. The output returned via parameter
PublicKey and PublicKeySize. DH context is updated accordingly. If the PublicKey
buffer is too small to hold the public key, EFI_INVALID_PARAMETER is returned
and PublicKeySize is set to the required buffer size to obtain the public key.
@param[in, out] DhContext Pointer to the DH context.
@param[in] Generator Value of generator.
@param[in] PrimeLength Length in bits of prime to be generated.
@param[in] Prime Pointer to the buffer to receive the generated
prime number.
@param[out] PublicKey Pointer to the buffer to receive generated public key.
@param[in, out] PublicKeySize For in, the size of PublicKey buffer in bytes.
For out, the size of data returned in PublicKey
buffer in bytes.
@retval EFI_SUCCESS The operation performs successfully.
@retval Otherwise The operation is failed.
**/
EFI_STATUS
IpSecCryptoIoDhGetPublicKey (
IN OUT UINT8 **DhContext,
IN UINTN Generator,
IN UINTN PrimeLength,
IN CONST UINT8 *Prime,
OUT UINT8 *PublicKey,
IN OUT UINTN *PublicKeySize
);
/**
Generates exchanged common key.
Given peer's public key, this function computes the exchanged common key, based
on its own context including value of prime modulus and random secret exponent.
@param[in, out] DhContext Pointer to the DH context.
@param[in] PeerPublicKey Pointer to the peer's Public Key.
@param[in] PeerPublicKeySize Size of peer's public key in bytes.
@param[out] Key Pointer to the buffer to receive generated key.
@param[in, out] KeySize For in, the size of Key buffer in bytes.
For out, the size of data returned in Key
buffer in bytes.
@retval EFI_SUCCESS The operation performs successfully.
@retval Otherwise The operation is failed.
**/
EFI_STATUS
IpSecCryptoIoDhComputeKey (
IN OUT UINT8 *DhContext,
IN CONST UINT8 *PeerPublicKey,
IN UINTN PeerPublicKeySize,
OUT UINT8 *Key,
IN OUT UINTN *KeySize
);
/**
Releases the DH context. If DhContext is NULL, return EFI_INVALID_PARAMETER.
@param[in, out] DhContext Pointer to the DH context to be freed.
@retval EFI_SUCCESS The operation performs successfully.
@retval EFI_INVALID_PARAMETER The DhContext is NULL.
**/
EFI_STATUS
IpSecCryptoIoFreeDh (
IN OUT UINT8 **DhContext
);
/**
Generates random numbers of specified size.
If the Random Generator wasn't initiated, initiate it first, then call RandomBytes.
@param[out] OutBuffer Pointer to buffer to receive random value.
@param[in] Bytes Size of random bytes to generate.
@retval EFI_SUCCESS The operation performs successfully.
@retval Otherwise The operation is failed.
**/
EFI_STATUS
IpSecCryptoIoGenerateRandomBytes (
OUT UINT8* OutBuffer,
IN UINTN Bytes
);
/**
Authenticate data with the certificate.
@param[in] InData Pointer to the Data to be signed.
@param[in] InDataSize InData size in bytes.
@param[in] PrivateKey Pointer to the private key.
@param[in] PrivateKeySize The size of Private Key in bytes.
@param[in] KeyPassWord Pointer to the password for retrieving private key.
@param[in] KeyPwdSize The size of Key Password in bytes.
@param[out] OutData The pointer to the signed data.
@param[in, out] OutDataSize Pointer to contain the size of out data.
**/
VOID
IpSecCryptoIoAuthDataWithCertificate (
IN UINT8 *InData,
IN UINTN InDataSize,
IN UINT8 *PrivateKey,
IN UINTN PrivateKeySize,
IN UINT8 *KeyPassWord,
IN UINTN KeyPwdSize,
OUT UINT8 **OutData,
IN OUT UINTN *OutDataSize
);
/**
Verify the singed data with the public key which is contained in a certificate.
@param[in] InCert Pointer to the Certificate which contains the
public key.
@param[in] CertLen The size of Certificate in bytes.
@param[in] InCa Pointer to the CA certificate
@param[in] CaLen The size of CA certificate in bytes.
@param[in] InData Pointer to octet message hash to be checked.
@param[in] InDataSize Size of the message hash in bytes.
@param[in] Singnature The pointer to the RSA PKCS1-V1_5 signature to be verified.
@param[in] SigSize Size of signature in bytes.
@retval TRUE Valid signature encoded in PKCS1-v1_5.
@retval FALSE Invalid signature or invalid RSA context.
**/
BOOLEAN
IpSecCryptoIoVerifySignDataByCertificate (
IN UINT8 *InCert,
IN UINTN CertLen,
IN UINT8 *InCa,
IN UINTN CaLen,
IN UINT8 *InData,
IN UINTN InDataSize,
IN UINT8 *Singnature,
IN UINTN SigSize
);
/**
Retrieves the RSA Public Key from one X509 certificate (DER format only).
@param[in] InCert Pointer to the certificate.
@param[in] CertLen The size of the certificate in bytes.
@param[out] PublicKey Pointer to the retrieved public key.
@param[out] PublicKeyLen Size of Public Key in bytes.
@retval EFI_SUCCESS Successfully get the public Key.
@retval EFI_INVALID_PARAMETER The CA certificate is malformed.
**/
EFI_STATUS
IpSecCryptoIoGetPublicKeyFromCert (
IN UINT8 *InCert,
IN UINTN CertLen,
OUT UINT8 **PublicKey,
OUT UINTN *PublicKeyLen
);
/**
Retrieves the subject name from one X509 certificate (DER format only).
@param[in] InCert Pointer to the X509 certificate.
@param[in] CertSize The size of the X509 certificate in bytes.
@param[out] CertSubject Pointer to the retrieved certificate subject.
@param[out] SubjectSize The size of Certificate Subject in bytes.
@retval EFI_SUCCESS Retrieved the certificate subject successfully.
@retval EFI_INVALID_PARAMETER The certificate is malformed.
**/
EFI_STATUS
IpSecCryptoIoGetSubjectFromCert (
IN UINT8 *InCert,
IN UINTN CertSize,
OUT UINT8 **CertSubject,
OUT UINTN *SubjectSize
);
#endif


@ -1,328 +0,0 @@
/** @file
The Interfaces of IPsec debug information printing.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "IpSecImpl.h"
#include "IpSecDebug.h"
//
// The print title for IKEv1 variety phase.
//
CHAR8 *mIkev1StateStr[IKE_STATE_NUM] = {
"IKEv1_MAIN_1",
"IKEv1_MAIN_2",
"IKEv1_MAIN_3",
"IKEv1_MAIN_ESTABLISHED",
"IKEv1_QUICK_1",
"IKEv1_QUICK_2",
"IKEv1_QUICK_ESTABLISHED"
};
//
// The print title for IKEv2 variety phase.
//
CHAR8 *mIkev2StateStr[IKE_STATE_NUM] = {
"IKEv2_STATE_INIT",
"IKEv2_STATE_AUTH",
"IKEv2_STATE_SA_ESTABLISH",
"IKEv2_STATE_CREATE_CHILD",
"IKEv2_STATE_SA_REKEYING",
"IKEv2_STATE_CHILD_SA_ESTABLISHED",
"IKEv2_STATE_SA_DELETING"
};
//
// The print title for IKEv1 variety Exchagne.
//
CHAR8 *mExchangeStr[] = {
"IKEv1 Main Exchange",
"IKEv1 Info Exchange",
"IKEv1 Quick Exchange",
"IKEv2 Initial Exchange",
"IKEv2 Auth Exchange",
"IKEv2 Create Child Exchange",
"IKEv2 Info Exchange",
"IKE Unknow Exchange"
};
//
// The print title for IKEv1 variety Payload.
//
CHAR8 *mIkev1PayloadStr[] = {
"IKEv1 None Payload",
"IKEv1 SA Payload",
"IKEv1 Proposal Payload",
"IKEv1 Transform Payload",
"IKEv1 KE Payload",
"IKEv1 ID Payload",
"IKEv1 Certificate Payload",
"IKEv1 Certificate Request Payload",
"IKEv1 Hash Payload",
"IKEv1 Signature Payload",
"IKEv1 Nonce Payload",
"IKEv1 Notify Payload",
"IKEv1 Delete Payload",
"IKEv1 Vendor Payload"
};
//
// The print title for IKEv2 variety Payload.
//
CHAR8* mIkev2PayloadStr[] = {
"IKEv2 SA Payload",
"IKEv2 Key Payload",
"IKEv2 Identity Initial Payload",
"IKEv2 Identity Respond Payload",
"IKEv2 Certificate Payload",
"IKEv2 Certificate Request Payload",
"IKEv2 Auth Payload",
"IKEv2 Nonce Payload",
"IKEv2 Notify Payload",
"IKEv2 Delet Payload",
"IKEv2 Vendor Payload",
"IKEv2 Traffic Selector Initiator Payload",
"IKEv2 Traffic Selector Respond Payload",
"IKEv2 Encrypt Payload",
"IKEv2 Configuration Payload",
"IKEv2 Extensible Authentication Payload"
};
/**
Print the IP address.
@param[in] Level Debug print error level. Pass to DEBUG().
@param[in] Ip Point to a specified IP address.
@param[in] IpVersion The IP Version.
**/
VOID
IpSecDumpAddress (
IN UINTN Level,
IN EFI_IP_ADDRESS *Ip,
IN UINT8 IpVersion
)
{
if (IpVersion == IP_VERSION_6) {
DEBUG (
(Level,
"%x%x:%x%x:%x%x:%x%x",
Ip->v6.Addr[0],
Ip->v6.Addr[1],
Ip->v6.Addr[2],
Ip->v6.Addr[3],
Ip->v6.Addr[4],
Ip->v6.Addr[5],
Ip->v6.Addr[6],
Ip->v6.Addr[7])
);
DEBUG (
(Level,
":%x%x:%x%x:%x%x:%x%x\n",
Ip->v6.Addr[8],
Ip->v6.Addr[9],
Ip->v6.Addr[10],
Ip->v6.Addr[11],
Ip->v6.Addr[12],
Ip->v6.Addr[13],
Ip->v6.Addr[14],
Ip->v6.Addr[15])
);
} else {
DEBUG (
(Level,
"%d.%d.%d.%d\n",
Ip->v4.Addr[0],
Ip->v4.Addr[1],
Ip->v4.Addr[2],
Ip->v4.Addr[3])
);
}
}
/**
Print IKE Current states.
@param[in] Previous The Previous state of IKE.
@param[in] Current The current state of IKE.
@param[in] IkeVersion The version of IKE.
**/
VOID
IkeDumpState (
IN UINT32 Previous,
IN UINT32 Current,
IN UINT8 IkeVersion
)
{
if (Previous >= IKE_STATE_NUM || Current >= IKE_STATE_NUM) {
return;
}
if (Previous == Current) {
if (IkeVersion == 1) {
DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev1StateStr[Previous]));
} else if (IkeVersion == 2) {
DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev2StateStr[Previous]));
}
} else {
if (IkeVersion == 1) {
DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev1StateStr[Previous], mIkev1StateStr[Current]));
} else {
DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev2StateStr[Previous], mIkev2StateStr[Current]));
}
}
}
/**
Print the IKE Packet.
@param[in] Packet Point to IKE packet to be printed.
@param[in] Direction Point to the IKE packet is inbound or outbound.
@param[in] IpVersion Specified IP Version.
**/
VOID
IpSecDumpPacket (
IN IKE_PACKET *Packet,
IN EFI_IPSEC_TRAFFIC_DIR Direction,
IN UINT8 IpVersion
)
{
CHAR8 *TypeStr;
UINTN PacketSize;
UINT64 InitCookie;
UINT64 RespCookie;
ASSERT (Packet != NULL);
PacketSize = Packet->PayloadTotalSize + sizeof (IKE_HEADER);
InitCookie = (Direction == EfiIPsecOutBound) ? HTONLL (Packet->Header->InitiatorCookie) : Packet->Header->InitiatorCookie;
RespCookie = (Direction == EfiIPsecOutBound) ? HTONLL (Packet->Header->ResponderCookie) : Packet->Header->ResponderCookie;
switch (Packet->Header->ExchangeType) {
case IKE_XCG_TYPE_IDENTITY_PROTECT:
TypeStr = mExchangeStr[0];
break;
case IKE_XCG_TYPE_INFO:
TypeStr = mExchangeStr[1];
break;
case IKE_XCG_TYPE_QM:
TypeStr = mExchangeStr[2];
break;
case IKE_XCG_TYPE_SA_INIT:
TypeStr = mExchangeStr[3];
break;
case IKE_XCG_TYPE_AUTH:
TypeStr = mExchangeStr[4];
break;
case IKE_XCG_TYPE_CREATE_CHILD_SA:
TypeStr = mExchangeStr[5];
break;
case IKE_XCG_TYPE_INFO2:
TypeStr = mExchangeStr[6];
break;
default:
TypeStr = mExchangeStr[7];
break;
}
if (Direction == EfiIPsecOutBound) {
DEBUG ((DEBUG_INFO, "\n>>>Sending %d bytes %a to ", PacketSize, TypeStr));
} else {
DEBUG ((DEBUG_INFO, "\n>>>Receiving %d bytes %a from ", PacketSize, TypeStr));
}
IpSecDumpAddress (DEBUG_INFO, &Packet->RemotePeerIp, IpVersion);
DEBUG ((DEBUG_INFO, " InitiatorCookie:0x%lx ResponderCookie:0x%lx\n", InitCookie, RespCookie));
DEBUG (
(DEBUG_INFO,
" Version: 0x%x Flags:0x%x ExchangeType:0x%x\n",
Packet->Header->Version,
Packet->Header->Flags,
Packet->Header->ExchangeType)
);
DEBUG (
(DEBUG_INFO,
" MessageId:0x%x NextPayload:0x%x\n",
Packet->Header->MessageId,
Packet->Header->NextPayload)
);
}
/**
Print the IKE Paylolad.
@param[in] IkePayload Point to payload to be printed.
@param[in] IkeVersion The specified version of IKE.
**/
VOID
IpSecDumpPayload (
IN IKE_PAYLOAD *IkePayload,
IN UINT8 IkeVersion
)
{
if (IkeVersion == 1) {
DEBUG ((DEBUG_INFO, "+%a\n", mIkev1PayloadStr[IkePayload->PayloadType]));
} else {
//
// For IKEV2 the first Payload type is started from 33.
//
DEBUG ((DEBUG_INFO, "+%a\n", mIkev2PayloadStr[IkePayload->PayloadType - 33]));
}
IpSecDumpBuf ("Payload data", IkePayload->PayloadBuf, IkePayload->PayloadSize);
}
/**
Print the buffer in form of Hex.
@param[in] Title The strings to be printed before the data of the buffer.
@param[in] Data Points to buffer to be printed.
@param[in] DataSize The size of the buffer to be printed.
**/
VOID
IpSecDumpBuf (
IN CHAR8 *Title,
IN UINT8 *Data,
IN UINTN DataSize
)
{
UINTN Index;
UINTN DataIndex;
UINTN BytesRemaining;
UINTN BytesToPrint;
DataIndex = 0;
BytesRemaining = DataSize;
DEBUG ((DEBUG_INFO, "==%a %d bytes==\n", Title, DataSize));
while (BytesRemaining > 0) {
BytesToPrint = (BytesRemaining > IPSEC_DEBUG_BYTE_PER_LINE) ? IPSEC_DEBUG_BYTE_PER_LINE : BytesRemaining;
for (Index = 0; Index < BytesToPrint; Index++) {
DEBUG ((DEBUG_INFO, " 0x%02x,", Data[DataIndex++]));
}
DEBUG ((DEBUG_INFO, "\n"));
BytesRemaining -= BytesToPrint;
}
}


@ -1,101 +0,0 @@
/** @file
The definition of functions and MACROs used for IPsec debug information printting.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _EFI_IPSEC_DEBUG_H_
#define _EFI_IPSEC_DEBUG_H_
#include "IkeCommon.h"
#include "IkePacket.h"
#define IPSEC_DUMP_ADDRESS(Level, Ip, Version) IpSecDumpAddress (Level, Ip, Version)
#define IKEV1_DUMP_STATE(Previous, Current) IkeDumpState (Previous, Current, 1)
#define IKEV2_DUMP_STATE(Previous, Current) IkeDumpState (Previous, Current, 2)
#define IPSEC_DUMP_PACKET(Packet, Direction, IpVersion) IpSecDumpPacket (Packet, Direction, IpVersion)
#define IPSEC_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload (IkePayload, 1)
#define IKEV2_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload (IkePayload, 2)
#define IPSEC_DUMP_BUF(Title, Data, DataSize) IpSecDumpBuf (Title, Data, DataSize)
#define IPSEC_DEBUG_BYTE_PER_LINE 8
#define IKE_STATE_NUM 7
/**
Print the IP address.
@param[in] Level Debug print error level. Pass to DEBUG().
@param[in] Ip Point to specified IP address.
@param[in] IpVersion The IP Version.
**/
VOID
IpSecDumpAddress (
IN UINTN Level,
IN EFI_IP_ADDRESS *Ip,
IN UINT8 IpVersion
);
/**
Print IKE Current states.
@param[in] Previous The Previous state of IKE.
@param[in] Current The current state of IKE.
@param[in] IkeVersion The version of IKE.
**/
VOID
IkeDumpState (
IN UINT32 Previous,
IN UINT32 Current,
IN UINT8 IkeVersion
);
/**
Print the IKE Packet.
@param[in] Packet Point to IKE packet to be printed.
@param[in] Direction Point to the IKE packet is inbound or outbound.
@param[in] IpVersion Specified IP Version.
**/
VOID
IpSecDumpPacket (
IN IKE_PACKET *Packet,
IN EFI_IPSEC_TRAFFIC_DIR Direction,
IN UINT8 IpVersion
);
/**
Print the IKE Paylolad.
@param[in] IkePayload Point to payload to be printed.
@param[in] IkeVersion The specified version of IKE.
**/
VOID
IpSecDumpPayload (
IN IKE_PAYLOAD *IkePayload,
IN UINT8 IkeVersion
);
/**
Print the buffer in form of Hex.
@param[in] Title The strings to be printed before the data of the buffer.
@param[in] Data Point to buffer to be printed.
@param[in] DataSize The size of the buffer to be printed.
**/
VOID
IpSecDumpBuf (
IN CHAR8 *Title,
IN UINT8 *Data,
IN UINTN DataSize
);
#endif


@ -1,654 +0,0 @@
/** @file
Driver Binding Protocol for IPsec Driver.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Library/BaseCryptLib.h>
#include "IpSecConfigImpl.h"
#include "IkeService.h"
#include "IpSecDebug.h"
/**
Test to see if this driver supports ControllerHandle. This is the worker function
for IpSec4(6)DriverbindingSupported.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of device to test.
@param[in] RemainingDevicePath Optional parameter used to pick a specific child
device to start.
@param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
@retval EFI_SUCCES This driver supports this device.
@retval EFI_ALREADY_STARTED This driver is already running on this device.
@retval other This driver does not support this device.
**/
EFI_STATUS
EFIAPI
IpSecSupported (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL,
IN UINT8 IpVersion
)
{
EFI_STATUS Status;
EFI_GUID *UdpServiceBindingGuid;
if (IpVersion == IP_VERSION_4) {
UdpServiceBindingGuid = &gEfiUdp4ServiceBindingProtocolGuid;
} else {
UdpServiceBindingGuid = &gEfiUdp6ServiceBindingProtocolGuid;
}
Status = gBS->OpenProtocol (
ControllerHandle,
UdpServiceBindingGuid,
NULL,
This->DriverBindingHandle,
ControllerHandle,
EFI_OPEN_PROTOCOL_TEST_PROTOCOL
);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}
return EFI_SUCCESS;
}
/**
Start this driver on ControllerHandle. This is the worker function
for IpSec4(6)DriverbindingStart.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of device to bind driver to.
@param[in] RemainingDevicePath Optional parameter used to pick a specific child
device to start.
@param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
@retval EFI_SUCCES This driver is added to ControllerHandle
@retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
@retval EFI_DEVICE_ERROR The device could not be started due to a device error.
Currently not implemented.
@retval other This driver does not support this device
**/
EFI_STATUS
EFIAPI
IpSecStart (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL,
IN UINT8 IpVersion
)
{
EFI_IPSEC2_PROTOCOL *IpSec;
EFI_STATUS Status;
IPSEC_PRIVATE_DATA *Private;
//
// Ipsec protocol should be installed when load image.
//
Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);
if (EFI_ERROR (Status)) {
return Status;
}
Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);
if (IpVersion == IP_VERSION_4) {
//
// Try to open a udp4 io for input.
//
Status = gBS->OpenProtocol (
ControllerHandle,
&gEfiUdp4ServiceBindingProtocolGuid,
NULL,
This->DriverBindingHandle,
ControllerHandle,
EFI_OPEN_PROTOCOL_TEST_PROTOCOL
);
if (!EFI_ERROR (Status)) {
Status = IkeOpenInputUdp4 (Private, ControllerHandle, This->DriverBindingHandle);
}
} else {
//
// Try to open a udp6 io for input.
//
Status = gBS->OpenProtocol (
ControllerHandle,
&gEfiUdp6ServiceBindingProtocolGuid,
NULL,
This->DriverBindingHandle,
ControllerHandle,
EFI_OPEN_PROTOCOL_TEST_PROTOCOL
);
if (!EFI_ERROR (Status)) {
Status = IkeOpenInputUdp6 (Private, ControllerHandle, This->DriverBindingHandle);
}
}
if (EFI_ERROR (Status)) {
return EFI_DEVICE_ERROR;
}
return EFI_SUCCESS;
}
/**
Stop this driver on ControllerHandle. This is the worker function
for IpSec4(6)DriverbindingStop.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of a device to stop the driver on.
@param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of
children is zero, stop the entire bus driver.
@param[in] ChildHandleBuffer List of Child Handles to Stop.
@param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
@retval EFI_SUCCES This driver removed ControllerHandle.
@retval other This driver was not removed from this device.
**/
EFI_STATUS
EFIAPI
IpSecStop (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN UINTN NumberOfChildren,
IN EFI_HANDLE *ChildHandleBuffer,
IN UINT8 IpVersion
)
{
EFI_IPSEC2_PROTOCOL *IpSec;
EFI_STATUS Status;
IPSEC_PRIVATE_DATA *Private;
IKE_UDP_SERVICE *UdpSrv;
LIST_ENTRY *Entry;
LIST_ENTRY *Next;
IKEV2_SA_SESSION *Ikev2SaSession;
//
// Locate ipsec protocol to get private data.
//
Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);
if (EFI_ERROR (Status)) {
return Status;
}
Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);
//
// The SAs are shared by both IP4 and IP6 stack. So we skip the cleanup
// and leave the SAs unchanged if the other IP stack is still running.
//
if ((IpVersion == IP_VERSION_4 && Private->Udp6Num ==0) ||
(IpVersion == IP_VERSION_6 && Private->Udp4Num ==0)) {
//
// If IKEv2 SAs are under establishing, delete it directly.
//
if (!IsListEmpty (&Private->Ikev2SessionList)) {
NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2SessionList) {
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
RemoveEntryList (&Ikev2SaSession->BySessionTable);
Ikev2SaSessionFree (Ikev2SaSession);
}
}
//
// Delete established IKEv2 SAs.
//
if (!IsListEmpty (&Private->Ikev2EstablishedList)) {
NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2EstablishedList) {
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
RemoveEntryList (&Ikev2SaSession->BySessionTable);
Ikev2SaSessionFree (Ikev2SaSession);
}
}
}
if (IpVersion == IP_VERSION_4) {
//
// If has udp4 io opened on the controller, close and free it.
//
NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp4List) {
UdpSrv = IPSEC_UDP_SERVICE_FROM_LIST (Entry);
//
// Find the right udp service which installed on the appointed nic handle.
//
if (UdpSrv->Input != NULL && ControllerHandle == UdpSrv->Input->UdpHandle) {
UdpIoFreeIo (UdpSrv->Input);
UdpSrv->Input = NULL;
}
if (UdpSrv->Output != NULL && ControllerHandle == UdpSrv->Output->UdpHandle) {
UdpIoFreeIo (UdpSrv->Output);
UdpSrv->Output = NULL;
}
if (UdpSrv->Input == NULL && UdpSrv->Output == NULL) {
RemoveEntryList (&UdpSrv->List);
FreePool (UdpSrv);
ASSERT (Private->Udp4Num > 0);
Private->Udp4Num--;
}
}
} else {
//
// If has udp6 io opened on the controller, close and free it.
//
NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp6List) {
UdpSrv = IPSEC_UDP_SERVICE_FROM_LIST (Entry);
//
// Find the right udp service which installed on the appointed nic handle.
//
if (UdpSrv->Input != NULL && ControllerHandle == UdpSrv->Input->UdpHandle) {
UdpIoFreeIo (UdpSrv->Input);
UdpSrv->Input = NULL;
}
if (UdpSrv->Output != NULL && ControllerHandle == UdpSrv->Output->UdpHandle) {
UdpIoFreeIo (UdpSrv->Output);
UdpSrv->Output = NULL;
}
if (UdpSrv->Input == NULL && UdpSrv->Output == NULL) {
RemoveEntryList (&UdpSrv->List);
FreePool (UdpSrv);
ASSERT (Private->Udp6Num > 0);
Private->Udp6Num--;
}
}
}
return EFI_SUCCESS;
}
/**
Test to see if this driver supports ControllerHandle.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of device to test.
@param[in] RemainingDevicePath Optional parameter used to pick a specific child
device to start.
@retval EFI_SUCCES This driver supports this device.
@retval EFI_ALREADY_STARTED This driver is already running on this device.
@retval other This driver does not support this device.
**/
EFI_STATUS
EFIAPI
IpSec4DriverBindingSupported (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
)
{
return IpSecSupported (
This,
ControllerHandle,
RemainingDevicePath,
IP_VERSION_4
);
}
/**
Start this driver on ControllerHandle.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of device to bind driver to.
@param[in] RemainingDevicePath Optional parameter used to pick a specific child
device to start.
@retval EFI_SUCCES This driver is added to ControllerHandle
@retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
@retval EFI_DEVICE_ERROR The device could not be started due to a device error.
Currently not implemented.
@retval other This driver does not support this device
**/
EFI_STATUS
EFIAPI
IpSec4DriverBindingStart (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
)
{
return IpSecStart (
This,
ControllerHandle,
RemainingDevicePath,
IP_VERSION_4
);
}
/**
Stop this driver on ControllerHandle.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of a device to stop the driver on.
@param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of
children is zero, stop the entire bus driver.
@param[in] ChildHandleBuffer List of Child Handles to Stop.
@retval EFI_SUCCES This driver removed ControllerHandle.
@retval other This driver was not removed from this device.
**/
EFI_STATUS
EFIAPI
IpSec4DriverBindingStop (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN UINTN NumberOfChildren,
IN EFI_HANDLE *ChildHandleBuffer
)
{
return IpSecStop (
This,
ControllerHandle,
NumberOfChildren,
ChildHandleBuffer,
IP_VERSION_4
);
}
/**
Test to see if this driver supports ControllerHandle.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of device to test.
@param[in] RemainingDevicePath Optional parameter used to pick a specific child
device to start.
@retval EFI_SUCCES This driver supports this device.
@retval EFI_ALREADY_STARTED This driver is already running on this device.
@retval other This driver does not support this device.
**/
EFI_STATUS
EFIAPI
IpSec6DriverBindingSupported (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
)
{
return IpSecSupported (
This,
ControllerHandle,
RemainingDevicePath,
IP_VERSION_6
);
}
/**
Start this driver on ControllerHandle.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of device to bind driver to.
@param[in] RemainingDevicePath Optional parameter used to pick a specific child
device to start.
@retval EFI_SUCCES This driver is added to ControllerHandle
@retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
@retval EFI_DEVICE_ERROR The device could not be started due to a device error.
Currently not implemented.
@retval other This driver does not support this device
**/
EFI_STATUS
EFIAPI
IpSec6DriverBindingStart (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
)
{
return IpSecStart (
This,
ControllerHandle,
RemainingDevicePath,
IP_VERSION_6
);
}
/**
Stop this driver on ControllerHandle.
@param[in] This Protocol instance pointer.
@param[in] ControllerHandle Handle of a device to stop the driver on.
@param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of
children is zero, stop the entire bus driver.
@param[in] ChildHandleBuffer List of Child Handles to Stop.
@retval EFI_SUCCES This driver removed ControllerHandle.
@retval other This driver was not removed from this device.
**/
EFI_STATUS
EFIAPI
IpSec6DriverBindingStop (
IN EFI_DRIVER_BINDING_PROTOCOL *This,
IN EFI_HANDLE ControllerHandle,
IN UINTN NumberOfChildren,
IN EFI_HANDLE *ChildHandleBuffer
)
{
return IpSecStop (
This,
ControllerHandle,
NumberOfChildren,
ChildHandleBuffer,
IP_VERSION_6
);
}
EFI_DRIVER_BINDING_PROTOCOL gIpSec4DriverBinding = {
IpSec4DriverBindingSupported,
IpSec4DriverBindingStart,
IpSec4DriverBindingStop,
0xa,
NULL,
NULL
};
EFI_DRIVER_BINDING_PROTOCOL gIpSec6DriverBinding = {
IpSec6DriverBindingSupported,
IpSec6DriverBindingStart,
IpSec6DriverBindingStop,
0xa,
NULL,
NULL
};
/**
This is a callback function when the mIpSecInstance.DisabledEvent is signaled.
@param[in] Event Event whose notification function is being invoked.
@param[in] Context Pointer to the notification function's context.
**/
VOID
EFIAPI
IpSecCleanupAllSa (
IN EFI_EVENT Event,
IN VOID *Context
)
{
IPSEC_PRIVATE_DATA *Private;
Private = (IPSEC_PRIVATE_DATA *) Context;
Private->IsIPsecDisabling = TRUE;
IkeDeleteAllSas (Private, TRUE);
}
/**
This is the declaration of an EFI image entry point. This entry point is
the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including
both device drivers and bus drivers.
The entry point for IPsec driver which installs the driver binding,
component name protocol, IPsec Config protcolon, and IPsec protocol in
its ImageHandle.
@param[in] ImageHandle The firmware allocated handle for the UEFI image.
@param[in] SystemTable A pointer to the EFI System Table.
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_ALREADY_STARTED The IPsec driver has been already loaded.
@retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources.
@retval Others The operation is failed.
**/
EFI_STATUS
EFIAPI
IpSecDriverEntryPoint (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
EFI_STATUS Status;
IPSEC_PRIVATE_DATA *Private;
EFI_IPSEC2_PROTOCOL *IpSec;
//
// Check whether ipsec protocol has already been installed.
//
Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);
if (!EFI_ERROR (Status)) {
DEBUG ((DEBUG_WARN, "_ModuleEntryPoint: IpSec has been already loaded\n"));
Status = EFI_ALREADY_STARTED;
goto ON_EXIT;
}
Status = gBS->LocateProtocol (&gEfiDpcProtocolGuid, NULL, (VOID **) &mDpc);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to locate EfiDpcProtocol\n"));
goto ON_EXIT;
}
Private = AllocateZeroPool (sizeof (IPSEC_PRIVATE_DATA));
if (Private == NULL) {
DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to allocate private data\n"));
Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT;
}
//
// Create disable event to cleanup all SA when ipsec disabled by user.
//
Status = gBS->CreateEvent (
EVT_NOTIFY_SIGNAL,
TPL_CALLBACK,
IpSecCleanupAllSa,
Private,
&mIpSecInstance.DisabledEvent
);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to create disable event\n"));
goto ON_FREE_PRIVATE;
}
Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;
Private->ImageHandle = ImageHandle;
CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));
//
// Initilize Private's members. Thess members is used for IKE.
//
InitializeListHead (&Private->Udp4List);
InitializeListHead (&Private->Udp6List);
InitializeListHead (&Private->Ikev1SessionList);
InitializeListHead (&Private->Ikev1EstablishedList);
InitializeListHead (&Private->Ikev2SessionList);
InitializeListHead (&Private->Ikev2EstablishedList);
RandomSeed (NULL, 0);
//
// Initialize the ipsec config data and restore it from variable.
//
Status = IpSecConfigInitialize (Private);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to initialize IpSecConfig\n"));
goto ON_CLOSE_EVENT;
}
//
// Install ipsec protocol which is used by ip driver to process ipsec header.
//
Status = gBS->InstallMultipleProtocolInterfaces (
&Private->Handle,
&gEfiIpSec2ProtocolGuid,
&Private->IpSec,
NULL
);
if (EFI_ERROR (Status)) {
goto ON_UNINSTALL_CONFIG;
}
Status = EfiLibInstallDriverBindingComponentName2 (
ImageHandle,
SystemTable,
&gIpSec4DriverBinding,
ImageHandle,
&gIpSecComponentName,
&gIpSecComponentName2
);
if (EFI_ERROR (Status)) {
goto ON_UNINSTALL_IPSEC;
}
Status = EfiLibInstallDriverBindingComponentName2 (
ImageHandle,
SystemTable,
&gIpSec6DriverBinding,
NULL,
&gIpSecComponentName,
&gIpSecComponentName2
);
if (EFI_ERROR (Status)) {
goto ON_UNINSTALL_IPSEC4_DB;
}
return Status;
ON_UNINSTALL_IPSEC4_DB:
EfiLibUninstallDriverBindingComponentName2 (
&gIpSec4DriverBinding,
&gIpSecComponentName,
&gIpSecComponentName2
);
ON_UNINSTALL_IPSEC:
gBS->UninstallProtocolInterface (
Private->Handle,
&gEfiIpSec2ProtocolGuid,
&Private->IpSec
);
ON_UNINSTALL_CONFIG:
gBS->UninstallProtocolInterface (
Private->Handle,
&gEfiIpSecConfigProtocolGuid,
&Private->IpSecConfig
);
ON_CLOSE_EVENT:
gBS->CloseEvent (mIpSecInstance.DisabledEvent);
mIpSecInstance.DisabledEvent = NULL;
ON_FREE_PRIVATE:
FreePool (Private);
ON_EXIT:
return Status;
}


@ -1,104 +0,0 @@
## @file
# Packet-level security for IP datagram.
#
# This driver provides EFI IPsec2 Protocol which is used to abstract the ability
# to deal with the individual packets sent and received by the host and provide
# packet-level security for IP datagram. It provides the IP packet protection via
# ESP and it supports IKEv2 for key negotiation.
#
# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = IpSecDxe
FILE_GUID = EE8367C0-A1D6-4565-8F89-EF628547B722
MODULE_TYPE = UEFI_DRIVER
VERSION_STRING = 1.0
ENTRY_POINT = IpSecDriverEntryPoint
MODULE_UNI_FILE = IpSecDxe.uni
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 EBC
#
[Sources]
IpSecConfigImpl.c
IpSecConfigImpl.h
IpSecCryptIo.h
IpSecCryptIo.c
IpSecDebug.h
ComponentName.c
IkeCommon.h
IpSecImpl.c
IkeService.c
Ike.h
IkePacket.h
IkePacket.c
IpSecDebug.c
IpSecMain.c
IpSecDriver.c
IkeCommon.c
IetfConstants.c
IpSecImpl.h
IkeService.h
Ikev2/Ikev2.h
Ikev2/Payload.h
Ikev2/Utility.h
Ikev2/Utility.c
Ikev2/Sa.c
Ikev2/ChildSa.c
Ikev2/Info.c
Ikev2/Payload.c
Ikev2/Exchange.c
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
CryptoPkg/CryptoPkg.dec
NetworkPkg/NetworkPkg.dec
[LibraryClasses]
MemoryAllocationLib
BaseLib
UefiLib
UefiBootServicesTableLib
UefiRuntimeServicesTableLib
UefiDriverEntryPoint
BaseMemoryLib
DebugLib
PrintLib
BaseCryptLib
DpcLib
UdpIoLib
NetLib
PcdLib
[Protocols]
gEfiIp4Config2ProtocolGuid ## SOMETIMES_CONSUMES
gEfiUdp4ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES
gEfiUdp4ProtocolGuid ## SOMETIMES_CONSUMES
gEfiUdp6ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES
gEfiUdp6ProtocolGuid ## SOMETIMES_CONSUMES
gEfiIpSecConfigProtocolGuid ## PRODUCES
gEfiIpSec2ProtocolGuid ## PRODUCES
[Pcd]
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecCertificateEnabled ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFile ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFileSize ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificate ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateSize ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKey ## SOMETIMES_CONSUMES
gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize ## SOMETIMES_CONSUMES
[UserExtensions.TianoCore."ExtraFiles"]
IpSecDxeExtra.uni


@ -1,19 +0,0 @@
// /** @file
// Packet-level security for IP datagram.
//
// This driver provides EFI IPsec2 Protocol which is used to abstract the ability
// to deal with the individual packets sent and received by the host and provide
// packet-level security for IP datagram. It provides the IP packet protection via
// ESP and it supports IKEv2 for key negotiation.
//
// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
// **/
#string STR_MODULE_ABSTRACT #language en-US "Packet-level security for IP datagram"
#string STR_MODULE_DESCRIPTION #language en-US "This driver provides EFI IPsec2 Protocol which is used to abstract the ability to deal with the individual packets sent and received by the host and provide packet-level security for IP datagram. It provides the IP packet protection via ESP and it supports IKEv2 for key negotiation."


@ -1,14 +0,0 @@
// /** @file
// IpSecDxe Localized Strings and Content
//
// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
// **/
#string STR_PROPERTIES_MODULE_NAME
#language en-US
"IpSec DXE"



@ -1,384 +0,0 @@
/** @file
The definitions related to IPsec protocol implementation.
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _IP_SEC_IMPL_H_
#define _IP_SEC_IMPL_H_
#include <Uefi.h>
#include <Library/UefiLib.h>
#include <Library/NetLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Protocol/IpSec.h>
#include <Protocol/IpSecConfig.h>
#include <Protocol/Dpc.h>
#include <Protocol/ComponentName.h>
#include <Protocol/ComponentName2.h>
typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;
typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;
typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;
typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;
#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')
#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)
#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)
#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)
#define IPSEC_STATUS_DISABLED 0
#define IPSEC_STATUS_ENABLED 1
#define IPSEC_ESP_PROTOCOL 50
#define IPSEC_AH_PROTOCOL 51
#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100
//
// Internal Structure Definition
//
#pragma pack(1)
typedef struct _EFI_AH_HEADER {
UINT8 NextHeader;
UINT8 PayloadLen;
UINT16 Reserved;
UINT32 Spi;
UINT32 SequenceNumber;
} EFI_AH_HEADER;
typedef struct _EFI_ESP_HEADER {
UINT32 Spi;
UINT32 SequenceNumber;
} EFI_ESP_HEADER;
typedef struct _EFI_ESP_TAIL {
UINT8 PaddingLength;
UINT8 NextHeader;
} EFI_ESP_TAIL;
#pragma pack()
struct _IPSEC_SPD_DATA {
CHAR16 Name[100];
UINT32 PackageFlag;
EFI_IPSEC_TRAFFIC_DIR TrafficDirection;
EFI_IPSEC_ACTION Action;
EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;
LIST_ENTRY Sas;
};
struct _IPSEC_SPD_ENTRY {
EFI_IPSEC_SPD_SELECTOR *Selector;
IPSEC_SPD_DATA *Data;
LIST_ENTRY List;
};
typedef struct _IPSEC_SAD_DATA {
EFI_IPSEC_MODE Mode;
UINT64 SequenceNumber;
UINT8 AntiReplayWindowSize;
UINT64 AntiReplayBitmap[4]; // bitmap for received packet
EFI_IPSEC_ALGO_INFO AlgoInfo;
EFI_IPSEC_SA_LIFETIME SaLifetime;
UINT32 PathMTU;
IPSEC_SPD_ENTRY *SpdEntry;
EFI_IPSEC_SPD_SELECTOR *SpdSelector;
BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled
BOOLEAN ManualSet;
EFI_IP_ADDRESS TunnelDestAddress;
EFI_IP_ADDRESS TunnelSourceAddress;
} IPSEC_SAD_DATA;
typedef struct _IPSEC_SAD_ENTRY {
EFI_IPSEC_SA_ID *Id;
IPSEC_SAD_DATA *Data;
LIST_ENTRY List;
LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas
} IPSEC_SAD_ENTRY;
struct _IPSEC_PAD_ENTRY {
EFI_IPSEC_PAD_ID *Id;
EFI_IPSEC_PAD_DATA *Data;
LIST_ENTRY List;
};
typedef struct _IPSEC_RECYCLE_CONTEXT {
EFI_IPSEC_FRAGMENT_DATA *FragmentTable;
UINT8 *PayloadBuffer;
} IPSEC_RECYCLE_CONTEXT;
//
// Struct used to store the Hash and its data.
//
typedef struct {
UINTN DataSize;
UINT8 *Data;
} HASH_DATA_FRAGMENT;
struct _IPSEC_PRIVATE_DATA {
UINT32 Signature;
EFI_HANDLE Handle; // Virtual handle to install private prtocol
EFI_HANDLE ImageHandle;
EFI_IPSEC2_PROTOCOL IpSec;
EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;
BOOLEAN SetBySelf;
LIST_ENTRY Udp4List;
UINTN Udp4Num;
LIST_ENTRY Udp6List;
UINTN Udp6Num;
LIST_ENTRY Ikev1SessionList;
LIST_ENTRY Ikev1EstablishedList;
LIST_ENTRY Ikev2SessionList;
LIST_ENTRY Ikev2EstablishedList;
BOOLEAN IsIPsecDisabling;
};
/**
This function processes the inbound traffic with IPsec.
It checks the received packet security property, trims the ESP/AH header, and then
returns without an IPsec protected IP Header and FragmentTable.
@param[in] IpVersion The version of IP.
@param[in, out] IpHead Points to IP header containing the ESP/AH header
to be trimed on input, and without ESP/AH header
on return.
@param[in, out] LastHead The Last Header in IP header on return.
@param[in, out] OptionsBuffer Pointer to the options buffer.
@param[in, out] OptionsLength Length of the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec
protected on input, and without IPsec protected
on return.
@param[in, out] FragmentCount The number of fragments.
@param[out] SpdEntry Pointer to contain the address of SPD entry on return.
@param[out] RecycleEvent The event for recycling of resources.
@retval EFI_SUCCESS The operation was successful.
@retval EFI_UNSUPPORTED The IPSEC protocol is not supported.
**/
EFI_STATUS
IpSecProtectInboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
IN OUT UINT8 *LastHead,
IN OUT VOID **OptionsBuffer,
IN OUT UINT32 *OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
IN OUT UINT32 *FragmentCount,
OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,
OUT EFI_EVENT *RecycleEvent
);
/**
This fucntion processes the output traffic with IPsec.
It protected the sending packet by encrypting it payload and inserting ESP/AH header
in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.
@param[in] IpVersion The version of IP.
@param[in, out] IpHead Point to IP header containing the orginal IP header
to be processed on input, and inserted ESP/AH header
on return.
@param[in, out] LastHead The Last Header in IP header.
@param[in, out] OptionsBuffer Pointer to the options buffer.
@param[in, out] OptionsLength Length of the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by
IPsec on input, and with IPsec protected
on return.
@param[in, out] FragmentCount Number of fragments.
@param[in] SadEntry Related SAD entry.
@param[out] RecycleEvent Event for recycling of resources.
@retval EFI_SUCCESS The operation is successful.
@retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
**/
EFI_STATUS
IpSecProtectOutboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
IN OUT UINT8 *LastHead,
IN OUT VOID **OptionsBuffer,
IN OUT UINT32 *OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
IN OUT UINT32 *FragmentCount,
IN IPSEC_SAD_ENTRY *SadEntry,
OUT EFI_EVENT *RecycleEvent
);
/**
Check if the IP Address in the address range of AddressInfos specified.
@param[in] IpVersion The IP version.
@param[in] IpAddr Points to EFI_IP_ADDRESS to be check.
@param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check
the IP Address is matched.
@param[in] AddressCount The total numbers of the AddressInfo.
@retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.
@retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.
**/
BOOLEAN
IpSecMatchIpAddress (
IN UINT8 IpVersion,
IN EFI_IP_ADDRESS *IpAddr,
IN EFI_IP_ADDRESS_INFO *AddressInfo,
IN UINT32 AddressCount
);
/**
Find a PAD entry according to remote IP address.
@param[in] IpVersion The version of IP.
@param[in] IpAddr Point to remote IP address.
@return The pointer of related PAD entry.
**/
IPSEC_PAD_ENTRY *
IpSecLookupPadEntry (
IN UINT8 IpVersion,
IN EFI_IP_ADDRESS *IpAddr
);
/**
Check if the specified IP packet can be serviced by this SPD entry.
@param[in] SpdEntry Point to SPD entry.
@param[in] IpVersion Version of IP.
@param[in] IpHead Point to IP header.
@param[in] IpPayload Point to IP payload.
@param[in] Protocol The Last protocol of IP packet.
@param[in] IsOutbound Traffic direction.
@param[out] Action The support action of SPD entry.
@retval EFI_SUCCESS Find the related SPD.
@retval EFI_NOT_FOUND Not find the related SPD entry;
**/
EFI_STATUS
IpSecLookupSpdEntry (
IN IPSEC_SPD_ENTRY *SpdEntry,
IN UINT8 IpVersion,
IN VOID *IpHead,
IN UINT8 *IpPayload,
IN UINT8 Protocol,
IN BOOLEAN IsOutbound,
OUT EFI_IPSEC_ACTION *Action
);
/**
Look up if there is existing SAD entry for specified IP packet sending.
This function is called by the IPsecProcess when there is some IP packet needed to
send out. This function checks if there is an existing SAD entry that can be serviced
to this IP packet sending. If no existing SAD entry could be used, this
function will invoke an IPsec Key Exchange Negotiation.
@param[in] Private Points to private data.
@param[in] NicHandle Points to a NIC handle.
@param[in] IpVersion The version of IP.
@param[in] IpHead The IP Header of packet to be sent out.
@param[in] IpPayload The IP Payload to be sent out.
@param[in] OldLastHead The Last protocol of the IP packet.
@param[in] SpdEntry Points to a related SPD entry.
@param[out] SadEntry Contains the Point of a related SAD entry.
@retval EFI_DEVICE_ERROR One of following conditions is TRUE:
- If don't find related UDP service.
- Sequence Number is used up.
- Extension Sequence Number is used up.
@retval EFI_NOT_READY No existing SAD entry could be used.
@retval EFI_SUCCESS Find the related SAD entry.
**/
EFI_STATUS
IpSecLookupSadEntry (
IN IPSEC_PRIVATE_DATA *Private,
IN EFI_HANDLE NicHandle,
IN UINT8 IpVersion,
IN VOID *IpHead,
IN UINT8 *IpPayload,
IN UINT8 OldLastHead,
IN IPSEC_SPD_ENTRY *SpdEntry,
OUT IPSEC_SAD_ENTRY **SadEntry
);
/**
Find the SAD through whole SAD list.
@param[in] Spi The SPI used to search the SAD entry.
@param[in] DestAddress The destination used to search the SAD entry.
@param[in] IpVersion The IP version. Ip4 or Ip6.
@return The pointer to a certain SAD entry.
**/
IPSEC_SAD_ENTRY *
IpSecLookupSadBySpi (
IN UINT32 Spi,
IN EFI_IP_ADDRESS *DestAddress,
IN UINT8 IpVersion
)
;
/**
Handles IPsec packet processing for inbound and outbound IP packets.
The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
The behavior is that it can perform one of the following actions:
bypass the packet, discard the packet, or protect the packet.
@param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
@param[in] NicHandle Instance of the network interface.
@param[in] IpVersion IPV4 or IPV6.
@param[in, out] IpHead Pointer to the IP Header.
@param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
@param[in, out] OptionsBuffer Pointer to the options buffer.
@param[in, out] OptionsLength Length of the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments.
@param[in, out] FragmentCount Number of fragments.
@param[in] TrafficDirection Traffic direction.
@param[out] RecycleSignal Event for recycling of resources.
@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
@retval EFI_SUCCESS The packet was protected.
@retval EFI_ACCESS_DENIED The packet was discarded.
**/
EFI_STATUS
EFIAPI
IpSecProcess (
IN EFI_IPSEC2_PROTOCOL *This,
IN EFI_HANDLE NicHandle,
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
IN OUT UINT8 *LastHead,
IN OUT VOID **OptionsBuffer,
IN OUT UINT32 *OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
IN OUT UINT32 *FragmentCount,
IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
OUT EFI_EVENT *RecycleSignal
);
extern EFI_DPC_PROTOCOL *mDpc;
extern EFI_IPSEC2_PROTOCOL mIpSecInstance;
extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;
extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;
#endif

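--- a/NetworkPkg/IpSecDxe/<filename-not-shown>.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/** @file
-The mian interface of IPsec Protocol.
-Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-**/
-#include "IpSecConfigImpl.h"
-#include "IpSecImpl.h"
-EFI_IPSEC2_PROTOCOL mIpSecInstance = { IpSecProcess, NULL, TRUE };
-/**
-Handles IPsec packet processing for inbound and outbound IP packets.
-The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
-The behavior is that it can perform one of the following actions:
-bypass the packet, discard the packet, or protect the packet.
-@param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
-@param[in] NicHandle Instance of the network interface.
-@param[in] IpVersion IPV4 or IPV6.
-@param[in, out] IpHead Pointer to the IP Header.
-@param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
-@param[in, out] OptionsBuffer Pointer to the options buffer.
-@param[in, out] OptionsLength Length of the options buffer.
-@param[in, out] FragmentTable Pointer to a list of fragments.
-@param[in, out] FragmentCount Number of fragments.
-@param[in] TrafficDirection Traffic direction.
-@param[out] RecycleSignal Event for recycling of resources.
-@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
-@retval EFI_SUCCESS The packet was protected.
-@retval EFI_ACCESS_DENIED The packet was discarded.
-**/
-EFI_STATUS
-EFIAPI
-IpSecProcess (
-IN EFI_IPSEC2_PROTOCOL *This,
-IN EFI_HANDLE NicHandle,
-IN UINT8 IpVersion,
-IN OUT VOID *IpHead,
-IN OUT UINT8 *LastHead,
-IN OUT VOID **OptionsBuffer,
-IN OUT UINT32 *OptionsLength,
-IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
-IN OUT UINT32 *FragmentCount,
-IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
-OUT EFI_EVENT *RecycleSignal
-)
-{
-IPSEC_PRIVATE_DATA *Private;
-IPSEC_SPD_ENTRY *SpdEntry;
-EFI_IPSEC_SPD_SELECTOR *SpdSelector;
-IPSEC_SAD_ENTRY *SadEntry;
-LIST_ENTRY *SpdList;
-LIST_ENTRY *Entry;
-EFI_IPSEC_ACTION Action;
-EFI_STATUS Status;
-UINT8 *IpPayload;
-UINT8 OldLastHead;
-BOOLEAN IsOutbound;
-if (OptionsBuffer == NULL ||
-OptionsLength == NULL ||
-FragmentTable == NULL ||
-FragmentCount == NULL
-) {
-return EFI_INVALID_PARAMETER;
-}
-Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (This);
-IpPayload = (*FragmentTable)[0].FragmentBuffer;
-IsOutbound = (BOOLEAN) ((TrafficDirection == EfiIPsecOutBound) ? TRUE : FALSE);
-OldLastHead = *LastHead;
-*RecycleSignal = NULL;
-SpdList = &mConfigData[IPsecConfigDataTypeSpd];
-if (!IsOutbound) {
-//
-// For inbound traffic, process the ipsec header of the packet.
-//
-Status = IpSecProtectInboundPacket (
-IpVersion,
-IpHead,
-LastHead,
-OptionsBuffer,
-OptionsLength,
-FragmentTable,
-FragmentCount,
-&SpdSelector,
-RecycleSignal
-);
-if (Status == EFI_ACCESS_DENIED || Status == EFI_OUT_OF_RESOURCES) {
-//
-// The packet is denied to access.
-//
-goto ON_EXIT;
-}
-if (Status == EFI_SUCCESS) {
-//
-// Check the spd entry if the packet is accessible.
-//
-if (SpdSelector == NULL) {
-Status = EFI_ACCESS_DENIED;
-goto ON_EXIT;
-}
-Status = EFI_ACCESS_DENIED;
-NET_LIST_FOR_EACH (Entry, SpdList) {
-SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
-if (IsSubSpdSelector (
-(EFI_IPSEC_CONFIG_SELECTOR *) SpdSelector,
-(EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector
-)) {
-Status = EFI_SUCCESS;
-}
-}
-goto ON_EXIT;
-}
-}
-Status = EFI_ACCESS_DENIED;
-NET_LIST_FOR_EACH (Entry, SpdList) {
-//
-// For outbound and non-ipsec Inbound traffic: check the spd entry.
-//
-SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
-if (EFI_ERROR (IpSecLookupSpdEntry (
-SpdEntry,
-IpVersion,
-IpHead,
-IpPayload,
-OldLastHead,
-IsOutbound,
-&Action
-))) {
-//
-// If the related SPD not find
-//
-continue;
-}
-switch (Action) {
-case EfiIPsecActionProtect:
-if (IsOutbound) {
-//
-// For outbound traffic, lookup the sad entry.
-//
-Status = IpSecLookupSadEntry (
-Private,
-NicHandle,
-IpVersion,
-IpHead,
-IpPayload,
-OldLastHead,
-SpdEntry,
-&SadEntry
-);
-if (SadEntry != NULL) {
-//
-// Process the packet by the found sad entry.
-//
-Status = IpSecProtectOutboundPacket (
-IpVersion,
-IpHead,
-LastHead,
-OptionsBuffer,
-OptionsLength,
-FragmentTable,
-FragmentCount,
-SadEntry,
-RecycleSignal
-);
-} else if (OldLastHead == IP6_ICMP && *IpPayload != ICMP_V6_ECHO_REQUEST) {
-//
-// TODO: if no need return not ready to upper layer, change here.
-//
-Status = EFI_SUCCESS;
-}
-} else if (OldLastHead == IP6_ICMP && *IpPayload != ICMP_V6_ECHO_REQUEST) {
-//
-// For inbound icmpv6 traffic except ping request, accept the packet
-// although no sad entry associated with protect spd entry.
-//
-Status = IpSecLookupSadEntry (
-Private,
-NicHandle,
-IpVersion,
-IpHead,
-IpPayload,
-OldLastHead,
-SpdEntry,
-&SadEntry
-);
-if (SadEntry == NULL) {
-Status = EFI_SUCCESS;
-}
-}
-goto ON_EXIT;
-case EfiIPsecActionBypass:
-Status = EFI_SUCCESS;
-goto ON_EXIT;
-case EfiIPsecActionDiscard:
-goto ON_EXIT;
-}
-}
-//
-// If don't find the related SPD entry, return the EFI_ACCESS_DENIED and discard it.
-// But it the packet is NS/NA, it should be by passed even not find the related SPD entry.
-//
-if (OldLastHead == IP6_ICMP &&
-(*IpPayload == ICMP_V6_NEIGHBOR_SOLICIT || *IpPayload == ICMP_V6_NEIGHBOR_ADVERTISE)
-){
-Status = EFI_SUCCESS;
-}
-ON_EXIT:
-return Status;
-}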



@ -112,11 +112,9 @@
NetworkPkg/HttpBootDxe/HttpBootDxe.inf
NetworkPkg/WifiConnectionManagerDxe/WifiConnectionManagerDxe.inf
NetworkPkg/Application/IpsecConfig/IpSecConfig.inf
NetworkPkg/Application/VConfig/VConfig.inf
[Components.IA32, Components.X64]
NetworkPkg/IpSecDxe/IpSecDxe.inf
NetworkPkg/IScsiDxe/IScsiDxe.inf
NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
NetworkPkg/TlsDxe/TlsDxe.inf