/** @file The implementation of policy entry operation function in IpSecConfig application. Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "IpSecConfig.h" #include "Indexer.h" #include "Match.h" #include "Helper.h" #include "ForEach.h" #include "PolicyEntryOperation.h" /** Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list. @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure. @param[in] ParamPackage The pointer to the ParamPackage list. @param[in, out] Mask The pointer to the Mask. @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully. @retval EFI_INVALID_PARAMETER Invalid user input parameter. **/ EFI_STATUS CreateSpdSelector ( OUT EFI_IPSEC_SPD_SELECTOR *Selector, IN LIST_ENTRY *ParamPackage, IN OUT UINT32 *Mask ) { EFI_STATUS Status; EFI_STATUS ReturnStatus; CONST CHAR16 *ValueStr; Status = EFI_SUCCESS; ReturnStatus = EFI_SUCCESS; // // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local"); if (ValueStr != NULL) { Selector->LocalAddressCount = 1; Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->LocalAddress); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--local", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= LOCAL; } } // // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote"); if (ValueStr != NULL) { Selector->RemoteAddressCount = 1; Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->RemoteAddress); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--remote", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= REMOTE; } } Selector->NextLayerProtocol = EFI_IPSEC_ANY_PROTOCOL; // // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR. // Status = GetNumber ( L"--proto", (UINT16) -1, &Selector->NextLayerProtocol, sizeof (UINT16), mMapIpProtocol, ParamPackage, FORMAT_NUMBER | FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= PROTO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Selector->LocalPort = EFI_IPSEC_ANY_PORT; Selector->RemotePort = EFI_IPSEC_ANY_PORT; // // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local-port"); if (ValueStr != NULL) { Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->LocalPort, &Selector->LocalPortRange); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--local-port", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= LOCAL_PORT; } } // // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote-port"); if (ValueStr != NULL) { Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->RemotePort, &Selector->RemotePortRange); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--remote-port", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= REMOTE_PORT; } } // // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR. // Status = GetNumber ( L"--icmp-type", (UINT8) -1, &Selector->LocalPort, sizeof (UINT16), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= ICMP_TYPE; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR. // Status = GetNumber ( L"--icmp-code", (UINT8) -1, &Selector->RemotePort, sizeof (UINT16), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= ICMP_CODE; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } return ReturnStatus; } /** Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list. @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure. @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure. @param[in] ParamPackage The pointer to the ParamPackage list. @param[out] Mask The pointer to the Mask. @param[in] CreateNew The switch to create new. @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully. @retval EFI_INVALID_PARAMETER Invalid user input parameter. **/ EFI_STATUS CreateSpdEntry ( OUT EFI_IPSEC_SPD_SELECTOR **Selector, OUT EFI_IPSEC_SPD_DATA **Data, IN LIST_ENTRY *ParamPackage, OUT UINT32 *Mask, IN BOOLEAN CreateNew ) { EFI_STATUS Status; EFI_STATUS ReturnStatus; CONST CHAR16 *ValueStr; UINTN DataSize; Status = EFI_SUCCESS; *Mask = 0; *Selector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR) + 2 * sizeof (EFI_IP_ADDRESS_INFO)); ASSERT (*Selector != NULL); (*Selector)->LocalAddress = (EFI_IP_ADDRESS_INFO *) (*Selector + 1); (*Selector)->RemoteAddress = (*Selector)->LocalAddress + 1; ReturnStatus = CreateSpdSelector (*Selector, ParamPackage, Mask); // // SPD DATA // NOTE: Allocate enough memory and add padding for different arch. // DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA)); DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_PROCESS_POLICY)); DataSize += sizeof (EFI_IPSEC_TUNNEL_OPTION); *Data = AllocateZeroPool (DataSize); ASSERT (*Data != NULL); (*Data)->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ALIGN_POINTER ( (*Data + 1), sizeof (UINTN) ); (*Data)->ProcessingPolicy->TunnelOption = (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER ( ((*Data)->ProcessingPolicy + 1), sizeof (UINTN) ); // // Convert user imput from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--name"); if (ValueStr != NULL) { UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) (*Data)->Name, sizeof ((*Data)->Name)); *Mask |= NAME; } // // Convert user imput from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA. // Status = GetNumber ( L"--packet-flag", (UINT8) -1, &(*Data)->PackageFlag, sizeof (UINT32), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= PACKET_FLAG; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // Convert user imput from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA. // Status = GetNumber ( L"--action", (UINT8) -1, &(*Data)->Action, sizeof (UINT32), mMapIpSecAction, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= ACTION; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // Convert user imput from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA. // if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence")) { (*Data)->ProcessingPolicy->ExtSeqNum = TRUE; *Mask |= EXT_SEQUENCE; } else if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence-")) { (*Data)->ProcessingPolicy->ExtSeqNum = FALSE; *Mask |= EXT_SEQUENCE; } // // Convert user imput from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA. // if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow")) { (*Data)->ProcessingPolicy->SeqOverflow = TRUE; *Mask |= SEQUENCE_OVERFLOW; } else if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow-")) { (*Data)->ProcessingPolicy->SeqOverflow = FALSE; *Mask |= SEQUENCE_OVERFLOW; } // // Convert user imput from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA. // if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check")) { (*Data)->ProcessingPolicy->FragCheck = TRUE; *Mask |= FRAGMENT_CHECK; } else if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check-")) { (*Data)->ProcessingPolicy->FragCheck = FALSE; *Mask |= FRAGMENT_CHECK; } // // Convert user imput from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA. // Status = GetNumber ( L"--lifebyte", (UINT64) -1, &(*Data)->ProcessingPolicy->SaLifetime.ByteCount, sizeof (UINT64), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= LIFEBYTE; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--lifetime", (UINT64) -1, &(*Data)->ProcessingPolicy->SaLifetime.HardLifetime, sizeof (UINT64), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= LIFETIME; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--lifetime-soft", (UINT64) -1, &(*Data)->ProcessingPolicy->SaLifetime.SoftLifetime, sizeof (UINT64), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= LIFETIME_SOFT; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } (*Data)->ProcessingPolicy->Mode = EfiIPsecTransport; Status = GetNumber ( L"--mode", 0, &(*Data)->ProcessingPolicy->Mode, sizeof (UINT32), mMapIpSecMode, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= MODE; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-local"); if (ValueStr != NULL) { Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->LocalTunnelAddress); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--tunnel-local", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= TUNNEL_LOCAL; } } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-remote"); if (ValueStr != NULL) { Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->RemoteTunnelAddress); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--tunnel-remote", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= TUNNEL_REMOTE; } } (*Data)->ProcessingPolicy->TunnelOption->DF = EfiIPsecTunnelCopyDf; Status = GetNumber ( L"--dont-fragment", 0, &(*Data)->ProcessingPolicy->TunnelOption->DF, sizeof (UINT32), mMapDfOption, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= DONT_FRAGMENT; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } (*Data)->ProcessingPolicy->Proto = EfiIPsecESP; Status = GetNumber ( L"--ipsec-proto", 0, &(*Data)->ProcessingPolicy->Proto, sizeof (UINT32), mMapIpSecProtocol, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= IPSEC_PROTO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--encrypt-algo", 0, &(*Data)->ProcessingPolicy->EncAlgoId, sizeof (UINT8), mMapEncAlgo, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= ENCRYPT_ALGO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--auth-algo", 0, &(*Data)->ProcessingPolicy->AuthAlgoId, sizeof (UINT8), mMapAuthAlgo, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= AUTH_ALGO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set. // if ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE | DONT_FRAGMENT)) == 0) { (*Data)->ProcessingPolicy->TunnelOption = NULL; } if ((*Mask & (EXT_SEQUENCE | SEQUENCE_OVERFLOW | FRAGMENT_CHECK | LIFEBYTE | LIFETIME_SOFT | LIFETIME | MODE | TUNNEL_LOCAL | TUNNEL_REMOTE | DONT_FRAGMENT | IPSEC_PROTO | AUTH_ALGO | ENCRYPT_ALGO)) == 0) { if ((*Data)->Action != EfiIPsecActionProtect) { // // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL. // (*Data)->ProcessingPolicy = NULL; } } if (CreateNew) { if ((*Mask & (LOCAL | REMOTE | PROTO | ACTION)) != (LOCAL | REMOTE | PROTO | ACTION)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--local --remote --proto --action" ); ReturnStatus = EFI_INVALID_PARAMETER; } else if (((*Data)->Action == EfiIPsecActionProtect) && ((*Data)->ProcessingPolicy->Mode == EfiIPsecTunnel) && ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE))) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--tunnel-local --tunnel-remote" ); ReturnStatus = EFI_INVALID_PARAMETER; } } return ReturnStatus; } /** Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list. @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure. @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure. @param[in] ParamPackage The pointer to the ParamPackage list. @param[out] Mask The pointer to the Mask. @param[in] CreateNew The switch to create new. @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully. @retval EFI_INVALID_PARAMETER Invalid user input parameter. **/ EFI_STATUS CreateSadEntry ( OUT EFI_IPSEC_SA_ID **SaId, OUT EFI_IPSEC_SA_DATA2 **Data, IN LIST_ENTRY *ParamPackage, OUT UINT32 *Mask, IN BOOLEAN CreateNew ) { EFI_STATUS Status; EFI_STATUS ReturnStatus; UINTN AuthKeyLength; UINTN EncKeyLength; CONST CHAR16 *ValueStr; CHAR8 *AsciiStr; UINTN DataSize; Status = EFI_SUCCESS; ReturnStatus = EFI_SUCCESS; *Mask = 0; AuthKeyLength = 0; EncKeyLength = 0; *SaId = AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID)); ASSERT (*SaId != NULL); // // Convert user imput from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID. // Status = GetNumber (L"--spi", (UINT32) -1, &(*SaId)->Spi, sizeof (UINT32), NULL, ParamPackage, FORMAT_NUMBER); if (!EFI_ERROR (Status)) { *Mask |= SPI; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // Convert user imput from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID. // Status = GetNumber ( L"--ipsec-proto", 0, &(*SaId)->Proto, sizeof (EFI_IPSEC_PROTOCOL_TYPE), mMapIpSecProtocol, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= IPSEC_PROTO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // Convert user imput from string to integer, and fill in EFI_IPSEC_SA_DATA2. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key"); if (ValueStr != NULL) { AuthKeyLength = StrLen (ValueStr); } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key"); if (ValueStr != NULL) { EncKeyLength = StrLen (ValueStr); } // // EFI_IPSEC_SA_DATA2: // +------------ // | EFI_IPSEC_SA_DATA2 // +----------------------- // | AuthKey // +------------------------- // | EncKey // +------------------------- // | SpdSelector // // Notes: To make sure the address alignment add padding after each data if needed. // DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2)); DataSize = ALIGN_VARIABLE (DataSize + AuthKeyLength); DataSize = ALIGN_VARIABLE (DataSize + EncKeyLength); DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_SPD_SELECTOR)); DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IP_ADDRESS_INFO)); DataSize += sizeof (EFI_IP_ADDRESS_INFO); *Data = AllocateZeroPool (DataSize); ASSERT (*Data != NULL); (*Data)->ManualSet = TRUE; (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER (((*Data) + 1), sizeof (UINTN)); (*Data)->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER ( ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.AuthKey + AuthKeyLength), sizeof (UINTN) ); (*Data)->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER ( ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.EncKey + EncKeyLength), sizeof (UINTN) ); (*Data)->SpdSelector->LocalAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER ( ((UINT8 *) (*Data)->SpdSelector + sizeof (EFI_IPSEC_SPD_SELECTOR)), sizeof (UINTN)); (*Data)->SpdSelector->RemoteAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER ( (*Data)->SpdSelector->LocalAddress + 1, sizeof (UINTN) ); (*Data)->Mode = EfiIPsecTransport; Status = GetNumber ( L"--mode", 0, &(*Data)->Mode, sizeof (EFI_IPSEC_MODE), mMapIpSecMode, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= MODE; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // According to RFC 4303-3.3.3. The first packet sent using a given SA // will contain a sequence number of 1. // (*Data)->SNCount = 1; Status = GetNumber ( L"--sequence-number", (UINT64) -1, &(*Data)->SNCount, sizeof (UINT64), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= SEQUENCE_NUMBER; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } (*Data)->AntiReplayWindows = 0; Status = GetNumber ( L"--antireplay-window", (UINT8) -1, &(*Data)->AntiReplayWindows, sizeof (UINT8), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= SEQUENCE_NUMBER; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--encrypt-algo", 0, &(*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId, sizeof (UINT8), mMapEncAlgo, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= ENCRYPT_ALGO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key"); if (ValueStr != NULL ) { (*Data)->AlgoInfo.EspAlgoInfo.EncKeyLength = EncKeyLength; AsciiStr = AllocateZeroPool (EncKeyLength + 1); ASSERT (AsciiStr != NULL); UnicodeStrToAsciiStrS (ValueStr, AsciiStr, EncKeyLength + 1); CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.EncKey, AsciiStr, EncKeyLength); FreePool (AsciiStr); *Mask |= ENCRYPT_KEY; } else { (*Data)->AlgoInfo.EspAlgoInfo.EncKey = NULL; } Status = GetNumber ( L"--auth-algo", 0, &(*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId, sizeof (UINT8), mMapAuthAlgo, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= AUTH_ALGO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key"); if (ValueStr != NULL) { (*Data)->AlgoInfo.EspAlgoInfo.AuthKeyLength = AuthKeyLength; AsciiStr = AllocateZeroPool (AuthKeyLength + 1); ASSERT (AsciiStr != NULL); UnicodeStrToAsciiStrS (ValueStr, AsciiStr, AuthKeyLength + 1); CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.AuthKey, AsciiStr, AuthKeyLength); FreePool (AsciiStr); *Mask |= AUTH_KEY; } else { (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = NULL; } Status = GetNumber ( L"--lifebyte", (UINT64) -1, &(*Data)->SaLifetime.ByteCount, sizeof (UINT64), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= LIFEBYTE; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--lifetime", (UINT64) -1, &(*Data)->SaLifetime.HardLifetime, sizeof (UINT64), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= LIFETIME; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--lifetime-soft", (UINT64) -1, &(*Data)->SaLifetime.SoftLifetime, sizeof (UINT64), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= LIFETIME_SOFT; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--path-mtu", (UINT32) -1, &(*Data)->PathMTU, sizeof (UINT32), NULL, ParamPackage, FORMAT_NUMBER ); if (!EFI_ERROR (Status)) { *Mask |= PATH_MTU; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } // // Convert user imput from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-dest"); if (ValueStr != NULL) { Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelDestinationAddress); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--tunnel-dest", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= DEST; } } // // Convert user input from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-source"); if (ValueStr != NULL) { Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelSourceAddress); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--tunnel-source", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= SOURCE; } } // // If it is TunnelMode, then check if the tunnel-source and --tunnel-dest are set // if ((*Data)->Mode == EfiIPsecTunnel) { if ((*Mask & (DEST|SOURCE)) != (DEST|SOURCE)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--tunnel-source --tunnel-dest" ); ReturnStatus = EFI_INVALID_PARAMETER; } } ReturnStatus = CreateSpdSelector ((*Data)->SpdSelector, ParamPackage, Mask); if (CreateNew) { if ((*Mask & (SPI|IPSEC_PROTO|LOCAL|REMOTE)) != (SPI|IPSEC_PROTO|LOCAL|REMOTE)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--spi --ipsec-proto --local --remote" ); ReturnStatus = EFI_INVALID_PARAMETER; } else { if ((*SaId)->Proto == EfiIPsecAH) { if ((*Mask & AUTH_ALGO) == 0) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), mHiiHandle, mAppName, L"--auth-algo" ); ReturnStatus = EFI_INVALID_PARAMETER; } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), mHiiHandle, mAppName, L"--auth-key" ); ReturnStatus = EFI_INVALID_PARAMETER; } } else { if ((*Mask & (ENCRYPT_ALGO|AUTH_ALGO)) != (ENCRYPT_ALGO|AUTH_ALGO) ) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), mHiiHandle, mAppName, L"--encrypt-algo --auth-algo" ); ReturnStatus = EFI_INVALID_PARAMETER; } else if ((*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (*Mask & ENCRYPT_KEY) == 0) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), mHiiHandle, mAppName, L"--encrypt-key" ); ReturnStatus = EFI_INVALID_PARAMETER; } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), mHiiHandle, mAppName, L"--auth-key" ); ReturnStatus = EFI_INVALID_PARAMETER; } } } } return ReturnStatus; } /** Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list. @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure. @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure. @param[in] ParamPackage The pointer to the ParamPackage list. @param[out] Mask The pointer to the Mask. @param[in] CreateNew The switch to create new. @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully. @retval EFI_INVALID_PARAMETER Invalid user input parameter. **/ EFI_STATUS CreatePadEntry ( OUT EFI_IPSEC_PAD_ID **PadId, OUT EFI_IPSEC_PAD_DATA **Data, IN LIST_ENTRY *ParamPackage, OUT UINT32 *Mask, IN BOOLEAN CreateNew ) { EFI_STATUS Status; EFI_STATUS ReturnStatus; SHELL_FILE_HANDLE FileHandle; UINT64 FileSize; UINTN AuthDataLength; UINTN RevocationDataLength; UINTN DataLength; UINTN Index; CONST CHAR16 *ValueStr; UINTN DataSize; Status = EFI_SUCCESS; ReturnStatus = EFI_SUCCESS; *Mask = 0; AuthDataLength = 0; RevocationDataLength = 0; *PadId = AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID)); ASSERT (*PadId != NULL); // // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_ID. // ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-address"); if (ValueStr != NULL) { (*PadId)->PeerIdValid = FALSE; Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &(*PadId)->Id.IpAddress); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), mHiiHandle, mAppName, L"--peer-address", ValueStr ); ReturnStatus = EFI_INVALID_PARAMETER; } else { *Mask |= PEER_ADDRESS; } } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-id"); if (ValueStr != NULL) { (*PadId)->PeerIdValid = TRUE; StrnCpyS ((CHAR16 *) (*PadId)->Id.PeerId, MAX_PEERID_LEN / sizeof (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1); *Mask |= PEER_ID; } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data"); if (ValueStr != NULL) { if (ValueStr[0] == L'@') { // // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat" // Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), mHiiHandle, mAppName, &ValueStr[1] ); ReturnStatus = EFI_INVALID_PARAMETER; } else { Status = ShellGetFileSize (FileHandle, &FileSize); ShellCloseFile (&FileHandle); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), mHiiHandle, mAppName, &ValueStr[1] ); ReturnStatus = EFI_INVALID_PARAMETER; } else { AuthDataLength = (UINTN) FileSize; } } } else { AuthDataLength = StrLen (ValueStr); } } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data"); if (ValueStr != NULL) { RevocationDataLength = (StrLen (ValueStr) + 1) * sizeof (CHAR16); } // // Allocate Buffer for Data. Add padding after each struct to make sure the alignment // in different Arch. // DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA)); DataSize = ALIGN_VARIABLE (DataSize + AuthDataLength); DataSize += RevocationDataLength; *Data = AllocateZeroPool (DataSize); ASSERT (*Data != NULL); (*Data)->AuthData = (VOID *) ALIGN_POINTER ((*Data + 1), sizeof (UINTN)); (*Data)->RevocationData = (VOID *) ALIGN_POINTER (((UINT8 *) (*Data + 1) + AuthDataLength), sizeof (UINTN)); (*Data)->AuthProtocol = EfiIPsecAuthProtocolIKEv1; // // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_DATA. // Status = GetNumber ( L"--auth-proto", 0, &(*Data)->AuthProtocol, sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE), mMapAuthProto, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= AUTH_PROTO; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } Status = GetNumber ( L"--auth-method", 0, &(*Data)->AuthMethod, sizeof (EFI_IPSEC_AUTH_METHOD), mMapAuthMethod, ParamPackage, FORMAT_STRING ); if (!EFI_ERROR (Status)) { *Mask |= AUTH_METHOD; } if (Status == EFI_INVALID_PARAMETER) { ReturnStatus = EFI_INVALID_PARAMETER; } if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id")) { (*Data)->IkeIdFlag = TRUE; *Mask |= IKE_ID; } if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id-")) { (*Data)->IkeIdFlag = FALSE; *Mask |= IKE_ID; } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data"); if (ValueStr != NULL) { if (ValueStr[0] == L'@') { // // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat" // Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), mHiiHandle, mAppName, &ValueStr[1] ); ReturnStatus = EFI_INVALID_PARAMETER; (*Data)->AuthData = NULL; } else { DataLength = AuthDataLength; Status = ShellReadFile (FileHandle, &DataLength, (*Data)->AuthData); ShellCloseFile (&FileHandle); if (EFI_ERROR (Status)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), mHiiHandle, mAppName, &ValueStr[1] ); ReturnStatus = EFI_INVALID_PARAMETER; (*Data)->AuthData = NULL; } else { ASSERT (DataLength == AuthDataLength); *Mask |= AUTH_DATA; } } } else { for (Index = 0; Index < AuthDataLength; Index++) { ((CHAR8 *) (*Data)->AuthData)[Index] = (CHAR8) ValueStr[Index]; } (*Data)->AuthDataSize = AuthDataLength; *Mask |= AUTH_DATA; } } ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data"); if (ValueStr != NULL) { CopyMem ((*Data)->RevocationData, ValueStr, RevocationDataLength); (*Data)->RevocationDataSize = RevocationDataLength; *Mask |= REVOCATION_DATA; } else { (*Data)->RevocationData = NULL; } if (CreateNew) { if ((*Mask & (PEER_ID | PEER_ADDRESS)) == 0) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--peer-id --peer-address" ); ReturnStatus = EFI_INVALID_PARAMETER; } else if ((*Mask & (AUTH_METHOD | AUTH_DATA)) != (AUTH_METHOD | AUTH_DATA)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--auth-method --auth-data" ); ReturnStatus = EFI_INVALID_PARAMETER; } } return ReturnStatus; } CREATE_POLICY_ENTRY mCreatePolicyEntry[] = { (CREATE_POLICY_ENTRY) CreateSpdEntry, (CREATE_POLICY_ENTRY) CreateSadEntry, (CREATE_POLICY_ENTRY) CreatePadEntry }; /** Combine old SPD entry with new SPD entry. @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure. @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure. @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure. @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure. @param[in] Mask The pointer to the Mask. @param[out] CreateNew The switch to create new. @retval EFI_SUCCESS Combined successfully. @retval EFI_INVALID_PARAMETER Invalid user input parameter. **/ EFI_STATUS CombineSpdEntry ( IN OUT EFI_IPSEC_SPD_SELECTOR *OldSelector, IN OUT EFI_IPSEC_SPD_DATA *OldData, IN EFI_IPSEC_SPD_SELECTOR *NewSelector, IN EFI_IPSEC_SPD_DATA *NewData, IN UINT32 Mask, OUT BOOLEAN *CreateNew ) { // // Process Selector // *CreateNew = FALSE; if ((Mask & LOCAL) == 0) { NewSelector->LocalAddressCount = OldSelector->LocalAddressCount; NewSelector->LocalAddress = OldSelector->LocalAddress; } else if ((NewSelector->LocalAddressCount != OldSelector->LocalAddressCount) || (CompareMem (NewSelector->LocalAddress, OldSelector->LocalAddress, NewSelector->LocalAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) { *CreateNew = TRUE; } if ((Mask & REMOTE) == 0) { NewSelector->RemoteAddressCount = OldSelector->RemoteAddressCount; NewSelector->RemoteAddress = OldSelector->RemoteAddress; } else if ((NewSelector->RemoteAddressCount != OldSelector->RemoteAddressCount) || (CompareMem (NewSelector->RemoteAddress, OldSelector->RemoteAddress, NewSelector->RemoteAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) { *CreateNew = TRUE; } if ((Mask & PROTO) == 0) { NewSelector->NextLayerProtocol = OldSelector->NextLayerProtocol; } else if (NewSelector->NextLayerProtocol != OldSelector->NextLayerProtocol) { *CreateNew = TRUE; } switch (NewSelector->NextLayerProtocol) { case EFI_IP4_PROTO_TCP: case EFI_IP4_PROTO_UDP: if ((Mask & LOCAL_PORT) == 0) { NewSelector->LocalPort = OldSelector->LocalPort; NewSelector->LocalPortRange = OldSelector->LocalPortRange; } else if ((NewSelector->LocalPort != OldSelector->LocalPort) || (NewSelector->LocalPortRange != OldSelector->LocalPortRange)) { *CreateNew = TRUE; } if ((Mask & REMOTE_PORT) == 0) { NewSelector->RemotePort = OldSelector->RemotePort; NewSelector->RemotePortRange = OldSelector->RemotePortRange; } else if ((NewSelector->RemotePort != OldSelector->RemotePort) || (NewSelector->RemotePortRange != OldSelector->RemotePortRange)) { *CreateNew = TRUE; } break; case EFI_IP4_PROTO_ICMP: if ((Mask & ICMP_TYPE) == 0) { NewSelector->LocalPort = OldSelector->LocalPort; } else if (NewSelector->LocalPort != OldSelector->LocalPort) { *CreateNew = TRUE; } if ((Mask & ICMP_CODE) == 0) { NewSelector->RemotePort = OldSelector->RemotePort; } else if (NewSelector->RemotePort != OldSelector->RemotePort) { *CreateNew = TRUE; } break; } // // Process Data // OldData->SaIdCount = 0; if ((Mask & NAME) != 0) { AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) NewData->Name); } if ((Mask & PACKET_FLAG) != 0) { OldData->PackageFlag = NewData->PackageFlag; } if ((Mask & ACTION) != 0) { OldData->Action = NewData->Action; } if (OldData->Action != EfiIPsecActionProtect) { OldData->ProcessingPolicy = NULL; } else { // // Protect // if (OldData->ProcessingPolicy == NULL) { // // Just point to new data if originally NULL. // OldData->ProcessingPolicy = NewData->ProcessingPolicy; if (OldData->ProcessingPolicy->Mode == EfiIPsecTunnel && (Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE) ) { // // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address. // ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--tunnel-local --tunnel-remote" ); return EFI_INVALID_PARAMETER; } } else { // // Modify some of the data. // if ((Mask & EXT_SEQUENCE) != 0) { OldData->ProcessingPolicy->ExtSeqNum = NewData->ProcessingPolicy->ExtSeqNum; } if ((Mask & SEQUENCE_OVERFLOW) != 0) { OldData->ProcessingPolicy->SeqOverflow = NewData->ProcessingPolicy->SeqOverflow; } if ((Mask & FRAGMENT_CHECK) != 0) { OldData->ProcessingPolicy->FragCheck = NewData->ProcessingPolicy->FragCheck; } if ((Mask & LIFEBYTE) != 0) { OldData->ProcessingPolicy->SaLifetime.ByteCount = NewData->ProcessingPolicy->SaLifetime.ByteCount; } if ((Mask & LIFETIME_SOFT) != 0) { OldData->ProcessingPolicy->SaLifetime.SoftLifetime = NewData->ProcessingPolicy->SaLifetime.SoftLifetime; } if ((Mask & LIFETIME) != 0) { OldData->ProcessingPolicy->SaLifetime.HardLifetime = NewData->ProcessingPolicy->SaLifetime.HardLifetime; } if ((Mask & MODE) != 0) { OldData->ProcessingPolicy->Mode = NewData->ProcessingPolicy->Mode; } if ((Mask & IPSEC_PROTO) != 0) { OldData->ProcessingPolicy->Proto = NewData->ProcessingPolicy->Proto; } if ((Mask & AUTH_ALGO) != 0) { OldData->ProcessingPolicy->AuthAlgoId = NewData->ProcessingPolicy->AuthAlgoId; } if ((Mask & ENCRYPT_ALGO) != 0) { OldData->ProcessingPolicy->EncAlgoId = NewData->ProcessingPolicy->EncAlgoId; } if (OldData->ProcessingPolicy->Mode != EfiIPsecTunnel) { OldData->ProcessingPolicy->TunnelOption = NULL; } else { if (OldData->ProcessingPolicy->TunnelOption == NULL) { // // Set from Transport mode to Tunnel mode, should ensure TUNNEL_LOCAL & TUNNEL_REMOTE both exists. // if ((Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--tunnel-local --tunnel-remote" ); return EFI_INVALID_PARAMETER; } OldData->ProcessingPolicy->TunnelOption = NewData->ProcessingPolicy->TunnelOption; } else { if ((Mask & TUNNEL_LOCAL) != 0) { CopyMem ( &OldData->ProcessingPolicy->TunnelOption->LocalTunnelAddress, &NewData->ProcessingPolicy->TunnelOption->LocalTunnelAddress, sizeof (EFI_IP_ADDRESS) ); } if ((Mask & TUNNEL_REMOTE) != 0) { CopyMem ( &OldData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress, &NewData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress, sizeof (EFI_IP_ADDRESS) ); } if ((Mask & DONT_FRAGMENT) != 0) { OldData->ProcessingPolicy->TunnelOption->DF = NewData->ProcessingPolicy->TunnelOption->DF; } } } } } return EFI_SUCCESS; } /** Combine old SAD entry with new SAD entry. @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure. @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA2 structure. @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure. @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA2 structure. @param[in] Mask The pointer to the Mask. @param[out] CreateNew The switch to create new. @retval EFI_SUCCESS Combined successfully. @retval EFI_INVALID_PARAMETER Invalid user input parameter. **/ EFI_STATUS CombineSadEntry ( IN OUT EFI_IPSEC_SA_ID *OldSaId, IN OUT EFI_IPSEC_SA_DATA2 *OldData, IN EFI_IPSEC_SA_ID *NewSaId, IN EFI_IPSEC_SA_DATA2 *NewData, IN UINT32 Mask, OUT BOOLEAN *CreateNew ) { *CreateNew = FALSE; if ((Mask & SPI) == 0) { NewSaId->Spi = OldSaId->Spi; } else if (NewSaId->Spi != OldSaId->Spi) { *CreateNew = TRUE; } if ((Mask & IPSEC_PROTO) == 0) { NewSaId->Proto = OldSaId->Proto; } else if (NewSaId->Proto != OldSaId->Proto) { *CreateNew = TRUE; } if ((Mask & DEST) == 0) { CopyMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS)); } else if (CompareMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS)) != 0) { *CreateNew = TRUE; } if ((Mask & SOURCE) == 0) { CopyMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS)); } else if (CompareMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS)) != 0) { *CreateNew = TRUE; } // // Process SA_DATA. // if ((Mask & MODE) != 0) { OldData->Mode = NewData->Mode; } if ((Mask & SEQUENCE_NUMBER) != 0) { OldData->SNCount = NewData->SNCount; } if ((Mask & ANTIREPLAY_WINDOW) != 0) { OldData->AntiReplayWindows = NewData->AntiReplayWindows; } if ((Mask & AUTH_ALGO) != 0) { OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId = NewData->AlgoInfo.EspAlgoInfo.AuthAlgoId; } if ((Mask & AUTH_KEY) != 0) { OldData->AlgoInfo.EspAlgoInfo.AuthKey = NewData->AlgoInfo.EspAlgoInfo.AuthKey; OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength = NewData->AlgoInfo.EspAlgoInfo.AuthKeyLength; } if ((Mask & ENCRYPT_ALGO) != 0) { OldData->AlgoInfo.EspAlgoInfo.EncAlgoId = NewData->AlgoInfo.EspAlgoInfo.EncAlgoId; } if ((Mask & ENCRYPT_KEY) != 0) { OldData->AlgoInfo.EspAlgoInfo.EncKey = NewData->AlgoInfo.EspAlgoInfo.EncKey; OldData->AlgoInfo.EspAlgoInfo.EncKeyLength = NewData->AlgoInfo.EspAlgoInfo.EncKeyLength; } if (NewSaId->Proto == EfiIPsecAH) { if ((Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) != 0) { // // Should not provide encrypt_* if AH. // ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER), mHiiHandle, mAppName, L"--encrypt-algo --encrypt-key" ); return EFI_INVALID_PARAMETER; } } if (NewSaId->Proto == EfiIPsecESP && OldSaId->Proto == EfiIPsecAH) { // // AH -> ESP // Should provide encrypt_algo at least. // if ((Mask & ENCRYPT_ALGO) == 0) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), mHiiHandle, mAppName, L"--encrypt-algo" ); return EFI_INVALID_PARAMETER; } // // Encrypt_key should be provided if algorithm is not NONE. // if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (Mask & ENCRYPT_KEY) == 0) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), mHiiHandle, mAppName, L"--encrypt-algo" ); return EFI_INVALID_PARAMETER; } } if ((Mask & LIFEBYTE) != 0) { OldData->SaLifetime.ByteCount = NewData->SaLifetime.ByteCount; } if ((Mask & LIFETIME_SOFT) != 0) { OldData->SaLifetime.SoftLifetime = NewData->SaLifetime.SoftLifetime; } if ((Mask & LIFETIME) != 0) { OldData->SaLifetime.HardLifetime = NewData->SaLifetime.HardLifetime; } if ((Mask & PATH_MTU) != 0) { OldData->PathMTU = NewData->PathMTU; } // // Process SpdSelector. // if (OldData->SpdSelector == NULL) { if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0) { if ((Mask & (LOCAL | REMOTE | PROTO)) != (LOCAL | REMOTE | PROTO)) { ShellPrintHiiEx ( -1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), mHiiHandle, mAppName, L"--local --remote --proto" ); return EFI_INVALID_PARAMETER; } OldData->SpdSelector = NewData->SpdSelector; } } else { if ((Mask & LOCAL) != 0) { OldData->SpdSelector->LocalAddressCount = NewData->SpdSelector->LocalAddressCount; OldData->SpdSelector->LocalAddress = NewData->SpdSelector->LocalAddress; } if ((Mask & REMOTE) != 0) { OldData->SpdSelector->RemoteAddressCount = NewData->SpdSelector->RemoteAddressCount; OldData->SpdSelector->RemoteAddress = NewData->SpdSelector->RemoteAddress; } if ((Mask & PROTO) != 0) { OldData->SpdSelector->NextLayerProtocol = NewData->SpdSelector->NextLayerProtocol; } if (OldData->SpdSelector != NULL) { switch (OldData->SpdSelector->NextLayerProtocol) { case EFI_IP4_PROTO_TCP: case EFI_IP4_PROTO_UDP: if ((Mask & LOCAL_PORT) != 0) { OldData->SpdSelector->LocalPort = NewData->SpdSelector->LocalPort; } if ((Mask & REMOTE_PORT) != 0) { OldData->SpdSelector->RemotePort = NewData->SpdSelector->RemotePort; } break; case EFI_IP4_PROTO_ICMP: if ((Mask & ICMP_TYPE) != 0) { OldData->SpdSelector->LocalPort = (UINT8) NewData->SpdSelector->LocalPort; } if ((Mask & ICMP_CODE) != 0) { OldData->SpdSelector->RemotePort = (UINT8) NewData->SpdSelector->RemotePort; } break; } } } return EFI_SUCCESS; } /** Combine old PAD entry with new PAD entry. @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structure. @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA structure. @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structure. @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA structure. @param[in] Mask The pointer to the Mask. @param[out] CreateNew The switch to create new. @retval EFI_SUCCESS Combined successfully. @retval EFI_INVALID_PARAMETER Invalid user input parameter. **/ EFI_STATUS CombinePadEntry ( IN OUT EFI_IPSEC_PAD_ID *OldPadId, IN OUT EFI_IPSEC_PAD_DATA *OldData, IN EFI_IPSEC_PAD_ID *NewPadId, IN EFI_IPSEC_PAD_DATA *NewData, IN UINT32 Mask, OUT BOOLEAN *CreateNew ) { *CreateNew = FALSE; if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) { CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID)); } else { if ((Mask & PEER_ID) != 0) { if (OldPadId->PeerIdValid) { if (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId) != 0) { *CreateNew = TRUE; } } else { *CreateNew = TRUE; } } else { // // MASK & PEER_ADDRESS // if (OldPadId->PeerIdValid) { *CreateNew = TRUE; } else { if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) || (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength)) { *CreateNew = TRUE; } } } } if ((Mask & AUTH_PROTO) != 0) { OldData->AuthProtocol = NewData->AuthProtocol; } if ((Mask & AUTH_METHOD) != 0) { OldData->AuthMethod = NewData->AuthMethod; } if ((Mask & IKE_ID) != 0) { OldData->IkeIdFlag = NewData->IkeIdFlag; } if ((Mask & AUTH_DATA) != 0) { OldData->AuthDataSize = NewData->AuthDataSize; OldData->AuthData = NewData->AuthData; } if ((Mask & REVOCATION_DATA) != 0) { OldData->RevocationDataSize = NewData->RevocationDataSize; OldData->RevocationData = NewData->RevocationData; } return EFI_SUCCESS; } COMBINE_POLICY_ENTRY mCombinePolicyEntry[] = { (COMBINE_POLICY_ENTRY) CombineSpdEntry, (COMBINE_POLICY_ENTRY) CombineSadEntry, (COMBINE_POLICY_ENTRY) CombinePadEntry }; /** Edit entry information in the database. @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure. @param[in] Data The pointer to the data. @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure. @retval EFI_SUCCESS Continue the iteration. @retval EFI_ABORTED Abort the iteration. **/ EFI_STATUS EditOperatePolicyEntry ( IN EFI_IPSEC_CONFIG_SELECTOR *Selector, IN VOID *Data, IN EDIT_POLICY_ENTRY_CONTEXT *Context ) { EFI_STATUS Status; BOOLEAN CreateNew; if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) { ASSERT (Context->DataType < 3); Status = mCombinePolicyEntry[Context->DataType] ( Selector, Data, Context->Selector, Context->Data, Context->Mask, &CreateNew ); if (!EFI_ERROR (Status)) { // // If the Selector already existed, this Entry will be updated by set data. // Status = mIpSecConfig->SetData ( mIpSecConfig, Context->DataType, Context->Selector, /// New created selector. Data, /// Old date which has been modified, need to be set data. Selector ); ASSERT_EFI_ERROR (Status); if (CreateNew) { // // Edit the entry to a new one. So, we need delete the old entry. // Status = mIpSecConfig->SetData ( mIpSecConfig, Context->DataType, Selector, /// Old selector. NULL, /// NULL means to delete this Entry specified by Selector. NULL ); ASSERT_EFI_ERROR (Status); } } Context->Status = Status; return EFI_ABORTED; } return EFI_SUCCESS; } /** Edit entry information in database according to datatype. @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. @param[in] ParamPackage The pointer to the ParamPackage list. @retval EFI_SUCCESS Edit entry information successfully. @retval EFI_NOT_FOUND Can't find the specified entry. @retval Others Some mistaken case. **/ EFI_STATUS EditPolicyEntry ( IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN LIST_ENTRY *ParamPackage ) { EFI_STATUS Status; EDIT_POLICY_ENTRY_CONTEXT Context; CONST CHAR16 *ValueStr; ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e"); if (ValueStr == NULL) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr); return EFI_NOT_FOUND; } Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage); if (!EFI_ERROR (Status)) { Context.DataType = DataType; Context.Status = EFI_NOT_FOUND; Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE); if (!EFI_ERROR (Status)) { ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context); Status = Context.Status; } if (Context.Selector != NULL) { gBS->FreePool (Context.Selector); } if (Context.Data != NULL) { gBS->FreePool (Context.Data); } } if (Status == EFI_NOT_FOUND) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr); } else if (EFI_ERROR (Status)) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName); } return Status; } /** Insert entry information in database. @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure. @param[in] Data The pointer to the data. @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure. @retval EFI_SUCCESS Continue the iteration. @retval EFI_ABORTED Abort the iteration. **/ EFI_STATUS InsertPolicyEntry ( IN EFI_IPSEC_CONFIG_SELECTOR *Selector, IN VOID *Data, IN INSERT_POLICY_ENTRY_CONTEXT *Context ) { // // Found the entry which we want to insert before. // if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) { Context->Status = mIpSecConfig->SetData ( mIpSecConfig, Context->DataType, Context->Selector, Context->Data, Selector ); // // Abort the iteration after the insertion. // return EFI_ABORTED; } return EFI_SUCCESS; } /** Insert or add entry information in database according to datatype. @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. @param[in] ParamPackage The pointer to the ParamPackage list. @retval EFI_SUCCESS Insert or add entry information successfully. @retval EFI_NOT_FOUND Can't find the specified entry. @retval EFI_BUFFER_TOO_SMALL The entry already existed. @retval EFI_UNSUPPORTED The operation is not supported. @retval Others Some mistaken case. **/ EFI_STATUS AddOrInsertPolicyEntry ( IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN LIST_ENTRY *ParamPackage ) { EFI_STATUS Status; EFI_IPSEC_CONFIG_SELECTOR *Selector; VOID *Data; INSERT_POLICY_ENTRY_CONTEXT Context; UINT32 Mask; UINTN DataSize; CONST CHAR16 *ValueStr; Status = mCreatePolicyEntry[DataType] (&Selector, &Data, ParamPackage, &Mask, TRUE); if (!EFI_ERROR (Status)) { // // Find if the Selector to be inserted already exists. // DataSize = 0; Status = mIpSecConfig->GetData ( mIpSecConfig, DataType, Selector, &DataSize, NULL ); if (Status == EFI_BUFFER_TOO_SMALL) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS), mHiiHandle, mAppName); } else if (ShellCommandLineGetFlag (ParamPackage, L"-a")) { Status = mIpSecConfig->SetData ( mIpSecConfig, DataType, Selector, Data, NULL ); } else { ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i"); if (ValueStr == NULL) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr); return EFI_NOT_FOUND; } Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage); if (!EFI_ERROR (Status)) { Context.DataType = DataType; Context.Status = EFI_NOT_FOUND; Context.Selector = Selector; Context.Data = Data; ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) InsertPolicyEntry, &Context); Status = Context.Status; if (Status == EFI_NOT_FOUND) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr); } } } gBS->FreePool (Selector); gBS->FreePool (Data); } if (Status == EFI_UNSUPPORTED) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT), mHiiHandle, mAppName); } else if (EFI_ERROR (Status)) { ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED), mHiiHandle, mAppName); } return Status; }