mirror of https://github.com/acidanthera/audk.git
2739 lines
86 KiB
C
2739 lines
86 KiB
C
/** @file
|
|
The Common operations used by IKE Exchange Process.
|
|
|
|
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
|
|
Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
|
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
|
|
|
**/
|
|
|
|
#include "Utility.h"
|
|
#include "IpSecDebug.h"
|
|
#include "IkeService.h"
|
|
#include "IpSecConfigImpl.h"
|
|
|
|
UINT16 mIkev2EncryptAlgorithmList[IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM] = {
|
|
IKEV2_TRANSFORM_ID_ENCR_3DES,
|
|
IKEV2_TRANSFORM_ID_ENCR_AES_CBC,
|
|
};
|
|
|
|
UINT16 mIkev2PrfAlgorithmList[IKEV2_SUPPORT_PRF_ALGORITHM_NUM] = {
|
|
IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1,
|
|
};
|
|
|
|
UINT16 mIkev2DhGroupAlgorithmList[IKEV2_SUPPORT_DH_ALGORITHM_NUM] = {
|
|
IKEV2_TRANSFORM_ID_DH_1024MODP,
|
|
IKEV2_TRANSFORM_ID_DH_2048MODP,
|
|
};
|
|
|
|
UINT16 mIkev2AuthAlgorithmList[IKEV2_SUPPORT_AUTH_ALGORITHM_NUM] = {
|
|
IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96,
|
|
};
|
|
|
|
/**
|
|
Allocate buffer for IKEV2_SA_SESSION and initialize it.
|
|
|
|
@param[in] Private Pointer to IPSEC_PRIVATE_DATA.
|
|
@param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
|
|
|
|
@return Pointer to IKEV2_SA_SESSION or NULL.
|
|
|
|
**/
|
|
IKEV2_SA_SESSION *
|
|
Ikev2SaSessionAlloc (
|
|
IN IPSEC_PRIVATE_DATA *Private,
|
|
IN IKE_UDP_SERVICE *UdpService
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
IKEV2_SESSION_COMMON *SessionCommon;
|
|
IKEV2_SA_SESSION *IkeSaSession;
|
|
|
|
IkeSaSession = AllocateZeroPool (sizeof (IKEV2_SA_SESSION));
|
|
if (IkeSaSession == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Initialize the fields of IkeSaSession and its SessionCommon.
|
|
//
|
|
IkeSaSession->NCookie = NULL;
|
|
IkeSaSession->Signature = IKEV2_SA_SESSION_SIGNATURE;
|
|
IkeSaSession->InitiatorCookie = IkeGenerateCookie ();
|
|
IkeSaSession->ResponderCookie = 0;
|
|
//
|
|
// BUGBUG: Message ID starts from 2 is to match the OpenSwan requirement, but it
|
|
// might not match the IPv6 Logo. In its test specification, it mentions that
|
|
// the Message ID should start from zero after the IKE_SA_INIT exchange.
|
|
//
|
|
IkeSaSession->MessageId = 2;
|
|
SessionCommon = &IkeSaSession->SessionCommon;
|
|
SessionCommon->UdpService = UdpService;
|
|
SessionCommon->Private = Private;
|
|
SessionCommon->IkeSessionType = IkeSessionTypeIkeSa;
|
|
SessionCommon->IkeVer = 2;
|
|
SessionCommon->AfterEncodePayload = NULL;
|
|
SessionCommon->BeforeDecodePayload = NULL;
|
|
|
|
//
|
|
// Create a resend notfiy event for retry.
|
|
//
|
|
Status = gBS->CreateEvent (
|
|
EVT_TIMER | EVT_NOTIFY_SIGNAL,
|
|
TPL_CALLBACK,
|
|
Ikev2ResendNotify,
|
|
SessionCommon,
|
|
&SessionCommon->TimeoutEvent
|
|
);
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
FreePool (IkeSaSession);
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Initialize the lists in IkeSaSession.
|
|
//
|
|
InitializeListHead (&IkeSaSession->ChildSaSessionList);
|
|
InitializeListHead (&IkeSaSession->ChildSaEstablishSessionList);
|
|
InitializeListHead (&IkeSaSession->InfoMIDList);
|
|
InitializeListHead (&IkeSaSession->DeleteSaList);
|
|
|
|
return IkeSaSession;
|
|
}
|
|
|
|
/**
|
|
Register the established IKEv2 SA into Private->Ikev2EstablishedList. If there is
|
|
IKEV2_SA_SESSION with same remote peer IP, remove the old one then register the
|
|
new one.
|
|
|
|
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
|
|
@param[in] Private Pointer to IPSEC_PRAVATE_DATA.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2SaSessionReg (
|
|
IN IKEV2_SA_SESSION *IkeSaSession,
|
|
IN IPSEC_PRIVATE_DATA *Private
|
|
)
|
|
{
|
|
IKEV2_SESSION_COMMON *SessionCommon;
|
|
IKEV2_SA_SESSION *OldIkeSaSession;
|
|
EFI_STATUS Status;
|
|
UINT64 Lifetime;
|
|
|
|
//
|
|
// Keep IKE SA exclusive to remote ip address.
|
|
//
|
|
SessionCommon = &IkeSaSession->SessionCommon;
|
|
OldIkeSaSession = Ikev2SaSessionRemove (&Private->Ikev2EstablishedList, &SessionCommon->RemotePeerIp);
|
|
if (OldIkeSaSession != NULL) {
|
|
//
|
|
// TODO: It should delete all child SAs if rekey the IKE SA.
|
|
//
|
|
Ikev2SaSessionFree (OldIkeSaSession);
|
|
}
|
|
|
|
//
|
|
// Cleanup the fields of SessionCommon for processing.
|
|
//
|
|
Ikev2SessionCommonRefresh (SessionCommon);
|
|
|
|
//
|
|
// Insert the ready IKE SA session into established list.
|
|
//
|
|
Ikev2SaSessionInsert (&Private->Ikev2EstablishedList, IkeSaSession, &SessionCommon->RemotePeerIp);
|
|
|
|
//
|
|
// Create a notfiy event for the IKE SA life time counting.
|
|
//
|
|
Status = gBS->CreateEvent (
|
|
EVT_TIMER | EVT_NOTIFY_SIGNAL,
|
|
TPL_CALLBACK,
|
|
Ikev2LifetimeNotify,
|
|
SessionCommon,
|
|
&SessionCommon->TimeoutEvent
|
|
);
|
|
if (EFI_ERROR(Status)){
|
|
//
|
|
// If TimerEvent creation failed, the SA will be alive untill user disable it or
|
|
// receiving a Delete Payload from peer.
|
|
//
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Start to count the lifetime of the IKE SA.
|
|
//
|
|
if (IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime == 0) {
|
|
Lifetime = IKE_SA_DEFAULT_LIFETIME;
|
|
} else {
|
|
Lifetime = IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime;
|
|
}
|
|
|
|
Status = gBS->SetTimer (
|
|
SessionCommon->TimeoutEvent,
|
|
TimerRelative,
|
|
MultU64x32(Lifetime, 10000000) // ms->100ns
|
|
);
|
|
if (EFI_ERROR(Status)){
|
|
//
|
|
// If SetTimer failed, the SA will be alive untill user disable it or
|
|
// receiving a Delete Payload from peer.
|
|
//
|
|
return ;
|
|
}
|
|
|
|
DEBUG ((
|
|
DEBUG_INFO,
|
|
"\n------IkeSa established and start to count down %d seconds lifetime\n",
|
|
Lifetime
|
|
));
|
|
|
|
return ;
|
|
}
|
|
|
|
/**
|
|
Find a IKEV2_SA_SESSION by the remote peer IP.
|
|
|
|
@param[in] SaSessionList SaSession List to be searched.
|
|
@param[in] RemotePeerIp Pointer to specified IP address.
|
|
|
|
@return Pointer to IKEV2_SA_SESSION if find one or NULL.
|
|
|
|
**/
|
|
IKEV2_SA_SESSION *
|
|
Ikev2SaSessionLookup (
|
|
IN LIST_ENTRY *SaSessionList,
|
|
IN EFI_IP_ADDRESS *RemotePeerIp
|
|
)
|
|
{
|
|
LIST_ENTRY *Entry;
|
|
IKEV2_SA_SESSION *IkeSaSession;
|
|
|
|
NET_LIST_FOR_EACH (Entry, SaSessionList) {
|
|
IkeSaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
|
|
|
|
if (CompareMem (
|
|
&IkeSaSession->SessionCommon.RemotePeerIp,
|
|
RemotePeerIp,
|
|
sizeof (EFI_IP_ADDRESS)
|
|
) == 0) {
|
|
|
|
return IkeSaSession;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either
|
|
Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.
|
|
|
|
@param[in] SaSessionList Pointer to list to be inserted into.
|
|
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
|
|
@param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the
|
|
unique IKEV2_SA_SESSION.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2SaSessionInsert (
|
|
IN LIST_ENTRY *SaSessionList,
|
|
IN IKEV2_SA_SESSION *IkeSaSession,
|
|
IN EFI_IP_ADDRESS *RemotePeerIp
|
|
)
|
|
{
|
|
Ikev2SaSessionRemove (SaSessionList, RemotePeerIp);
|
|
InsertTailList (SaSessionList, &IkeSaSession->BySessionTable);
|
|
}
|
|
|
|
/**
|
|
Remove the SA Session by Remote Peer IP.
|
|
|
|
@param[in] SaSessionList Pointer to list to be searched.
|
|
@param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
|
|
|
|
@retval Pointer to IKEV2_SA_SESSION with the specified remote IP address or NULL.
|
|
|
|
**/
|
|
IKEV2_SA_SESSION *
|
|
Ikev2SaSessionRemove (
|
|
IN LIST_ENTRY *SaSessionList,
|
|
IN EFI_IP_ADDRESS *RemotePeerIp
|
|
)
|
|
{
|
|
LIST_ENTRY *Entry;
|
|
IKEV2_SA_SESSION *IkeSaSession;
|
|
|
|
NET_LIST_FOR_EACH (Entry, SaSessionList) {
|
|
IkeSaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
|
|
|
|
if (CompareMem (
|
|
&IkeSaSession->SessionCommon.RemotePeerIp,
|
|
RemotePeerIp,
|
|
sizeof (EFI_IP_ADDRESS)
|
|
) == 0) {
|
|
|
|
RemoveEntryList (Entry);
|
|
return IkeSaSession;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|
|
/**
|
|
Free specified Seession Common. The session common would belong to a IKE SA or
|
|
a Child SA.
|
|
|
|
@param[in] SessionCommon Pointer to a Session Common.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2SaSessionCommonFree (
|
|
IN IKEV2_SESSION_COMMON *SessionCommon
|
|
)
|
|
{
|
|
|
|
ASSERT (SessionCommon != NULL);
|
|
|
|
if (SessionCommon->LastSentPacket != NULL) {
|
|
IkePacketFree (SessionCommon->LastSentPacket);
|
|
}
|
|
|
|
if (SessionCommon->SaParams != NULL) {
|
|
FreePool (SessionCommon->SaParams);
|
|
}
|
|
if (SessionCommon->TimeoutEvent != NULL) {
|
|
gBS->CloseEvent (SessionCommon->TimeoutEvent);
|
|
}
|
|
}
|
|
|
|
/**
|
|
After IKE/Child SA is estiblished, close the time event and free sent packet.
|
|
|
|
@param[in] SessionCommon Pointer to a Session Common.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2SessionCommonRefresh (
|
|
IN IKEV2_SESSION_COMMON *SessionCommon
|
|
)
|
|
{
|
|
ASSERT (SessionCommon != NULL);
|
|
|
|
gBS->CloseEvent (SessionCommon->TimeoutEvent);
|
|
SessionCommon->TimeoutEvent = NULL;
|
|
SessionCommon->TimeoutInterval = 0;
|
|
SessionCommon->RetryCount = 0;
|
|
if (SessionCommon->LastSentPacket != NULL) {
|
|
IkePacketFree (SessionCommon->LastSentPacket);
|
|
SessionCommon->LastSentPacket = NULL;
|
|
}
|
|
|
|
return ;
|
|
}
|
|
/**
|
|
Free specified IKEV2 SA Session.
|
|
|
|
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2SaSessionFree (
|
|
IN IKEV2_SA_SESSION *IkeSaSession
|
|
)
|
|
{
|
|
IKEV2_SESSION_KEYS *IkeKeys;
|
|
LIST_ENTRY *Entry;
|
|
IKEV2_CHILD_SA_SESSION *ChildSa;
|
|
IKEV2_DH_BUFFER *DhBuffer;
|
|
|
|
ASSERT (IkeSaSession != NULL);
|
|
|
|
//
|
|
// Delete Common Session
|
|
//
|
|
Ikev2SaSessionCommonFree (&IkeSaSession->SessionCommon);
|
|
|
|
//
|
|
// Delete ChildSaEstablish List and SAD
|
|
//
|
|
for (Entry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;
|
|
Entry != &IkeSaSession->ChildSaEstablishSessionList;
|
|
) {
|
|
|
|
ChildSa = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
|
|
Entry = Entry->ForwardLink;
|
|
Ikev2ChildSaSilentDelete (ChildSa->IkeSaSession, ChildSa->LocalPeerSpi);
|
|
|
|
}
|
|
|
|
//
|
|
// Delete ChildSaSessionList
|
|
//
|
|
for ( Entry = IkeSaSession->ChildSaSessionList.ForwardLink;
|
|
Entry != &IkeSaSession->ChildSaSessionList;
|
|
){
|
|
ChildSa = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
|
|
Entry = Entry->ForwardLink;
|
|
RemoveEntryList (Entry->BackLink);
|
|
Ikev2ChildSaSessionFree (ChildSa);
|
|
}
|
|
|
|
//
|
|
// Delete DhBuffer and Keys
|
|
//
|
|
if (IkeSaSession->IkeKeys != NULL) {
|
|
IkeKeys = IkeSaSession->IkeKeys;
|
|
DhBuffer = IkeKeys->DhBuffer;
|
|
|
|
//
|
|
// Delete DhBuffer
|
|
//
|
|
Ikev2DhBufferFree (DhBuffer);
|
|
|
|
//
|
|
// Delete Keys
|
|
//
|
|
if (IkeKeys->SkAiKey != NULL) {
|
|
FreePool (IkeKeys->SkAiKey);
|
|
}
|
|
if (IkeKeys->SkArKey != NULL) {
|
|
FreePool (IkeKeys->SkArKey);
|
|
}
|
|
if (IkeKeys->SkdKey != NULL) {
|
|
FreePool (IkeKeys->SkdKey);
|
|
}
|
|
if (IkeKeys->SkEiKey != NULL) {
|
|
FreePool (IkeKeys->SkEiKey);
|
|
}
|
|
if (IkeKeys->SkErKey != NULL) {
|
|
FreePool (IkeKeys->SkErKey);
|
|
}
|
|
if (IkeKeys->SkPiKey != NULL) {
|
|
FreePool (IkeKeys->SkPiKey);
|
|
}
|
|
if (IkeKeys->SkPrKey != NULL) {
|
|
FreePool (IkeKeys->SkPrKey);
|
|
}
|
|
FreePool (IkeKeys);
|
|
}
|
|
|
|
if (IkeSaSession->SaData != NULL) {
|
|
FreePool (IkeSaSession->SaData);
|
|
}
|
|
|
|
if (IkeSaSession->NiBlock != NULL) {
|
|
FreePool (IkeSaSession->NiBlock);
|
|
}
|
|
|
|
if (IkeSaSession->NrBlock != NULL) {
|
|
FreePool (IkeSaSession->NrBlock);
|
|
}
|
|
|
|
if (IkeSaSession->NCookie != NULL) {
|
|
FreePool (IkeSaSession->NCookie);
|
|
}
|
|
|
|
if (IkeSaSession->InitPacket != NULL) {
|
|
FreePool (IkeSaSession->InitPacket);
|
|
}
|
|
|
|
if (IkeSaSession->RespPacket != NULL) {
|
|
FreePool (IkeSaSession->RespPacket);
|
|
}
|
|
|
|
FreePool (IkeSaSession);
|
|
|
|
return ;
|
|
}
|
|
|
|
/**
|
|
Increase the MessageID in IkeSaSession.
|
|
|
|
@param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2SaSessionIncreaseMessageId (
|
|
IN IKEV2_SA_SESSION *IkeSaSession
|
|
)
|
|
{
|
|
if (IkeSaSession->MessageId < 0xffffffff) {
|
|
IkeSaSession->MessageId ++;
|
|
} else {
|
|
//
|
|
// TODO: Trigger Rekey process.
|
|
//
|
|
}
|
|
}
|
|
|
|
/**
|
|
Allocate memory for IKEV2 Child SA Session.
|
|
|
|
@param[in] UdpService Pointer to IKE_UDP_SERVICE.
|
|
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
|
|
Session.
|
|
|
|
@retval Pointer of a new created IKEV2 Child SA Session or NULL.
|
|
|
|
**/
|
|
IKEV2_CHILD_SA_SESSION *
|
|
Ikev2ChildSaSessionAlloc (
|
|
IN IKE_UDP_SERVICE *UdpService,
|
|
IN IKEV2_SA_SESSION *IkeSaSession
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
IKEV2_SESSION_COMMON *ChildSaCommon;
|
|
IKEV2_SESSION_COMMON *SaCommon;
|
|
|
|
ChildSaSession = AllocateZeroPool (sizeof (IKEV2_CHILD_SA_SESSION));
|
|
if (ChildSaSession == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Initialize the fields of ChildSaSession and its SessionCommon.
|
|
//
|
|
ChildSaSession->Signature = IKEV2_CHILD_SA_SESSION_SIGNATURE;
|
|
ChildSaSession->IkeSaSession = IkeSaSession;
|
|
ChildSaSession->MessageId = IkeSaSession->MessageId;
|
|
|
|
//
|
|
// Generate an new SPI.
|
|
//
|
|
Status = IkeGenerateSpi (IkeSaSession, &(ChildSaSession->LocalPeerSpi));
|
|
if (EFI_ERROR (Status)) {
|
|
FreePool (ChildSaSession);
|
|
return NULL;
|
|
}
|
|
|
|
ChildSaCommon = &ChildSaSession->SessionCommon;
|
|
ChildSaCommon->UdpService = UdpService;
|
|
ChildSaCommon->Private = IkeSaSession->SessionCommon.Private;
|
|
ChildSaCommon->IkeSessionType = IkeSessionTypeChildSa;
|
|
ChildSaCommon->IkeVer = 2;
|
|
ChildSaCommon->AfterEncodePayload = Ikev2ChildSaAfterEncodePayload;
|
|
ChildSaCommon->BeforeDecodePayload = Ikev2ChildSaBeforeDecodePayload;
|
|
SaCommon = &ChildSaSession->IkeSaSession->SessionCommon;
|
|
|
|
//
|
|
// Create a resend notfiy event for retry.
|
|
//
|
|
Status = gBS->CreateEvent (
|
|
EVT_TIMER | EVT_NOTIFY_SIGNAL,
|
|
TPL_CALLBACK,
|
|
Ikev2ResendNotify,
|
|
ChildSaCommon,
|
|
&ChildSaCommon->TimeoutEvent
|
|
);
|
|
if (EFI_ERROR (Status)) {
|
|
FreePool (ChildSaSession);
|
|
return NULL;
|
|
}
|
|
|
|
CopyMem (&ChildSaCommon->LocalPeerIp, &SaCommon->LocalPeerIp, sizeof (EFI_IP_ADDRESS));
|
|
CopyMem (&ChildSaCommon->RemotePeerIp, &SaCommon->RemotePeerIp, sizeof (EFI_IP_ADDRESS));
|
|
|
|
return ChildSaSession;
|
|
}
|
|
|
|
/**
|
|
Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
|
|
If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one
|
|
then register the new one.
|
|
|
|
@param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
|
|
@param[in] Private Pointer to IPSEC_PRAVATE_DATA.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2ChildSaSessionReg (
|
|
IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
|
|
IN IPSEC_PRIVATE_DATA *Private
|
|
)
|
|
{
|
|
IKEV2_SESSION_COMMON *SessionCommon;
|
|
IKEV2_CHILD_SA_SESSION *OldChildSaSession;
|
|
IKEV2_SA_SESSION *IkeSaSession;
|
|
EFI_STATUS Status;
|
|
UINT64 Lifetime;
|
|
|
|
//
|
|
// Keep the IKE SA exclusive.
|
|
//
|
|
SessionCommon = &ChildSaSession->SessionCommon;
|
|
IkeSaSession = ChildSaSession->IkeSaSession;
|
|
OldChildSaSession = Ikev2ChildSaSessionRemove (
|
|
&IkeSaSession->ChildSaEstablishSessionList,
|
|
ChildSaSession->LocalPeerSpi,
|
|
IKEV2_ESTABLISHED_CHILDSA_LIST
|
|
);
|
|
if (OldChildSaSession != NULL) {
|
|
//
|
|
// Free the old one.
|
|
//
|
|
Ikev2ChildSaSessionFree (OldChildSaSession);
|
|
}
|
|
|
|
//
|
|
// Store the ready child SA into SAD.
|
|
//
|
|
Ikev2StoreSaData (ChildSaSession);
|
|
|
|
//
|
|
// Cleanup the fields of SessionCommon for processing.
|
|
//
|
|
Ikev2SessionCommonRefresh (SessionCommon);
|
|
|
|
//
|
|
// Insert the ready child SA session into established list.
|
|
//
|
|
Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaEstablishSessionList, ChildSaSession);
|
|
|
|
//
|
|
// Create a Notify event for the IKE SA life time counting.
|
|
//
|
|
Status = gBS->CreateEvent (
|
|
EVT_TIMER | EVT_NOTIFY_SIGNAL,
|
|
TPL_CALLBACK,
|
|
Ikev2LifetimeNotify,
|
|
SessionCommon,
|
|
&SessionCommon->TimeoutEvent
|
|
);
|
|
if (EFI_ERROR(Status)){
|
|
return ;
|
|
}
|
|
|
|
//
|
|
// Start to count the lifetime of the IKE SA.
|
|
//
|
|
if (ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime != 0){
|
|
Lifetime = ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime;
|
|
} else {
|
|
Lifetime = CHILD_SA_DEFAULT_LIFETIME;
|
|
}
|
|
|
|
Status = gBS->SetTimer (
|
|
SessionCommon->TimeoutEvent,
|
|
TimerRelative,
|
|
MultU64x32(Lifetime, 10000000) // ms->100ns
|
|
);
|
|
if (EFI_ERROR(Status)){
|
|
return ;
|
|
}
|
|
|
|
DEBUG ((
|
|
DEBUG_INFO,
|
|
"\n------ChildSa established and start to count down %d seconds lifetime\n",
|
|
Lifetime
|
|
));
|
|
|
|
return ;
|
|
}
|
|
|
|
|
|
/**
|
|
This function find the Child SA by the specified SPI.
|
|
|
|
This functin find a ChildSA session by searching the ChildSaSessionlist of
|
|
the input IKEV2_SA_SESSION by specified MessageID.
|
|
|
|
@param[in] SaSessionList Pointer to List to be searched.
|
|
@param[in] Spi Specified SPI.
|
|
|
|
@return Pointer to IKEV2_CHILD_SA_SESSION or NULL.
|
|
|
|
**/
|
|
IKEV2_CHILD_SA_SESSION *
|
|
Ikev2ChildSaSessionLookupBySpi (
|
|
IN LIST_ENTRY *SaSessionList,
|
|
IN UINT32 Spi
|
|
)
|
|
{
|
|
LIST_ENTRY *Entry;
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
|
|
NET_LIST_FOR_EACH (Entry, SaSessionList) {
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
|
|
|
|
if (ChildSaSession->RemotePeerSpi == Spi || ChildSaSession->LocalPeerSpi == Spi) {
|
|
return ChildSaSession;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
Insert a Child SA Session into the specified ChildSa list.
|
|
|
|
@param[in] SaSessionList Pointer to list to be inserted in.
|
|
@param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2ChildSaSessionInsert (
|
|
IN LIST_ENTRY *SaSessionList,
|
|
IN IKEV2_CHILD_SA_SESSION *ChildSaSession
|
|
)
|
|
{
|
|
InsertTailList (SaSessionList, &ChildSaSession->ByIkeSa);
|
|
}
|
|
|
|
/**
|
|
Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
|
|
|
|
@param[in] SaSessionList The SA Session List to be iterated.
|
|
@param[in] Spi Spi used to identified the IKEV2_CHILD_SA_SESSION.
|
|
@param[in] ListType The type of the List to indicate whether it is a
|
|
Established.
|
|
|
|
@return The point to IKEV2_CHILD_SA_SESSION or NULL.
|
|
|
|
**/
|
|
IKEV2_CHILD_SA_SESSION *
|
|
Ikev2ChildSaSessionRemove (
|
|
IN LIST_ENTRY *SaSessionList,
|
|
IN UINT32 Spi,
|
|
IN UINT8 ListType
|
|
)
|
|
{
|
|
LIST_ENTRY *Entry;
|
|
LIST_ENTRY *NextEntry;
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
|
|
NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SaSessionList) {
|
|
|
|
if (ListType == IKEV2_ESTABLISHED_CHILDSA_LIST || ListType == IKEV2_ESTABLISHING_CHILDSA_LIST) {
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
|
|
} else if (ListType == IKEV2_DELET_CHILDSA_LIST) {
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry);
|
|
} else {
|
|
return NULL;
|
|
}
|
|
|
|
if (ChildSaSession->RemotePeerSpi == Spi || ChildSaSession->LocalPeerSpi == Spi) {
|
|
RemoveEntryList (Entry);
|
|
return ChildSaSession;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
Free the memory located for the specified IKEV2_CHILD_SA_SESSION.
|
|
|
|
@param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2ChildSaSessionFree (
|
|
IN IKEV2_CHILD_SA_SESSION *ChildSaSession
|
|
)
|
|
{
|
|
IKEV2_SESSION_COMMON *SessionCommon;
|
|
|
|
SessionCommon = &ChildSaSession->SessionCommon;
|
|
if (ChildSaSession->SaData != NULL) {
|
|
FreePool (ChildSaSession->SaData);
|
|
}
|
|
|
|
if (ChildSaSession->NiBlock != NULL) {
|
|
FreePool (ChildSaSession->NiBlock);
|
|
}
|
|
|
|
if (ChildSaSession->NrBlock != NULL) {
|
|
FreePool (ChildSaSession->NrBlock);
|
|
}
|
|
|
|
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != NULL) {
|
|
FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey);
|
|
}
|
|
|
|
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey != NULL) {
|
|
FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey);
|
|
}
|
|
|
|
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != NULL) {
|
|
FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey);
|
|
}
|
|
|
|
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != NULL) {
|
|
FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey);
|
|
}
|
|
|
|
//
|
|
// Delete DhBuffer
|
|
//
|
|
Ikev2DhBufferFree (ChildSaSession->DhBuffer);
|
|
|
|
//
|
|
// Delete SpdSelector
|
|
//
|
|
if (ChildSaSession->SpdSelector != NULL) {
|
|
if (ChildSaSession->SpdSelector->LocalAddress != NULL) {
|
|
FreePool (ChildSaSession->SpdSelector->LocalAddress);
|
|
}
|
|
if (ChildSaSession->SpdSelector->RemoteAddress != NULL) {
|
|
FreePool (ChildSaSession->SpdSelector->RemoteAddress);
|
|
}
|
|
FreePool (ChildSaSession->SpdSelector);
|
|
}
|
|
Ikev2SaSessionCommonFree (SessionCommon);
|
|
FreePool (ChildSaSession);
|
|
|
|
return ;
|
|
}
|
|
|
|
/**
|
|
Delete the specified established Child SA.
|
|
|
|
This function delete the Child SA directly and don't send the Information Packet to
|
|
remote peer.
|
|
|
|
@param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.
|
|
@param[in] Spi SPI used to find the Child SA.
|
|
|
|
@retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.
|
|
@retval EFI_NOT_FOUND There is no specified Child SA related with the input
|
|
SPI under this IKE SA Session.
|
|
@retval EFI_SUCCESS Delete the Child SA successfully.
|
|
|
|
**/
|
|
EFI_STATUS
|
|
Ikev2ChildSaSilentDelete (
|
|
IN IKEV2_SA_SESSION *IkeSaSession,
|
|
IN UINT32 Spi
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
EFI_IPSEC_CONFIG_SELECTOR *Selector;
|
|
UINTN SelectorSize;
|
|
BOOLEAN IsLocalFound;
|
|
BOOLEAN IsRemoteFound;
|
|
UINT32 LocalSpi;
|
|
UINT32 RemoteSpi;
|
|
IKEV2_CHILD_SA_SESSION *ChildSession;
|
|
EFI_IPSEC_CONFIG_SELECTOR *LocalSelector;
|
|
EFI_IPSEC_CONFIG_SELECTOR *RemoteSelector;
|
|
IPSEC_PRIVATE_DATA *Private;
|
|
|
|
if (IkeSaSession == NULL) {
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
|
|
IsLocalFound = FALSE;
|
|
IsRemoteFound = FALSE;
|
|
ChildSession = NULL;
|
|
LocalSelector = NULL;
|
|
RemoteSelector = NULL;
|
|
|
|
Private = IkeSaSession->SessionCommon.Private;
|
|
|
|
//
|
|
// Remove the Established SA from ChildSaEstablishlist.
|
|
//
|
|
ChildSession = Ikev2ChildSaSessionRemove(
|
|
&(IkeSaSession->ChildSaEstablishSessionList),
|
|
Spi,
|
|
IKEV2_ESTABLISHED_CHILDSA_LIST
|
|
);
|
|
if (ChildSession == NULL) {
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
|
|
LocalSpi = ChildSession->LocalPeerSpi;
|
|
RemoteSpi = ChildSession->RemotePeerSpi;
|
|
|
|
SelectorSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);
|
|
Selector = AllocateZeroPool (SelectorSize);
|
|
if (Selector == NULL) {
|
|
return EFI_OUT_OF_RESOURCES;
|
|
}
|
|
|
|
while (1) {
|
|
Status = EfiIpSecConfigGetNextSelector (
|
|
&Private->IpSecConfig,
|
|
IPsecConfigDataTypeSad,
|
|
&SelectorSize,
|
|
Selector
|
|
);
|
|
if (Status == EFI_BUFFER_TOO_SMALL) {
|
|
FreePool (Selector);
|
|
|
|
Selector = AllocateZeroPool (SelectorSize);
|
|
if (Selector == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
break;
|
|
}
|
|
|
|
Status = EfiIpSecConfigGetNextSelector (
|
|
&Private->IpSecConfig,
|
|
IPsecConfigDataTypeSad,
|
|
&SelectorSize,
|
|
Selector
|
|
);
|
|
}
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
break;
|
|
}
|
|
|
|
if (Selector->SaId.Spi == RemoteSpi) {
|
|
//
|
|
// SPI is unique. There is only one SAD whose SPI is
|
|
// same with RemoteSpi.
|
|
//
|
|
IsRemoteFound = TRUE;
|
|
RemoteSelector = AllocateZeroPool (SelectorSize);
|
|
if (RemoteSelector == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
break;
|
|
}
|
|
|
|
CopyMem (RemoteSelector, Selector, SelectorSize);
|
|
}
|
|
|
|
if (Selector->SaId.Spi == LocalSpi) {
|
|
//
|
|
// SPI is unique. There is only one SAD whose SPI is
|
|
// same with LocalSpi.
|
|
//
|
|
IsLocalFound = TRUE;
|
|
LocalSelector = AllocateZeroPool (SelectorSize);
|
|
if (LocalSelector == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
break;
|
|
}
|
|
|
|
CopyMem (LocalSelector, Selector, SelectorSize);
|
|
}
|
|
}
|
|
//
|
|
// Delete SA from the Variable.
|
|
//
|
|
if (IsLocalFound) {
|
|
Status = EfiIpSecConfigSetData (
|
|
&Private->IpSecConfig,
|
|
IPsecConfigDataTypeSad,
|
|
LocalSelector,
|
|
NULL,
|
|
NULL
|
|
);
|
|
}
|
|
|
|
if (IsRemoteFound) {
|
|
Status = EfiIpSecConfigSetData (
|
|
&Private->IpSecConfig,
|
|
IPsecConfigDataTypeSad,
|
|
RemoteSelector,
|
|
NULL,
|
|
NULL
|
|
);
|
|
|
|
}
|
|
|
|
DEBUG (
|
|
(DEBUG_INFO,
|
|
"\n------IKEV2 deleted ChildSa(local spi, remote spi):(0x%x, 0x%x)------\n",
|
|
LocalSpi,
|
|
RemoteSpi)
|
|
);
|
|
Ikev2ChildSaSessionFree (ChildSession);
|
|
|
|
if (RemoteSelector != NULL) {
|
|
FreePool (RemoteSelector);
|
|
}
|
|
|
|
if (LocalSelector != NULL) {
|
|
FreePool (LocalSelector);
|
|
}
|
|
|
|
if (Selector != NULL) {
|
|
FreePool (Selector);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
/**
|
|
Free the specified DhBuffer.
|
|
|
|
@param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2DhBufferFree (
|
|
IKEV2_DH_BUFFER *DhBuffer
|
|
)
|
|
{
|
|
if (DhBuffer != NULL) {
|
|
if (DhBuffer->GxBuffer != NULL) {
|
|
FreePool (DhBuffer->GxBuffer);
|
|
}
|
|
if (DhBuffer->GyBuffer != NULL) {
|
|
FreePool (DhBuffer->GyBuffer);
|
|
}
|
|
if (DhBuffer->GxyBuffer != NULL) {
|
|
FreePool (DhBuffer->GxyBuffer);
|
|
}
|
|
if (DhBuffer->DhContext != NULL) {
|
|
IpSecCryptoIoFreeDh (&DhBuffer->DhContext);
|
|
}
|
|
FreePool (DhBuffer);
|
|
}
|
|
}
|
|
|
|
/**
|
|
This function is to parse a request IKE packet and return its request type.
|
|
The request type is one of IKE CHILD SA creation, IKE SA rekeying and
|
|
IKE CHILD SA rekeying.
|
|
|
|
@param[in] IkePacket IKE packet to be prased.
|
|
|
|
return the type of the IKE packet.
|
|
|
|
**/
|
|
IKEV2_CREATE_CHILD_REQUEST_TYPE
|
|
Ikev2ChildExchangeRequestType(
|
|
IN IKE_PACKET *IkePacket
|
|
)
|
|
{
|
|
BOOLEAN Flag;
|
|
LIST_ENTRY *Entry;
|
|
IKE_PAYLOAD *IkePayload;
|
|
|
|
Flag = FALSE;
|
|
|
|
NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
|
|
IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
|
|
if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {
|
|
//
|
|
// Packet with Ts Payload means it is for either CHILD_SA_CREATE or CHILD_SA_REKEY.
|
|
//
|
|
Flag = TRUE;
|
|
}
|
|
if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) {
|
|
if (((IKEV2_NOTIFY*)IkePayload)->MessageType == IKEV2_NOTIFICATION_REKEY_SA) {
|
|
//
|
|
// If notify payload with REKEY_SA message type, the IkePacket is for
|
|
// rekeying Child SA.
|
|
//
|
|
return IkeRequestTypeRekeyChildSa;
|
|
}
|
|
}
|
|
};
|
|
|
|
if (!Flag){
|
|
//
|
|
// The Create Child Exchange is for IKE SA rekeying.
|
|
//
|
|
return IkeRequestTypeRekeyIkeSa;
|
|
} else {
|
|
//
|
|
// If the Notify payloaad with transport mode message type, the IkePacket is
|
|
// for create Child SA.
|
|
//
|
|
return IkeRequestTypeCreateChildSa;
|
|
}
|
|
}
|
|
|
|
/**
|
|
Associate a SPD selector to the Child SA Session.
|
|
|
|
This function is called when the Child SA is not the first child SA of its
|
|
IKE SA. It associate a SPD to this Child SA.
|
|
|
|
@param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
|
|
a SPD selector.
|
|
|
|
@retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
|
|
@retval EFI_NOT_FOUND Can't find the related SPD selector.
|
|
|
|
**/
|
|
EFI_STATUS
|
|
Ikev2ChildSaAssociateSpdEntry (
|
|
IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
|
|
)
|
|
{
|
|
IpSecVisitConfigData (IPsecConfigDataTypeSpd, Ikev2MatchSpdEntry, ChildSaSession);
|
|
if (ChildSaSession->Spd != NULL) {
|
|
return EFI_SUCCESS;
|
|
} else {
|
|
return EFI_NOT_FOUND;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
Validate the IKE header of received IKE packet.
|
|
|
|
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
|
|
@param[in] IkeHdr Pointer to IKE header of received IKE packet.
|
|
|
|
@retval TRUE If the IKE header is valid.
|
|
@retval FALSE If the IKE header is invalid.
|
|
|
|
**/
|
|
BOOLEAN
|
|
Ikev2ValidateHeader (
|
|
IN IKEV2_SA_SESSION *IkeSaSession,
|
|
IN IKE_HEADER *IkeHdr
|
|
)
|
|
{
|
|
|
|
IKEV2_SESSION_STATE State;
|
|
|
|
State = IkeSaSession->SessionCommon.State;
|
|
if (State == IkeStateInit) {
|
|
//
|
|
// For the IKE Initial Exchange, the MessagId should be zero.
|
|
//
|
|
if (IkeHdr->MessageId != 0) {
|
|
return FALSE;
|
|
}
|
|
} else {
|
|
if (State == IkeStateAuth) {
|
|
if (IkeHdr->MessageId != 1) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
if (IkeHdr->InitiatorCookie != IkeSaSession->InitiatorCookie ||
|
|
IkeHdr->ResponderCookie != IkeSaSession->ResponderCookie
|
|
) {
|
|
//
|
|
// TODO: send notification INVALID-COOKIE
|
|
//
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Information Exchagne and Create Child Exchange can be started from each part.
|
|
//
|
|
if (IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_INFO &&
|
|
IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_CREATE_CHILD
|
|
) {
|
|
if (IkeSaSession->SessionCommon.IsInitiator) {
|
|
if (IkeHdr->InitiatorCookie != IkeSaSession->InitiatorCookie) {
|
|
//
|
|
// TODO: send notification INVALID-COOKIE
|
|
//
|
|
return FALSE;
|
|
}
|
|
if (IkeHdr->Flags != IKE_HEADER_FLAGS_RESPOND) {
|
|
return FALSE;
|
|
}
|
|
} else {
|
|
if (IkeHdr->Flags != IKE_HEADER_FLAGS_INIT) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/**
|
|
Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.
|
|
|
|
This function will be only called by the initiator. The responder's IKEV2_SA_DATA
|
|
will be generated during parsed the initiator packet.
|
|
|
|
@param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.
|
|
|
|
@retval a Pointer to a new IKEV2_SA_DATA or NULL.
|
|
|
|
**/
|
|
IKEV2_SA_DATA *
|
|
Ikev2InitializeSaData (
|
|
IN IKEV2_SESSION_COMMON *SessionCommon
|
|
)
|
|
{
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
IKEV2_SA_DATA *SaData;
|
|
IKEV2_PROPOSAL_DATA *ProposalData;
|
|
IKEV2_TRANSFORM_DATA *TransformData;
|
|
IKE_SA_ATTRIBUTE *Attribute;
|
|
|
|
ASSERT (SessionCommon != NULL);
|
|
//
|
|
// TODO: Remove the hard code of the support Alogrithm. Those data should be
|
|
// get from the SPD/PAD data.
|
|
//
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
SaData = AllocateZeroPool (
|
|
sizeof (IKEV2_SA_DATA) +
|
|
sizeof (IKEV2_PROPOSAL_DATA) * 2 +
|
|
sizeof (IKEV2_TRANSFORM_DATA) * 4 * 2
|
|
);
|
|
} else {
|
|
SaData = AllocateZeroPool (
|
|
sizeof (IKEV2_SA_DATA) +
|
|
sizeof (IKEV2_PROPOSAL_DATA) * 2 +
|
|
sizeof (IKEV2_TRANSFORM_DATA) * 3 * 2
|
|
);
|
|
}
|
|
if (SaData == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// First proposal payload: 3DES + SHA1 + DH
|
|
//
|
|
SaData->NumProposals = 2;
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);
|
|
ProposalData->ProposalIndex = 1;
|
|
|
|
//
|
|
// If SA data for IKE_SA_INIT exchage, contains 4 transforms. If SA data for
|
|
// IKE_AUTH exchange contains 3 transforms.
|
|
//
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
ProposalData->NumTransforms = 4;
|
|
} else {
|
|
ProposalData->NumTransforms = 3;
|
|
}
|
|
|
|
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
ProposalData->ProtocolId = IPSEC_PROTO_ISAKMP;
|
|
} else {
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
|
|
ProposalData->ProtocolId = IPSEC_PROTO_IPSEC_ESP;
|
|
ProposalData->Spi = AllocateZeroPool (sizeof (ChildSaSession->LocalPeerSpi));
|
|
if (ProposalData->Spi == NULL) {
|
|
FreePool (SaData);
|
|
return NULL;
|
|
}
|
|
|
|
CopyMem (
|
|
ProposalData->Spi,
|
|
&ChildSaSession->LocalPeerSpi,
|
|
sizeof(ChildSaSession->LocalPeerSpi)
|
|
);
|
|
}
|
|
|
|
//
|
|
// Set transform attribute for Encryption Algorithm - 3DES
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1);
|
|
TransformData->TransformIndex = 0;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ENCR;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_ENCR_3DES;
|
|
|
|
//
|
|
// Set transform attribute for Integrity Algorithm - SHA1_96
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 1;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_INTEG;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96;
|
|
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
//
|
|
// Set transform attribute for Pseduo-Random Function - HAMC_SHA1
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 2;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_PRF;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1;
|
|
}
|
|
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
//
|
|
// Set transform attribute for DH Group - DH 1024
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 3;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_DH;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_DH_1024MODP;
|
|
} else {
|
|
//
|
|
// Transform type for Extended Sequence Numbers. Currently not support Extended
|
|
// Sequence Number.
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 2;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ESN;
|
|
TransformData->TransformId = 0;
|
|
}
|
|
|
|
//
|
|
// Second proposal payload: 3DES + SHA1 + DH
|
|
//
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *) (TransformData + 1);
|
|
ProposalData->ProposalIndex = 2;
|
|
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
ProposalData->ProtocolId = IPSEC_PROTO_ISAKMP;
|
|
ProposalData->NumTransforms = 4;
|
|
} else {
|
|
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
|
|
ProposalData->ProtocolId = IPSEC_PROTO_IPSEC_ESP;
|
|
ProposalData->NumTransforms = 3;
|
|
ProposalData->Spi = AllocateZeroPool (sizeof (ChildSaSession->LocalPeerSpi));
|
|
if (ProposalData->Spi == NULL) {
|
|
FreePool (((IKEV2_PROPOSAL_DATA *) (SaData + 1))->Spi);
|
|
FreePool (SaData);
|
|
return NULL;
|
|
}
|
|
|
|
CopyMem (
|
|
ProposalData->Spi,
|
|
&ChildSaSession->LocalPeerSpi,
|
|
sizeof(ChildSaSession->LocalPeerSpi)
|
|
);
|
|
}
|
|
|
|
//
|
|
// Set transform attribute for Encryption Algorithm - AES-CBC
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1);
|
|
TransformData->TransformIndex = 0;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ENCR;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_ENCR_AES_CBC;
|
|
Attribute = &TransformData->Attribute;
|
|
Attribute->AttrType = IKEV2_ATTRIBUTE_TYPE_KEYLEN;
|
|
Attribute->Attr.AttrLength = (UINT16) (8 * IpSecGetEncryptKeyLength (IKEV2_TRANSFORM_ID_ENCR_AES_CBC));
|
|
|
|
//
|
|
// Set transform attribute for Integrity Algorithm - SHA1_96
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 1;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_INTEG;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96;
|
|
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
//
|
|
// Set transform attribute for Pseduo-Random Function - HAMC_SHA1
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 2;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_PRF;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1;
|
|
}
|
|
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
//
|
|
// Set transform attrbiute for DH Group - DH-1024
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 3;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_DH;
|
|
TransformData->TransformId = IKEV2_TRANSFORM_ID_DH_1024MODP;
|
|
} else {
|
|
//
|
|
// Transform type for Extended Sequence Numbers. Currently not support Extended
|
|
// Sequence Number.
|
|
//
|
|
TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
|
|
TransformData->TransformIndex = 2;
|
|
TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ESN;
|
|
TransformData->TransformId = 0;
|
|
}
|
|
|
|
return SaData;
|
|
}
|
|
|
|
/**
|
|
Store the SA into SAD.
|
|
|
|
@param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2StoreSaData (
|
|
IN IKEV2_CHILD_SA_SESSION *ChildSaSession
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
EFI_IPSEC_SA_ID SaId;
|
|
EFI_IPSEC_SA_DATA2 SaData;
|
|
IKEV2_SESSION_COMMON *SessionCommon;
|
|
IPSEC_PRIVATE_DATA *Private;
|
|
UINT32 TempAddressCount;
|
|
EFI_IP_ADDRESS_INFO *TempAddressInfo;
|
|
|
|
SessionCommon = &ChildSaSession->SessionCommon;
|
|
Private = SessionCommon->Private;
|
|
|
|
ZeroMem (&SaId, sizeof (EFI_IPSEC_SA_ID));
|
|
ZeroMem (&SaData, sizeof (EFI_IPSEC_SA_DATA2));
|
|
|
|
//
|
|
// Create a SpdSelector. In this implementation, one SPD represents
|
|
// 2 direction traffic, so in here, there needs to reverse the local address
|
|
// and remote address for Remote Peer's SA, then reverse again for the locate
|
|
// SA.
|
|
//
|
|
TempAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;
|
|
TempAddressInfo = ChildSaSession->SpdSelector->LocalAddress;
|
|
|
|
ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->SpdSelector->RemoteAddressCount;
|
|
ChildSaSession->SpdSelector->LocalAddress = ChildSaSession->SpdSelector->RemoteAddress;
|
|
|
|
ChildSaSession->SpdSelector->RemoteAddress = TempAddressInfo;
|
|
ChildSaSession->SpdSelector->RemoteAddressCount= TempAddressCount;
|
|
|
|
//
|
|
// Set the SaId and SaData.
|
|
//
|
|
SaId.Spi = ChildSaSession->LocalPeerSpi;
|
|
SaId.Proto = EfiIPsecESP;
|
|
SaData.AntiReplayWindows = 16;
|
|
SaData.SNCount = 0;
|
|
SaData.Mode = ChildSaSession->Spd->Data->ProcessingPolicy->Mode;
|
|
|
|
//
|
|
// If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.
|
|
//
|
|
if (SaData.Mode == EfiIPsecTunnel) {
|
|
CopyMem (
|
|
&SaData.TunnelSourceAddress,
|
|
&ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
|
|
sizeof (EFI_IP_ADDRESS)
|
|
);
|
|
CopyMem (
|
|
&SaData.TunnelDestinationAddress,
|
|
&ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
|
|
sizeof (EFI_IP_ADDRESS)
|
|
);
|
|
}
|
|
|
|
CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.LocalPeerIp, sizeof (EFI_IP_ADDRESS));
|
|
CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.LocalPeerInfo, sizeof (EFI_IPSEC_ALGO_INFO));
|
|
SaData.SpdSelector = ChildSaSession->SpdSelector;
|
|
|
|
//
|
|
// Store the remote SA into SAD.
|
|
//
|
|
Status = EfiIpSecConfigSetData (
|
|
&Private->IpSecConfig,
|
|
IPsecConfigDataTypeSad,
|
|
(EFI_IPSEC_CONFIG_SELECTOR *) &SaId,
|
|
&SaData,
|
|
NULL
|
|
);
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
//
|
|
// Store the local SA into SAD.
|
|
//
|
|
ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;
|
|
ChildSaSession->SpdSelector->RemoteAddress = ChildSaSession->SpdSelector->LocalAddress;
|
|
|
|
ChildSaSession->SpdSelector->LocalAddress = TempAddressInfo;
|
|
ChildSaSession->SpdSelector->LocalAddressCount = TempAddressCount;
|
|
|
|
SaId.Spi = ChildSaSession->RemotePeerSpi;
|
|
|
|
CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.RemotePeerIp, sizeof (EFI_IP_ADDRESS));
|
|
CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.RemotePeerInfo, sizeof (EFI_IPSEC_ALGO_INFO));
|
|
SaData.SpdSelector = ChildSaSession->SpdSelector;
|
|
|
|
//
|
|
// If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.
|
|
//
|
|
if (SaData.Mode == EfiIPsecTunnel) {
|
|
CopyMem (
|
|
&SaData.TunnelSourceAddress,
|
|
&ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
|
|
sizeof (EFI_IP_ADDRESS)
|
|
);
|
|
CopyMem (
|
|
&SaData.TunnelDestinationAddress,
|
|
&ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
|
|
sizeof (EFI_IP_ADDRESS)
|
|
);
|
|
}
|
|
|
|
Status = EfiIpSecConfigSetData (
|
|
&Private->IpSecConfig,
|
|
IPsecConfigDataTypeSad,
|
|
(EFI_IPSEC_CONFIG_SELECTOR *) &SaId,
|
|
&SaData,
|
|
NULL
|
|
);
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
}
|
|
|
|
/**
|
|
Call back function of the IKE life time is over.
|
|
|
|
This function will mark the related IKE SA Session as deleting and trigger a
|
|
Information negotiation.
|
|
|
|
@param[in] Event The signaled Event.
|
|
@param[in] Context Pointer to data passed by caller.
|
|
|
|
**/
|
|
VOID
|
|
EFIAPI
|
|
Ikev2LifetimeNotify (
|
|
IN EFI_EVENT Event,
|
|
IN VOID *Context
|
|
)
|
|
{
|
|
IKEV2_SA_SESSION *IkeSaSession;
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
IKEV2_SESSION_COMMON *SessionCommon;
|
|
|
|
ASSERT (Context != NULL);
|
|
SessionCommon = (IKEV2_SESSION_COMMON *) Context;
|
|
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
|
|
DEBUG ((
|
|
DEBUG_INFO,
|
|
"\n---IkeSa Lifetime is out(cookie_i, cookie_r):(0x%lx, 0x%lx)---\n",
|
|
IkeSaSession->InitiatorCookie,
|
|
IkeSaSession->ResponderCookie
|
|
));
|
|
|
|
//
|
|
// Change the IKE SA Session's State to IKE_STATE_SA_DELETING.
|
|
//
|
|
IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateSaDeleting);
|
|
IkeSaSession->SessionCommon.State = IkeStateSaDeleting;
|
|
|
|
} else {
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
|
|
IkeSaSession = ChildSaSession->IkeSaSession;
|
|
|
|
//
|
|
// Link the timeout child SA to the DeleteSaList.
|
|
//
|
|
InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSession->ByDelete);
|
|
|
|
//
|
|
// Change the Child SA Session's State to IKE_STATE_SA_DELETING.
|
|
//
|
|
DEBUG ((
|
|
DEBUG_INFO,
|
|
"\n------ChildSa Lifetime is out(SPI):(0x%x)------\n",
|
|
ChildSaSession->LocalPeerSpi
|
|
));
|
|
}
|
|
|
|
//
|
|
// TODO: Send the delete info packet or delete silently
|
|
//
|
|
mIkev2Exchange.NegotiateInfo ((UINT8 *) IkeSaSession, NULL);
|
|
}
|
|
|
|
/**
|
|
This function will be called if the TimeOut Event is signaled.
|
|
|
|
@param[in] Event The signaled Event.
|
|
@param[in] Context The data passed by caller.
|
|
|
|
**/
|
|
VOID
|
|
EFIAPI
|
|
Ikev2ResendNotify (
|
|
IN EFI_EVENT Event,
|
|
IN VOID *Context
|
|
)
|
|
{
|
|
IPSEC_PRIVATE_DATA *Private;
|
|
IKEV2_SA_SESSION *IkeSaSession;
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
IKEV2_SESSION_COMMON *SessionCommon;
|
|
LIST_ENTRY *ChildSaEntry;
|
|
UINT8 Value;
|
|
EFI_STATUS Status;
|
|
|
|
ASSERT (Context != NULL);
|
|
IkeSaSession = NULL;
|
|
ChildSaSession = NULL;
|
|
SessionCommon = (IKEV2_SESSION_COMMON *) Context;
|
|
Private = SessionCommon->Private;
|
|
|
|
//
|
|
// Remove the SA session from the processing list if exceed the max retry.
|
|
//
|
|
if (SessionCommon->RetryCount > IKE_MAX_RETRY) {
|
|
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
|
|
IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
|
|
if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting) {
|
|
|
|
//
|
|
// If the IkeSaSession is initiator, delete all its Child SAs before removing IKE SA.
|
|
// If the IkesaSession is responder, all ChildSa has been remove in Ikev2HandleInfo();
|
|
//
|
|
for (ChildSaEntry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;
|
|
ChildSaEntry != &IkeSaSession->ChildSaEstablishSessionList;
|
|
) {
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ChildSaEntry);
|
|
//
|
|
// Move to next ChildSa Entry.
|
|
//
|
|
ChildSaEntry = ChildSaEntry->ForwardLink;
|
|
//
|
|
// Delete LocalSpi & RemoteSpi and remove the ChildSaSession from the
|
|
// EstablishedChildSaList.
|
|
//
|
|
Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerSpi);
|
|
}
|
|
|
|
//
|
|
// If the IKE SA Delete Payload wasn't sent out successfully, Delete it from the EstablishedList.
|
|
//
|
|
Ikev2SaSessionRemove (&Private->Ikev2EstablishedList, &SessionCommon->RemotePeerIp);
|
|
|
|
if (Private != NULL && Private->IsIPsecDisabling) {
|
|
//
|
|
// After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in
|
|
// IPsec status variable.
|
|
//
|
|
if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Private->Ikev2EstablishedList)) {
|
|
Value = IPSEC_STATUS_DISABLED;
|
|
Status = gRT->SetVariable (
|
|
IPSECCONFIG_STATUS_NAME,
|
|
&gEfiIpSecConfigProtocolGuid,
|
|
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
|
|
sizeof (Value),
|
|
&Value
|
|
);
|
|
if (!EFI_ERROR (Status)) {
|
|
//
|
|
// Set the Disabled Flag in Private data.
|
|
//
|
|
Private->IpSec.DisabledFlag = TRUE;
|
|
Private->IsIPsecDisabling = FALSE;
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
Ikev2SaSessionRemove (&Private->Ikev2SessionList, &SessionCommon->RemotePeerIp);
|
|
}
|
|
Ikev2SaSessionFree (IkeSaSession);
|
|
|
|
} else {
|
|
|
|
//
|
|
// If the packet sent by Child SA.
|
|
//
|
|
ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
|
|
IkeSaSession = ChildSaSession->IkeSaSession;
|
|
if (ChildSaSession->SessionCommon.State == IkeStateSaDeleting) {
|
|
|
|
//
|
|
// Established Child SA should be remove from the SAD entry and
|
|
// DeleteList. The function of Ikev2DeleteChildSaSilent() will remove
|
|
// the childSA from the IkeSaSession->ChildSaEstablishedList. So there
|
|
// is no need to remove it here.
|
|
//
|
|
Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerSpi);
|
|
Ikev2ChildSaSessionRemove (
|
|
&IkeSaSession->DeleteSaList,
|
|
ChildSaSession->LocalPeerSpi,
|
|
IKEV2_DELET_CHILDSA_LIST
|
|
);
|
|
} else {
|
|
Ikev2ChildSaSessionRemove (
|
|
&IkeSaSession->ChildSaSessionList,
|
|
ChildSaSession->LocalPeerSpi,
|
|
IKEV2_ESTABLISHING_CHILDSA_LIST
|
|
);
|
|
}
|
|
|
|
Ikev2ChildSaSessionFree (ChildSaSession);
|
|
}
|
|
return ;
|
|
}
|
|
|
|
//
|
|
// Increase the retry count.
|
|
//
|
|
SessionCommon->RetryCount++;
|
|
DEBUG ((DEBUG_INFO, ">>>Resending the last packet ...\n"));
|
|
|
|
//
|
|
// Resend the last packet.
|
|
//
|
|
Ikev2SendIkePacket (
|
|
SessionCommon->UdpService,
|
|
(UINT8*)SessionCommon,
|
|
SessionCommon->LastSentPacket,
|
|
0
|
|
);
|
|
}
|
|
|
|
/**
|
|
Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
|
|
|
|
ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,
|
|
the SpdSelector in ChildSaSession is more accurated or the scope is smaller
|
|
than the one in ChildSaSession->Spd, especially for the tunnel mode.
|
|
|
|
@param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.
|
|
|
|
@retval EFI_SUCCESS The operation complete successfully.
|
|
@retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
|
|
|
|
**/
|
|
EFI_STATUS
|
|
Ikev2ChildSaSessionSpdSelectorCreate (
|
|
IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
|
|
Status = EFI_SUCCESS;
|
|
|
|
if (ChildSaSession->Spd != NULL && ChildSaSession->Spd->Selector != NULL) {
|
|
if (ChildSaSession->SpdSelector == NULL) {
|
|
ChildSaSession->SpdSelector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR));
|
|
if (ChildSaSession->SpdSelector == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
return Status;
|
|
}
|
|
}
|
|
CopyMem (
|
|
ChildSaSession->SpdSelector,
|
|
ChildSaSession->Spd->Selector,
|
|
sizeof (EFI_IPSEC_SPD_SELECTOR)
|
|
);
|
|
ChildSaSession->SpdSelector->RemoteAddress = AllocateCopyPool (
|
|
ChildSaSession->Spd->Selector->RemoteAddressCount *
|
|
sizeof (EFI_IP_ADDRESS_INFO),
|
|
ChildSaSession->Spd->Selector->RemoteAddress
|
|
);
|
|
if (ChildSaSession->SpdSelector->RemoteAddress == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
|
|
FreePool (ChildSaSession->SpdSelector);
|
|
|
|
return Status;
|
|
}
|
|
|
|
ChildSaSession->SpdSelector->LocalAddress = AllocateCopyPool (
|
|
ChildSaSession->Spd->Selector->LocalAddressCount *
|
|
sizeof (EFI_IP_ADDRESS_INFO),
|
|
ChildSaSession->Spd->Selector->LocalAddress
|
|
);
|
|
if (ChildSaSession->SpdSelector->LocalAddress == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
|
|
FreePool (ChildSaSession->SpdSelector->RemoteAddress);
|
|
|
|
FreePool (ChildSaSession->SpdSelector);
|
|
|
|
return Status;
|
|
}
|
|
|
|
ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->Spd->Selector->RemoteAddressCount;
|
|
ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->Spd->Selector->LocalAddressCount;
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
/**
|
|
Generate a ChildSa Session and insert it into related IkeSaSession.
|
|
|
|
@param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
|
|
@param[in] UdpService Pointer to related IKE_UDP_SERVICE.
|
|
|
|
@return pointer of IKEV2_CHILD_SA_SESSION.
|
|
|
|
**/
|
|
IKEV2_CHILD_SA_SESSION *
|
|
Ikev2ChildSaSessionCreate (
|
|
IN IKEV2_SA_SESSION *IkeSaSession,
|
|
IN IKE_UDP_SERVICE *UdpService
|
|
)
|
|
{
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
IKEV2_SESSION_COMMON *ChildSaCommon;
|
|
|
|
//
|
|
// Create a new ChildSaSession.Insert it into processing list and initiate the common parameters.
|
|
//
|
|
ChildSaSession = Ikev2ChildSaSessionAlloc (UdpService, IkeSaSession);
|
|
if (ChildSaSession == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Set the specific parameters.
|
|
//
|
|
ChildSaSession->Spd = IkeSaSession->Spd;
|
|
ChildSaCommon = &ChildSaSession->SessionCommon;
|
|
ChildSaCommon->IsInitiator = IkeSaSession->SessionCommon.IsInitiator;
|
|
if (IkeSaSession->SessionCommon.State == IkeStateAuth) {
|
|
ChildSaCommon->State = IkeStateAuth;
|
|
IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateAuth);
|
|
} else {
|
|
ChildSaCommon->State = IkeStateCreateChild;
|
|
IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild);
|
|
}
|
|
|
|
//
|
|
// If SPD->Selector is not NULL, copy it to the ChildSaSession->SpdSelector.
|
|
// The ChildSaSession->SpdSelector might be changed after the traffic selector
|
|
// negoniation and it will be copied into the SAData after ChildSA established.
|
|
//
|
|
if (EFI_ERROR (Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession))) {
|
|
Ikev2ChildSaSessionFree (ChildSaSession);
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Copy first NiBlock and NrBlock to ChildSa Session
|
|
//
|
|
ChildSaSession->NiBlock = AllocateZeroPool (IkeSaSession->NiBlkSize);
|
|
if (ChildSaSession->NiBlock == NULL) {
|
|
Ikev2ChildSaSessionFree (ChildSaSession);
|
|
return NULL;
|
|
}
|
|
|
|
ChildSaSession->NiBlkSize = IkeSaSession->NiBlkSize;
|
|
CopyMem (ChildSaSession->NiBlock, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);
|
|
|
|
ChildSaSession->NrBlock = AllocateZeroPool (IkeSaSession->NrBlkSize);
|
|
if (ChildSaSession->NrBlock == NULL) {
|
|
Ikev2ChildSaSessionFree (ChildSaSession);
|
|
return NULL;
|
|
}
|
|
|
|
ChildSaSession->NrBlkSize = IkeSaSession->NrBlkSize;
|
|
CopyMem (ChildSaSession->NrBlock, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);
|
|
|
|
//
|
|
// Only if the Create Child SA is called for the IKE_INIT Exchange and
|
|
// IkeSaSession is initiator (Only Initiator's SPD is not NULL), Set the
|
|
// Traffic Selectors related information here.
|
|
//
|
|
if (IkeSaSession->SessionCommon.State == IkeStateAuth && IkeSaSession->Spd != NULL) {
|
|
ChildSaSession->ProtoId = IkeSaSession->Spd->Selector->NextLayerProtocol;
|
|
ChildSaSession->LocalPort = IkeSaSession->Spd->Selector->LocalPort;
|
|
ChildSaSession->RemotePort = IkeSaSession->Spd->Selector->RemotePort;
|
|
}
|
|
|
|
//
|
|
// Insert the new ChildSaSession into processing child SA list.
|
|
//
|
|
Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaSessionList, ChildSaSession);
|
|
return ChildSaSession;
|
|
}
|
|
|
|
/**
|
|
Check if the SPD is related to the input Child SA Session.
|
|
|
|
This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call
|
|
back function of IpSecVisitConfigData().
|
|
|
|
|
|
@param[in] Type Type of the input Config Selector.
|
|
@param[in] Selector Pointer to the Configure Selector to be checked.
|
|
@param[in] Data Pointer to the Configure Selector's Data passed
|
|
from the caller.
|
|
@param[in] SelectorSize The buffer size of Selector.
|
|
@param[in] DataSize The buffer size of the Data.
|
|
@param[in] Context The data passed from the caller. It is a Child
|
|
SA Session in this context.
|
|
|
|
@retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
|
|
@retval EFI_ABORTED The SPD Selector is related to the Child SA session and
|
|
set the ChildSaSession->Spd to point to this SPD Selector.
|
|
|
|
**/
|
|
EFI_STATUS
|
|
Ikev2MatchSpdEntry (
|
|
IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
|
|
IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
|
|
IN VOID *Data,
|
|
IN UINTN SelectorSize,
|
|
IN UINTN DataSize,
|
|
IN VOID *Context
|
|
)
|
|
{
|
|
IKEV2_CHILD_SA_SESSION *ChildSaSession;
|
|
EFI_IPSEC_SPD_SELECTOR *SpdSelector;
|
|
EFI_IPSEC_SPD_DATA *SpdData;
|
|
BOOLEAN IsMatch;
|
|
UINT8 IpVersion;
|
|
|
|
ASSERT (Type == IPsecConfigDataTypeSpd);
|
|
SpdData = (EFI_IPSEC_SPD_DATA *) Data;
|
|
//
|
|
// Bypass all non-protect SPD entry first
|
|
//
|
|
if (SpdData->Action != EfiIPsecActionProtect) {
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
ChildSaSession = (IKEV2_CHILD_SA_SESSION *) Context;
|
|
IpVersion = ChildSaSession->SessionCommon.UdpService->IpVersion;
|
|
SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) Selector;
|
|
IsMatch = TRUE;
|
|
|
|
if (SpdSelector->NextLayerProtocol == EFI_IP_PROTO_UDP &&
|
|
SpdSelector->LocalPort == IKE_DEFAULT_PORT &&
|
|
SpdSelector->LocalPortRange == 0 &&
|
|
SpdSelector->RemotePort == IKE_DEFAULT_PORT &&
|
|
SpdSelector->RemotePortRange == 0
|
|
) {
|
|
//
|
|
// TODO: Skip IKE Policy here or set a SPD entry?
|
|
//
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
if (SpdSelector->NextLayerProtocol != EFI_IPSEC_ANY_PROTOCOL &&
|
|
SpdSelector->NextLayerProtocol != ChildSaSession->ProtoId
|
|
) {
|
|
IsMatch = FALSE;
|
|
}
|
|
|
|
if (SpdSelector->LocalPort != EFI_IPSEC_ANY_PORT && SpdSelector->LocalPort != ChildSaSession->LocalPort) {
|
|
IsMatch = FALSE;
|
|
}
|
|
|
|
if (SpdSelector->RemotePort != EFI_IPSEC_ANY_PORT && SpdSelector->RemotePort != ChildSaSession->RemotePort) {
|
|
IsMatch = FALSE;
|
|
}
|
|
|
|
IsMatch = (BOOLEAN) (IsMatch &&
|
|
IpSecMatchIpAddress (
|
|
IpVersion,
|
|
&ChildSaSession->SessionCommon.LocalPeerIp,
|
|
SpdSelector->LocalAddress,
|
|
SpdSelector->LocalAddressCount
|
|
));
|
|
|
|
IsMatch = (BOOLEAN) (IsMatch &&
|
|
IpSecMatchIpAddress (
|
|
IpVersion,
|
|
&ChildSaSession->SessionCommon.RemotePeerIp,
|
|
SpdSelector->RemoteAddress,
|
|
SpdSelector->RemoteAddressCount
|
|
));
|
|
|
|
if (IsMatch) {
|
|
ChildSaSession->Spd = IkeSearchSpdEntry (SpdSelector);
|
|
return EFI_ABORTED;
|
|
} else {
|
|
return EFI_SUCCESS;
|
|
}
|
|
}
|
|
|
|
/**
|
|
Check if the Algorithm ID is supported.
|
|
|
|
@param[in] AlgorithmId The specified Algorithm ID.
|
|
@param[in] Type The type used to indicate the Algorithm is for Encrypt or
|
|
Authentication.
|
|
|
|
@retval TRUE If the Algorithm ID is supported.
|
|
@retval FALSE If the Algorithm ID is not supported.
|
|
|
|
**/
|
|
BOOLEAN
|
|
Ikev2IsSupportAlg (
|
|
IN UINT16 AlgorithmId,
|
|
IN UINT8 Type
|
|
)
|
|
{
|
|
UINT8 Index;
|
|
switch (Type) {
|
|
case IKE_ENCRYPT_TYPE :
|
|
for (Index = 0; Index < IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM; Index++) {
|
|
if (mIkev2EncryptAlgorithmList[Index] == AlgorithmId) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IKE_AUTH_TYPE :
|
|
for (Index = 0; Index < IKEV2_SUPPORT_AUTH_ALGORITHM_NUM; Index++) {
|
|
if (mIkev2AuthAlgorithmList[Index] == AlgorithmId) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IKE_DH_TYPE :
|
|
for (Index = 0; Index < IKEV2_SUPPORT_DH_ALGORITHM_NUM; Index++) {
|
|
if (mIkev2DhGroupAlgorithmList[Index] == AlgorithmId) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IKE_PRF_TYPE :
|
|
for (Index = 0; Index < IKEV2_SUPPORT_PRF_ALGORITHM_NUM; Index++) {
|
|
if (mIkev2PrfAlgorithmList[Index] == AlgorithmId) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
/**
|
|
Get the preferred algorithm types from ProposalData.
|
|
|
|
@param[in] ProposalData Pointer to related IKEV2_PROPOSAL_DATA.
|
|
@param[in, out] PreferEncryptAlgorithm Pointer to buffer which is used to store the
|
|
preferred encrypt algorithm.
|
|
Input value shall be initialized to zero that
|
|
indicates to be parsed from ProposalData.
|
|
Output of preferred encrypt algorithm.
|
|
@param[in, out] PreferIntegrityAlgorithm Pointer to buffer which is used to store the
|
|
preferred integrity algorithm.
|
|
Input value shall be initialized to zero that
|
|
indicates to be parsed from ProposalData.
|
|
Output of preferred integrity algorithm.
|
|
@param[in, out] PreferPrfAlgorithm Pointer to buffer which is used to store the
|
|
preferred PRF algorithm.
|
|
Input value shall be initialized to zero that
|
|
indicates to be parsed from ProposalData.
|
|
Output of preferred PRF algorithm. Only
|
|
for IKE SA.
|
|
@param[in, out] PreferDhGroup Pointer to buffer which is used to store the
|
|
preferred DH group.
|
|
Input value shall be initialized to zero that
|
|
indicates to be parsed from ProposalData.
|
|
Output of preferred DH group. Only for
|
|
IKE SA.
|
|
@param[out] PreferEncryptKeylength Pointer to buffer which is used to store the
|
|
preferred encrypt key length in bytes.
|
|
@param[out] IsSupportEsn Pointer to buffer which is used to store the
|
|
value about the Extented Sequence Number is
|
|
support or not. Only for Child SA.
|
|
@param[in] IsChildSa If it is ture, the ProposalData is for IKE
|
|
SA. Otherwise the proposalData is for Child SA.
|
|
|
|
**/
|
|
VOID
|
|
Ikev2ParseProposalData (
|
|
IN IKEV2_PROPOSAL_DATA *ProposalData,
|
|
IN OUT UINT16 *PreferEncryptAlgorithm,
|
|
IN OUT UINT16 *PreferIntegrityAlgorithm,
|
|
IN OUT UINT16 *PreferPrfAlgorithm,
|
|
IN OUT UINT16 *PreferDhGroup,
|
|
OUT UINTN *PreferEncryptKeylength,
|
|
OUT BOOLEAN *IsSupportEsn,
|
|
IN BOOLEAN IsChildSa
|
|
)
|
|
{
|
|
IKEV2_TRANSFORM_DATA *TransformData;
|
|
UINT8 TransformIndex;
|
|
|
|
//
|
|
// Check input parameters.
|
|
//
|
|
if (ProposalData == NULL ||
|
|
PreferEncryptAlgorithm == NULL ||
|
|
PreferIntegrityAlgorithm == NULL ||
|
|
PreferEncryptKeylength == NULL
|
|
) {
|
|
return;
|
|
}
|
|
|
|
if (IsChildSa) {
|
|
if (IsSupportEsn == NULL) {
|
|
return;
|
|
}
|
|
} else {
|
|
if (PreferPrfAlgorithm == NULL || PreferDhGroup == NULL) {
|
|
return;
|
|
}
|
|
}
|
|
|
|
TransformData = (IKEV2_TRANSFORM_DATA *)(ProposalData + 1);
|
|
for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {
|
|
switch (TransformData->TransformType) {
|
|
//
|
|
// For IKE SA there are four algorithm types. Encryption Algorithm, Pseudo-random Function,
|
|
// Integrity Algorithm, Diffie-Hellman Group. For Child SA, there are three algorithm types.
|
|
// Encryption Algorithm, Integrity Algorithm, Extended Sequence Number.
|
|
//
|
|
case IKEV2_TRANSFORM_TYPE_ENCR:
|
|
if (*PreferEncryptAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_ENCRYPT_TYPE)) {
|
|
//
|
|
// Check the attribute value. According to RFC, only Keylength is support.
|
|
//
|
|
if (TransformData->Attribute.AttrType == IKEV2_ATTRIBUTE_TYPE_KEYLEN) {
|
|
//
|
|
// If the Keylength is not support, continue to check the next one.
|
|
//
|
|
if (IpSecGetEncryptKeyLength ((UINT8)TransformData->TransformId) != (UINTN)(TransformData->Attribute.Attr.AttrValue >> 3)){
|
|
break;
|
|
} else {
|
|
*PreferEncryptKeylength = TransformData->Attribute.Attr.AttrValue;
|
|
}
|
|
}
|
|
*PreferEncryptAlgorithm = TransformData->TransformId;
|
|
}
|
|
break;
|
|
|
|
case IKEV2_TRANSFORM_TYPE_PRF :
|
|
if (!IsChildSa) {
|
|
if (*PreferPrfAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_PRF_TYPE)) {
|
|
*PreferPrfAlgorithm = TransformData->TransformId;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IKEV2_TRANSFORM_TYPE_INTEG :
|
|
if (*PreferIntegrityAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_AUTH_TYPE)) {
|
|
*PreferIntegrityAlgorithm = TransformData->TransformId;
|
|
}
|
|
break;
|
|
|
|
case IKEV2_TRANSFORM_TYPE_DH :
|
|
if (!IsChildSa) {
|
|
if (*PreferDhGroup == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_DH_TYPE)) {
|
|
*PreferDhGroup = TransformData->TransformId;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case IKEV2_TRANSFORM_TYPE_ESN :
|
|
if (IsChildSa) {
|
|
if (TransformData->TransformId != 0) {
|
|
*IsSupportEsn = TRUE;
|
|
}
|
|
}
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
TransformData = (IKEV2_TRANSFORM_DATA *)(TransformData + 1);
|
|
}
|
|
}
|
|
|
|
/**
|
|
Parse the received Initial Exchange Packet.
|
|
|
|
This function parse the SA Payload and Key Payload to find out the cryptographic
|
|
suite for the further IKE negotiation and fill it into the IKE SA Session's
|
|
CommonSession->SaParams.
|
|
|
|
@param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
|
|
@param[in] SaPayload The received packet.
|
|
@param[in] Type The received packet IKE header flag.
|
|
|
|
@retval TRUE If the SA proposal in Packet is acceptable.
|
|
@retval FALSE If the SA proposal in Packet is not acceptable.
|
|
|
|
**/
|
|
BOOLEAN
|
|
Ikev2SaParseSaPayload (
|
|
IN OUT IKEV2_SA_SESSION *IkeSaSession,
|
|
IN IKE_PAYLOAD *SaPayload,
|
|
IN UINT8 Type
|
|
)
|
|
{
|
|
IKEV2_PROPOSAL_DATA *ProposalData;
|
|
UINT8 ProposalIndex;
|
|
UINT16 PreferEncryptAlgorithm;
|
|
UINT16 PreferIntegrityAlgorithm;
|
|
UINT16 PreferPrfAlgorithm;
|
|
UINT16 PreferDhGroup;
|
|
UINTN PreferEncryptKeylength;
|
|
UINT16 EncryptAlgorithm;
|
|
UINT16 IntegrityAlgorithm;
|
|
UINT16 PrfAlgorithm;
|
|
UINT16 DhGroup;
|
|
UINTN EncryptKeylength;
|
|
BOOLEAN IsMatch;
|
|
UINTN SaDataSize;
|
|
|
|
PreferPrfAlgorithm = 0;
|
|
PreferIntegrityAlgorithm = 0;
|
|
PreferDhGroup = 0;
|
|
PreferEncryptAlgorithm = 0;
|
|
PreferEncryptKeylength = 0;
|
|
PrfAlgorithm = 0;
|
|
IntegrityAlgorithm = 0;
|
|
DhGroup = 0;
|
|
EncryptAlgorithm = 0;
|
|
EncryptKeylength = 0;
|
|
IsMatch = FALSE;
|
|
|
|
if (Type == IKE_HEADER_FLAGS_INIT) {
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);
|
|
for (ProposalIndex = 0; ProposalIndex < ((IKEV2_SA_DATA *)SaPayload->PayloadBuf)->NumProposals; ProposalIndex++) {
|
|
//
|
|
// Iterate each proposal to find the perfered one.
|
|
//
|
|
if (ProposalData->ProtocolId == IPSEC_PROTO_ISAKMP && ProposalData->NumTransforms >= 4) {
|
|
//
|
|
// Get the preferred algorithms.
|
|
//
|
|
Ikev2ParseProposalData (
|
|
ProposalData,
|
|
&PreferEncryptAlgorithm,
|
|
&PreferIntegrityAlgorithm,
|
|
&PreferPrfAlgorithm,
|
|
&PreferDhGroup,
|
|
&PreferEncryptKeylength,
|
|
NULL,
|
|
FALSE
|
|
);
|
|
|
|
if (PreferEncryptAlgorithm != 0 &&
|
|
PreferIntegrityAlgorithm != 0 &&
|
|
PreferPrfAlgorithm != 0 &&
|
|
PreferDhGroup != 0
|
|
) {
|
|
//
|
|
// Find the matched one.
|
|
//
|
|
IkeSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
|
|
if (IkeSaSession->SessionCommon.SaParams == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
|
|
IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
|
|
IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;
|
|
IkeSaSession->SessionCommon.SaParams->Prf = PreferPrfAlgorithm;
|
|
IkeSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
|
|
IkeSaSession->SessionCommon.PreferDhGroup = PreferDhGroup;
|
|
|
|
//
|
|
// Save the matched one in IKEV2_SA_DATA for furthure calculation.
|
|
//
|
|
SaDataSize = sizeof (IKEV2_SA_DATA) +
|
|
sizeof (IKEV2_PROPOSAL_DATA) +
|
|
sizeof (IKEV2_TRANSFORM_DATA) * 4;
|
|
IkeSaSession->SaData = AllocateZeroPool (SaDataSize);
|
|
if (IkeSaSession->SaData == NULL) {
|
|
FreePool (IkeSaSession->SessionCommon.SaParams);
|
|
return FALSE;
|
|
}
|
|
|
|
IkeSaSession->SaData->NumProposals = 1;
|
|
|
|
//
|
|
// BUGBUG: Suppose the matched proposal only has 4 transforms. If
|
|
// The matched Proposal has more than 4 transforms means it contains
|
|
// one than one transform with same type.
|
|
//
|
|
CopyMem (
|
|
(IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1),
|
|
ProposalData,
|
|
SaDataSize - sizeof (IKEV2_SA_DATA)
|
|
);
|
|
|
|
((IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1))->ProposalIndex = 1;
|
|
|
|
return TRUE;
|
|
} else {
|
|
PreferEncryptAlgorithm = 0;
|
|
PreferIntegrityAlgorithm = 0;
|
|
PreferPrfAlgorithm = 0;
|
|
PreferDhGroup = 0;
|
|
PreferEncryptKeylength = 0;
|
|
}
|
|
}
|
|
//
|
|
// Point to next Proposal.
|
|
//
|
|
ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +
|
|
ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
|
|
}
|
|
} else if (Type == IKE_HEADER_FLAGS_RESPOND) {
|
|
//
|
|
// First check the SA proposal's ProtoctolID and Transform Numbers. Since it is
|
|
// the responded SA proposal, suppose it only has one proposal and the transform Numbers
|
|
// is 4.
|
|
//
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload->PayloadBuf + 1);
|
|
if (ProposalData->ProtocolId != IPSEC_PROTO_ISAKMP || ProposalData->NumTransforms != 4) {
|
|
return FALSE;
|
|
}
|
|
//
|
|
// Get the preferred algorithms.
|
|
//
|
|
Ikev2ParseProposalData (
|
|
ProposalData,
|
|
&PreferEncryptAlgorithm,
|
|
&PreferIntegrityAlgorithm,
|
|
&PreferPrfAlgorithm,
|
|
&PreferDhGroup,
|
|
&PreferEncryptKeylength,
|
|
NULL,
|
|
FALSE
|
|
);
|
|
//
|
|
// Check if the Sa proposal data from received packet is in the IkeSaSession->SaData.
|
|
//
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1);
|
|
|
|
for (ProposalIndex = 0; ProposalIndex < IkeSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {
|
|
Ikev2ParseProposalData (
|
|
ProposalData,
|
|
&EncryptAlgorithm,
|
|
&IntegrityAlgorithm,
|
|
&PrfAlgorithm,
|
|
&DhGroup,
|
|
&EncryptKeylength,
|
|
NULL,
|
|
FALSE
|
|
);
|
|
if (EncryptAlgorithm == PreferEncryptAlgorithm &&
|
|
EncryptKeylength == PreferEncryptKeylength &&
|
|
IntegrityAlgorithm == PreferIntegrityAlgorithm &&
|
|
PrfAlgorithm == PreferPrfAlgorithm &&
|
|
DhGroup == PreferDhGroup
|
|
) {
|
|
IsMatch = TRUE;
|
|
} else {
|
|
EncryptAlgorithm = 0;
|
|
IntegrityAlgorithm = 0;
|
|
PrfAlgorithm = 0;
|
|
DhGroup = 0;
|
|
EncryptKeylength = 0;
|
|
}
|
|
|
|
ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +
|
|
ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
|
|
}
|
|
|
|
if (IsMatch) {
|
|
IkeSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
|
|
if (IkeSaSession->SessionCommon.SaParams == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
|
|
IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
|
|
IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;
|
|
IkeSaSession->SessionCommon.SaParams->Prf = PreferPrfAlgorithm;
|
|
IkeSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
|
|
IkeSaSession->SessionCommon.PreferDhGroup = PreferDhGroup;
|
|
|
|
return TRUE;
|
|
}
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
/**
|
|
Parse the received Authentication Exchange Packet.
|
|
|
|
This function parse the SA Payload and Key Payload to find out the cryptographic
|
|
suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.
|
|
|
|
@param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
|
|
this Authentication Exchange.
|
|
@param[in] SaPayload The received packet.
|
|
@param[in] Type The IKE header's flag of received packet .
|
|
|
|
@retval TRUE If the SA proposal in Packet is acceptable.
|
|
@retval FALSE If the SA proposal in Packet is not acceptable.
|
|
|
|
**/
|
|
BOOLEAN
|
|
Ikev2ChildSaParseSaPayload (
|
|
IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,
|
|
IN IKE_PAYLOAD *SaPayload,
|
|
IN UINT8 Type
|
|
)
|
|
{
|
|
IKEV2_PROPOSAL_DATA *ProposalData;
|
|
UINT8 ProposalIndex;
|
|
UINT16 PreferEncryptAlgorithm;
|
|
UINT16 PreferIntegrityAlgorithm;
|
|
UINTN PreferEncryptKeylength;
|
|
BOOLEAN PreferIsSupportEsn;
|
|
UINT16 EncryptAlgorithm;
|
|
UINT16 IntegrityAlgorithm;
|
|
UINTN EncryptKeylength;
|
|
BOOLEAN IsSupportEsn;
|
|
BOOLEAN IsMatch;
|
|
UINTN SaDataSize;
|
|
|
|
|
|
PreferIntegrityAlgorithm = 0;
|
|
PreferEncryptAlgorithm = 0;
|
|
PreferEncryptKeylength = 0;
|
|
IntegrityAlgorithm = 0;
|
|
EncryptAlgorithm = 0;
|
|
EncryptKeylength = 0;
|
|
IsMatch = FALSE;
|
|
IsSupportEsn = FALSE;
|
|
PreferIsSupportEsn = FALSE;
|
|
|
|
if (Type == IKE_HEADER_FLAGS_INIT) {
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload->PayloadBuf + 1);
|
|
for (ProposalIndex = 0; ProposalIndex < ((IKEV2_SA_DATA *) SaPayload->PayloadBuf)->NumProposals; ProposalIndex++) {
|
|
//
|
|
// Iterate each proposal to find the preferred one.
|
|
//
|
|
if (ProposalData->ProtocolId == IPSEC_PROTO_IPSEC_ESP && ProposalData->NumTransforms >= 3) {
|
|
//
|
|
// Get the preferred algorithm.
|
|
//
|
|
Ikev2ParseProposalData (
|
|
ProposalData,
|
|
&PreferEncryptAlgorithm,
|
|
&PreferIntegrityAlgorithm,
|
|
NULL,
|
|
NULL,
|
|
&PreferEncryptKeylength,
|
|
&IsSupportEsn,
|
|
TRUE
|
|
);
|
|
//
|
|
// Don't support the ESN now.
|
|
//
|
|
if (PreferEncryptAlgorithm != 0 &&
|
|
PreferIntegrityAlgorithm != 0 &&
|
|
!IsSupportEsn
|
|
) {
|
|
//
|
|
// Find the matched one.
|
|
//
|
|
ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
|
|
if (ChildSaSession->SessionCommon.SaParams == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
|
|
ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
|
|
ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
|
|
CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, sizeof (ChildSaSession->RemotePeerSpi));
|
|
|
|
//
|
|
// Save the matched one in IKEV2_SA_DATA for furthure calculation.
|
|
//
|
|
SaDataSize = sizeof (IKEV2_SA_DATA) +
|
|
sizeof (IKEV2_PROPOSAL_DATA) +
|
|
sizeof (IKEV2_TRANSFORM_DATA) * 4;
|
|
|
|
ChildSaSession->SaData = AllocateZeroPool (SaDataSize);
|
|
if (ChildSaSession->SaData == NULL) {
|
|
FreePool (ChildSaSession->SessionCommon.SaParams);
|
|
return FALSE;
|
|
}
|
|
|
|
ChildSaSession->SaData->NumProposals = 1;
|
|
|
|
//
|
|
// BUGBUG: Suppose there are 4 transforms in the matched proposal. If
|
|
// the matched Proposal has more than 4 transforms that means there
|
|
// are more than one transform with same type.
|
|
//
|
|
CopyMem (
|
|
(IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1),
|
|
ProposalData,
|
|
SaDataSize - sizeof (IKEV2_SA_DATA)
|
|
);
|
|
|
|
((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->ProposalIndex = 1;
|
|
|
|
((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi = AllocateCopyPool (
|
|
sizeof (ChildSaSession->LocalPeerSpi),
|
|
&ChildSaSession->LocalPeerSpi
|
|
);
|
|
if (((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi == NULL) {
|
|
FreePool (ChildSaSession->SessionCommon.SaParams);
|
|
|
|
FreePool (ChildSaSession->SaData );
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
} else {
|
|
PreferEncryptAlgorithm = 0;
|
|
PreferIntegrityAlgorithm = 0;
|
|
IsSupportEsn = TRUE;
|
|
}
|
|
}
|
|
//
|
|
// Point to next Proposal
|
|
//
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *)((UINT8 *)(ProposalData + 1) +
|
|
ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
|
|
}
|
|
} else if (Type == IKE_HEADER_FLAGS_RESPOND) {
|
|
//
|
|
// First check the SA proposal's ProtoctolID and Transform Numbers. Since it is
|
|
// the responded SA proposal, suppose it only has one proposal and the transform Numbers
|
|
// is 3.
|
|
//
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);
|
|
if (ProposalData->ProtocolId != IPSEC_PROTO_IPSEC_ESP || ProposalData->NumTransforms != 3) {
|
|
return FALSE;
|
|
}
|
|
//
|
|
// Get the preferred algorithms.
|
|
//
|
|
Ikev2ParseProposalData (
|
|
ProposalData,
|
|
&PreferEncryptAlgorithm,
|
|
&PreferIntegrityAlgorithm,
|
|
NULL,
|
|
NULL,
|
|
&PreferEncryptKeylength,
|
|
&PreferIsSupportEsn,
|
|
TRUE
|
|
);
|
|
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1);
|
|
|
|
for (ProposalIndex = 0; ProposalIndex < ChildSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {
|
|
Ikev2ParseProposalData (
|
|
ProposalData,
|
|
&EncryptAlgorithm,
|
|
&IntegrityAlgorithm,
|
|
NULL,
|
|
NULL,
|
|
&EncryptKeylength,
|
|
&IsSupportEsn,
|
|
TRUE
|
|
);
|
|
if (EncryptAlgorithm == PreferEncryptAlgorithm &&
|
|
EncryptKeylength == PreferEncryptKeylength &&
|
|
IntegrityAlgorithm == PreferIntegrityAlgorithm &&
|
|
IsSupportEsn == PreferIsSupportEsn
|
|
) {
|
|
IsMatch = TRUE;
|
|
} else {
|
|
IntegrityAlgorithm = 0;
|
|
EncryptAlgorithm = 0;
|
|
EncryptKeylength = 0;
|
|
IsSupportEsn = FALSE;
|
|
}
|
|
ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +
|
|
ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
|
|
}
|
|
|
|
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);
|
|
if (IsMatch) {
|
|
ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
|
|
if (ChildSaSession->SessionCommon.SaParams == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
|
|
ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
|
|
ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
|
|
CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, sizeof (ChildSaSession->RemotePeerSpi));
|
|
|
|
return TRUE;
|
|
}
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
/**
|
|
Generate Key buffer from fragments.
|
|
|
|
If the digest length of specified HashAlgId is larger than or equal with the
|
|
required output key length, derive the key directly. Otherwise, Key Material
|
|
needs to be PRF-based concatenation according to 2.13 of RFC 4306:
|
|
prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
|
|
T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
|
|
then derive the key from this key material.
|
|
|
|
@param[in] HashAlgId The Hash Algorithm ID used to generate key.
|
|
@param[in] HashKey Pointer to a key buffer which contains hash key.
|
|
@param[in] HashKeyLength The length of HashKey in bytes.
|
|
@param[in, out] OutputKey Pointer to buffer which is used to receive the
|
|
output key.
|
|
@param[in] OutputKeyLength The length of OutPutKey buffer.
|
|
@param[in] Fragments Pointer to the data to be used to generate key.
|
|
@param[in] NumFragments The numbers of the Fragement.
|
|
|
|
@retval EFI_SUCCESS The operation complete successfully.
|
|
@retval EFI_INVALID_PARAMETER If NumFragments is zero.
|
|
If the authentication algorithm given by HashAlgId
|
|
cannot be found.
|
|
@retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
|
|
@retval Others The operation is failed.
|
|
|
|
**/
|
|
EFI_STATUS
|
|
Ikev2SaGenerateKey (
|
|
IN UINT8 HashAlgId,
|
|
IN UINT8 *HashKey,
|
|
IN UINTN HashKeyLength,
|
|
IN OUT UINT8 *OutputKey,
|
|
IN UINTN OutputKeyLength,
|
|
IN PRF_DATA_FRAGMENT *Fragments,
|
|
IN UINTN NumFragments
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
PRF_DATA_FRAGMENT LocalFragments[3];
|
|
UINT8 *Digest;
|
|
UINTN DigestSize;
|
|
UINTN Round;
|
|
UINTN Index;
|
|
UINTN AuthKeyLength;
|
|
UINTN FragmentsSize;
|
|
UINT8 TailData;
|
|
|
|
Status = EFI_SUCCESS;
|
|
|
|
if (NumFragments == 0) {
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
LocalFragments[0].Data = NULL;
|
|
LocalFragments[1].Data = NULL;
|
|
LocalFragments[2].Data = NULL;
|
|
|
|
AuthKeyLength = IpSecGetHmacDigestLength (HashAlgId);
|
|
if (AuthKeyLength == 0) {
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
DigestSize = AuthKeyLength;
|
|
Digest = AllocateZeroPool (AuthKeyLength);
|
|
|
|
if (Digest == NULL) {
|
|
return EFI_OUT_OF_RESOURCES;
|
|
}
|
|
//
|
|
// If the required output key length is less than the digest size,
|
|
// copy the digest into OutputKey.
|
|
//
|
|
if (OutputKeyLength <= DigestSize) {
|
|
Status = IpSecCryptoIoHmac (
|
|
HashAlgId,
|
|
HashKey,
|
|
HashKeyLength,
|
|
(HASH_DATA_FRAGMENT *) Fragments,
|
|
NumFragments,
|
|
Digest,
|
|
DigestSize
|
|
);
|
|
if (EFI_ERROR (Status)) {
|
|
goto Exit;
|
|
}
|
|
|
|
CopyMem (OutputKey, Digest, OutputKeyLength);
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
//Otherwise, Key Material need to be PRF-based concatenation according to 2.13
|
|
//of RFC 4306: prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
|
|
//T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
|
|
//then derive the key from this key material.
|
|
//
|
|
FragmentsSize = 0;
|
|
for (Index = 0; Index < NumFragments; Index++) {
|
|
FragmentsSize = FragmentsSize + Fragments[Index].DataSize;
|
|
}
|
|
|
|
LocalFragments[1].Data = AllocateZeroPool (FragmentsSize);
|
|
if (LocalFragments[1].Data == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
goto Exit;
|
|
}
|
|
|
|
LocalFragments[1].DataSize = FragmentsSize;
|
|
|
|
//
|
|
// Copy all input fragments into LocalFragments[1];
|
|
//
|
|
FragmentsSize = 0;
|
|
for (Index = 0; Index < NumFragments; Index++) {
|
|
CopyMem (
|
|
LocalFragments[1].Data + FragmentsSize,
|
|
Fragments[Index].Data,
|
|
Fragments[Index].DataSize
|
|
);
|
|
FragmentsSize = FragmentsSize + Fragments[Index].DataSize;
|
|
}
|
|
|
|
//
|
|
// Prepare 0x01 as the first tail data.
|
|
//
|
|
TailData = 0x01;
|
|
LocalFragments[2].Data = &TailData;
|
|
LocalFragments[2].DataSize = sizeof (TailData);
|
|
//
|
|
// Allocate buffer for the first fragment
|
|
//
|
|
LocalFragments[0].Data = AllocateZeroPool (AuthKeyLength);
|
|
if (LocalFragments[0].Data == NULL) {
|
|
Status = EFI_OUT_OF_RESOURCES;
|
|
goto Exit;
|
|
}
|
|
|
|
LocalFragments[0].DataSize = AuthKeyLength;
|
|
|
|
Round = (OutputKeyLength - 1) / AuthKeyLength + 1;
|
|
for (Index = 0; Index < Round; Index++) {
|
|
Status = IpSecCryptoIoHmac (
|
|
HashAlgId,
|
|
HashKey,
|
|
HashKeyLength,
|
|
(HASH_DATA_FRAGMENT *)(Index == 0 ? &LocalFragments[1] : LocalFragments),
|
|
Index == 0 ? 2 : 3,
|
|
Digest,
|
|
DigestSize
|
|
);
|
|
if (EFI_ERROR(Status)) {
|
|
goto Exit;
|
|
}
|
|
CopyMem (
|
|
LocalFragments[0].Data,
|
|
Digest,
|
|
DigestSize
|
|
);
|
|
if (OutputKeyLength > DigestSize * (Index + 1)) {
|
|
CopyMem (
|
|
OutputKey + Index * DigestSize,
|
|
Digest,
|
|
DigestSize
|
|
);
|
|
LocalFragments[0].DataSize = DigestSize;
|
|
TailData ++;
|
|
} else {
|
|
//
|
|
// The last round
|
|
//
|
|
CopyMem (
|
|
OutputKey + Index * DigestSize,
|
|
Digest,
|
|
OutputKeyLength - Index * DigestSize
|
|
);
|
|
}
|
|
}
|
|
|
|
Exit:
|
|
//
|
|
// Only First and second Framgement Data need to be freed.
|
|
//
|
|
for (Index = 0 ; Index < 2; Index++) {
|
|
if (LocalFragments[Index].Data != NULL) {
|
|
FreePool (LocalFragments[Index].Data);
|
|
}
|
|
}
|
|
if (Digest != NULL) {
|
|
FreePool (Digest);
|
|
}
|
|
return Status;
|
|
}
|
|
|