1 /** @file 2 The interfaces of IKE/Child session operations and payload related operations 3 used by IKE Exchange Process. 4 5 Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR> 6 7 This program and the accompanying materials 8 are licensed and made available under the terms and conditions of the BSD License 9 which accompanies this distribution. The full text of the license may be found at 10 http://opensource.org/licenses/bsd-license.php. 11 12 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 13 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. 14 15 **/ 16 17 #ifndef _IKE_V2_UTILITY_H_ 18 #define _IKE_V2_UTILITY_H_ 19 20 #include "Ikev2.h" 21 #include "IkeCommon.h" 22 #include "IpSecCryptIo.h" 23 24 #include <Library/PcdLib.h> 25 26 #define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2 27 #define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1 28 #define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2 29 #define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1 30 31 /** 32 Allocate buffer for IKEV2_SA_SESSION and initialize it. 33 34 @param[in] Private Pointer to IPSEC_PRIVATE_DATA. 35 @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session. 36 37 @return Pointer to IKEV2_SA_SESSION. 38 39 **/ 40 IKEV2_SA_SESSION * 41 Ikev2SaSessionAlloc ( 42 IN IPSEC_PRIVATE_DATA *Private, 43 IN IKE_UDP_SERVICE *UdpService 44 ); 45 46 /** 47 Register Establish IKEv2 SA into Private->Ikev2EstablishedList. 48 49 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered. 50 @param[in] Private Pointer to IPSEC_PRAVATE_DATA. 51 52 **/ 53 VOID 54 Ikev2SaSessionReg ( 55 IN IKEV2_SA_SESSION *IkeSaSession, 56 IN IPSEC_PRIVATE_DATA *Private 57 ); 58 59 /** 60 Find a IKEV2_SA_SESSION by the remote peer IP. 61 62 @param[in] SaSessionList SaSession List to be searched. 63 @param[in] RemotePeerIp Pointer to specified IP address. 64 65 @return Pointer to IKEV2_SA_SESSION if find one or NULL. 66 67 **/ 68 IKEV2_SA_SESSION * 69 Ikev2SaSessionLookup ( 70 IN LIST_ENTRY *SaSessionList, 71 IN EFI_IP_ADDRESS *RemotePeerIp 72 ); 73 74 /** 75 Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either 76 Private->Ikev2SaSession list or Private->Ikev2EstablishedList list. 77 78 @param[in] SaSessionList Pointer to list to be inserted into. 79 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted. 80 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the 81 unique IKEV2_SA_SESSION. 82 83 **/ 84 VOID 85 Ikev2SaSessionInsert ( 86 IN LIST_ENTRY *SaSessionList, 87 IN IKEV2_SA_SESSION *IkeSaSession, 88 IN EFI_IP_ADDRESS *RemotePeerIp 89 ); 90 91 /** 92 Remove the SA Session by Remote Peer IP. 93 94 @param[in] SaSessionList Pointer to list to be searched. 95 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search. 96 97 @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address. 98 99 **/ 100 IKEV2_SA_SESSION * 101 Ikev2SaSessionRemove ( 102 IN LIST_ENTRY *SaSessionList, 103 IN EFI_IP_ADDRESS *RemotePeerIp 104 ); 105 106 107 /** 108 Marking a SA session as on deleting. 109 110 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION. 111 112 @retval EFI_SUCCESS Find the related SA session and marked it. 113 114 **/ 115 EFI_STATUS 116 Ikev2SaSessionOnDeleting ( 117 IN IKEV2_SA_SESSION *IkeSaSession 118 ); 119 120 /** 121 After IKE/Child SA is estiblished, close the time event and free sent packet. 122 123 @param[in] SessionCommon Pointer to a Session Common. 124 125 **/ 126 VOID 127 Ikev2SessionCommonRefresh ( 128 IN IKEV2_SESSION_COMMON *SessionCommon 129 ); 130 131 /** 132 Free specified IKEV2 SA Session. 133 134 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed. 135 136 **/ 137 VOID 138 Ikev2SaSessionFree ( 139 IN IKEV2_SA_SESSION *IkeSaSession 140 ); 141 142 /** 143 Free specified Seession Common. The session common would belong to a IKE SA or 144 a Child SA. 145 146 @param[in] SessionCommon Pointer to a Session Common. 147 148 **/ 149 VOID 150 Ikev2SaSessionCommonFree ( 151 IN IKEV2_SESSION_COMMON *SessionCommon 152 ); 153 154 /** 155 Increase the MessageID in IkeSaSession. 156 157 @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION. 158 159 **/ 160 VOID 161 Ikev2SaSessionIncreaseMessageId ( 162 IN IKEV2_SA_SESSION *IkeSaSession 163 ); 164 165 /** 166 Allocate Momery for IKEV2 Child SA Session. 167 168 @param[in] UdpService Pointer to IKE_UDP_SERVICE. 169 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA 170 Session. 171 172 @retval Pointer of a new created IKEV2 Child SA Session. 173 174 **/ 175 IKEV2_CHILD_SA_SESSION * 176 Ikev2ChildSaSessionAlloc ( 177 IN IKE_UDP_SERVICE *UdpService, 178 IN IKEV2_SA_SESSION *IkeSaSession 179 ); 180 181 /** 182 Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList. 183 If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one 184 then register the new one. 185 186 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered. 187 @param[in] Private Pointer to IPSEC_PRAVATE_DATA. 188 189 **/ 190 VOID 191 Ikev2ChildSaSessionReg ( 192 IN IKEV2_CHILD_SA_SESSION *ChildSaSession, 193 IN IPSEC_PRIVATE_DATA *Private 194 ); 195 196 /** 197 This function find the Child SA by the specified Spi. 198 199 This functin find a ChildSA session by searching the ChildSaSessionlist of 200 the input IKEV2_SA_SESSION by specified MessageID. 201 202 @param[in] SaSessionList Pointer to List to be searched. 203 @param[in] Spi Specified SPI. 204 205 @return Pointer to IKEV2_CHILD_SA_SESSION. 206 207 **/ 208 IKEV2_CHILD_SA_SESSION * 209 Ikev2ChildSaSessionLookupBySpi ( 210 IN LIST_ENTRY *SaSessionList, 211 IN UINT32 Spi 212 ); 213 214 /** 215 Find the ChildSaSession by it's MessagId. 216 217 @param[in] SaSessionList Pointer to a ChildSaSession List. 218 @param[in] Mid The messageId used to search ChildSaSession. 219 220 @return Pointer to IKEV2_CHILD_SA_SESSION. 221 222 **/ 223 IKEV2_CHILD_SA_SESSION * 224 Ikev2ChildSaSessionLookupByMid ( 225 IN LIST_ENTRY *SaSessionList, 226 IN UINT32 Mid 227 ); 228 229 /** 230 Insert a Child SA Session into the specified ChildSa list.. 231 232 @param[in] SaSessionList Pointer to list to be inserted in. 233 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted. 234 235 **/ 236 VOID 237 Ikev2ChildSaSessionInsert ( 238 IN LIST_ENTRY *SaSessionList, 239 IN IKEV2_CHILD_SA_SESSION *ChildSaSession 240 ); 241 242 /** 243 Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList. 244 245 @param[in] SaSessionList The SA Session List to be iterated. 246 @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION. 247 @param[in] ListType The type of the List to indicate whether it is a 248 Established. 249 250 @return The point to IKEV2_CHILD_SA_SESSION. 251 252 **/ 253 IKEV2_CHILD_SA_SESSION * 254 Ikev2ChildSaSessionRemove ( 255 IN LIST_ENTRY *SaSessionList, 256 IN UINT32 Spi, 257 IN UINT8 ListType 258 ); 259 260 /** 261 Mark a specified Child SA Session as on deleting. 262 263 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION. 264 265 @retval EFI_SUCCESS Operation is successful. 266 267 **/ 268 EFI_STATUS 269 Ikev2ChildSaSessionOnDeleting ( 270 IN IKEV2_CHILD_SA_SESSION *ChildSaSession 271 ); 272 273 /** 274 Free the memory located for the specified IKEV2_CHILD_SA_SESSION. 275 276 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION. 277 278 **/ 279 VOID 280 Ikev2ChildSaSessionFree ( 281 IN IKEV2_CHILD_SA_SESSION *ChildSaSession 282 ); 283 284 /** 285 Free the specified DhBuffer. 286 287 @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed. 288 289 **/ 290 VOID 291 Ikev2DhBufferFree ( 292 IN IKEV2_DH_BUFFER *DhBuffer 293 ); 294 295 /** 296 Delete the specified established Child SA. 297 298 This function delete the Child SA directly and dont send the Information Packet to 299 remote peer. 300 301 @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for. 302 @param[in] Spi SPI used to find the Child SA. 303 304 @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL. 305 @retval EFI_NOT_FOUND There is no specified Child SA related with the input 306 SPI under this IKE SA Session. 307 @retval EFI_SUCCESS Delete the Child SA successfully. 308 309 **/ 310 EFI_STATUS 311 Ikev2ChildSaSilentDelete ( 312 IN IKEV2_SA_SESSION *IkeSaSession, 313 IN UINT32 Spi 314 ); 315 316 /** 317 This function is to parse a request IKE packet and return its request type. 318 The request type is one of IKE CHILD SA creation, IKE SA rekeying and 319 IKE CHILD SA rekeying. 320 321 @param[in] IkePacket IKE packet to be prased. 322 323 return the type of the IKE packet. 324 325 **/ 326 IKEV2_CREATE_CHILD_REQUEST_TYPE 327 Ikev2ChildExchangeRequestType( 328 IN IKE_PACKET *IkePacket 329 ); 330 331 /** 332 This function finds the SPI from Create Child Sa Exchange Packet. 333 334 @param[in] IkePacket Pointer to IKE_PACKET to be searched. 335 336 @retval SPI number. 337 338 **/ 339 UINT32 340 Ikev2ChildExchangeRekeySpi( 341 IN IKE_PACKET *IkePacket 342 ); 343 344 345 /** 346 Associate a SPD selector to the Child SA Session. 347 348 This function is called when the Child SA is not the first child SA of its 349 IKE SA. It associate a SPD to this Child SA. 350 351 @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to 352 a SPD selector. 353 354 @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully. 355 @retval EFI_NOT_FOUND Can't find the related SPD selector. 356 357 **/ 358 EFI_STATUS 359 Ikev2ChildSaAssociateSpdEntry ( 360 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession 361 ); 362 363 /** 364 Validate the IKE header of received IKE packet. 365 366 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet. 367 @param[in] IkeHdr Pointer to IKE header of received IKE packet. 368 369 @retval TRUE If the IKE header is valid. 370 @retval FALSE If the IKE header is invalid. 371 372 **/ 373 BOOLEAN 374 Ikev2ValidateHeader ( 375 IN IKEV2_SA_SESSION *IkeSaSession, 376 IN IKE_HEADER *IkeHdr 377 ); 378 379 /** 380 Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON. 381 382 This function will be only called by the initiator. The responder's IKEV2_SA_DATA 383 will be generated during parsed the initiator packet. 384 385 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to. 386 387 @retval a Pointer to a new IKEV2_SA_DATA or NULL. 388 389 **/ 390 IKEV2_SA_DATA * 391 Ikev2InitializeSaData ( 392 IN IKEV2_SESSION_COMMON *SessionCommon 393 ); 394 395 /** 396 Store the SA into SAD. 397 398 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION. 399 400 **/ 401 VOID 402 Ikev2StoreSaData ( 403 IN IKEV2_CHILD_SA_SESSION *ChildSaSession 404 ); 405 406 /** 407 Routine process before the payload decoding. 408 409 @param[in] SessionCommon Pointer to ChildSa SessionCommon. 410 @param[in] PayloadBuf Pointer to the payload. 411 @param[in] PayloadSize Size of PayloadBuf in byte. 412 @param[in] PayloadType Type of Payload. 413 414 **/ 415 VOID 416 Ikev2ChildSaBeforeDecodePayload ( 417 IN UINT8 *SessionCommon, 418 IN UINT8 *PayloadBuf, 419 IN UINTN PayloadSize, 420 IN UINT8 PayloadType 421 ); 422 423 /** 424 Routine Process after the encode payload. 425 426 @param[in] SessionCommon Pointer to ChildSa SessionCommon. 427 @param[in] PayloadBuf Pointer to the payload. 428 @param[in] PayloadSize Size of PayloadBuf in byte. 429 @param[in] PayloadType Type of Payload. 430 431 **/ 432 VOID 433 Ikev2ChildSaAfterEncodePayload ( 434 IN UINT8 *SessionCommon, 435 IN UINT8 *PayloadBuf, 436 IN UINTN PayloadSize, 437 IN UINT8 PayloadType 438 ); 439 440 /** 441 Generate Ikev2 SA payload according to SessionSaData 442 443 @param[in] SessionSaData The data used in SA payload. 444 @param[in] NextPayload The payload type presented in NextPayload field of 445 SA Payload header. 446 @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or 447 (2) for CHILD_SA or (3) for INFO. 448 449 @retval a Pointer to SA IKE payload. 450 451 **/ 452 IKE_PAYLOAD * 453 Ikev2GenerateSaPayload ( 454 IN IKEV2_SA_DATA *SessionSaData, 455 IN UINT8 NextPayload, 456 IN IKE_SESSION_TYPE Type 457 ); 458 459 /** 460 Generate a ID payload. 461 462 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload. 463 @param[in] NextPayload The payload type presented in the NextPayload field 464 of ID Payload header. 465 466 @retval Pointer to ID IKE payload. 467 468 **/ 469 IKE_PAYLOAD * 470 Ikev2GenerateIdPayload ( 471 IN IKEV2_SESSION_COMMON *CommonSession, 472 IN UINT8 NextPayload 473 ); 474 475 /** 476 Generate a ID payload. 477 478 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload. 479 @param[in] NextPayload The payload type presented in the NextPayload field 480 of ID Payload header. 481 @param[in] InCert Pointer to the Certificate which distinguished name 482 will be added into the Id payload. 483 @param[in] CertSize Size of the Certificate. 484 485 @retval Pointer to ID IKE payload. 486 487 **/ 488 IKE_PAYLOAD * 489 Ikev2GenerateCertIdPayload ( 490 IN IKEV2_SESSION_COMMON *CommonSession, 491 IN UINT8 NextPayload, 492 IN UINT8 *InCert, 493 IN UINTN CertSize 494 ); 495 496 /** 497 Generate a Nonce payload contenting the input parameter NonceBuf. 498 499 @param[in] NonceBuf The nonce buffer content the whole Nonce payload block 500 except the payload header. 501 @param[in] NonceSize The buffer size of the NonceBuf 502 @param[in] NextPayload The payload type presented in the NextPayload field 503 of Nonce Payload header. 504 505 @retval Pointer to Nonce IKE paload. 506 507 **/ 508 IKE_PAYLOAD * 509 Ikev2GenerateNoncePayload ( 510 IN UINT8 *NonceBuf, 511 IN UINTN NonceSize, 512 IN UINT8 NextPayload 513 ); 514 515 /** 516 Generate the Notify payload. 517 518 Since the structure of Notify payload which defined in RFC 4306 is simple, so 519 there is no internal data structure for Notify payload. This function generate 520 Notify payload defined in RFC 4306, but all the fields in this payload are still 521 in host order and need call Ikev2EncodePayload() to convert those fields from 522 the host order to network order beforing sending it. 523 524 @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1). 525 For IPsec SAs it MUST be neither (2) for AH or (3) 526 for ESP. 527 @param[in] NextPayload The next paylaod type in NextPayload field of 528 the Notify payload. 529 @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload. 530 @param[in] MessageType The message type in NotifyMessageType field of the 531 Notify Payload. 532 @param[in] SpiBuf Pointer to buffer contains the SPI value. 533 @param[in] NotifyData Pointer to buffer contains the notification data. 534 @param[in] NotifyDataSize The size of NotifyData in bytes. 535 536 537 @retval Pointer to IKE Notify Payload. 538 539 **/ 540 IKE_PAYLOAD * 541 Ikev2GenerateNotifyPayload ( 542 IN UINT8 ProtocolId, 543 IN UINT8 NextPayload, 544 IN UINT8 SpiSize, 545 IN UINT16 MessageType, 546 IN UINT8 *SpiBuf, 547 IN UINT8 *NotifyData, 548 IN UINTN NotifyDataSize 549 ); 550 551 /** 552 Generate the Delete payload. 553 554 Since the structure of Delete payload which defined in RFC 4306 is simple, 555 there is no internal data structure for Delete payload. This function generate 556 Delete payload defined in RFC 4306, but all the fields in this payload are still 557 in host order and need call Ikev2EncodePayload() to convert those fields from 558 the host order to network order beforing sending it. 559 560 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation. 561 @param[in] NextPayload The next paylaod type in NextPayload field of 562 the Delete payload. 563 @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload. 564 @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload. 565 @param[in] SpiBuf Pointer to buffer contains the SPI value. 566 567 @retval Pointer to IKE Delete Payload. 568 569 **/ 570 IKE_PAYLOAD * 571 Ikev2GenerateDeletePayload ( 572 IN IKEV2_SA_SESSION *IkeSaSession, 573 IN UINT8 NextPayload, 574 IN UINT8 SpiSize, 575 IN UINT16 SpiNum, 576 IN UINT8 *SpiBuf 577 ); 578 579 /** 580 Generate the Configuration payload. 581 582 This function generates a configuration payload defined in RFC 4306, but all the 583 fields in this payload are still in host order and need call Ikev2EncodePayload() 584 to convert those fields from the host order to network order beforing sending it. 585 586 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload 587 generation. 588 @param[in] NextPayload The next paylaod type in NextPayload field of 589 the Delete payload. 590 @param[in] CfgType The attribute type in the Configuration attribute. 591 592 @retval Pointer to IKE CP Payload. 593 594 **/ 595 IKE_PAYLOAD * 596 Ikev2GenerateCpPayload ( 597 IN IKEV2_SA_SESSION *IkeSaSession, 598 IN UINT8 NextPayload, 599 IN UINT8 CfgType 600 ); 601 602 /** 603 Generate a Authentication Payload. 604 605 This function is used for both Authentication generation and verification. When the 606 IsVerify is TRUE, it create a Auth Data for verification. This function choose the 607 related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type 608 and the value of IsVerify parameter. 609 610 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. 611 @param[in] IdPayload Pointer to the ID payload to be used for Authentication 612 payload generation. 613 @param[in] NextPayload The type filled into the Authentication Payload next 614 payload field. 615 @param[in] IsVerify If it is TURE, the Authentication payload is used for 616 verification. 617 618 @return pointer to IKE Authentication payload for pre-shard key method. 619 620 **/ 621 IKE_PAYLOAD * 622 Ikev2PskGenerateAuthPayload ( 623 IN IKEV2_SA_SESSION *IkeSaSession, 624 IN IKE_PAYLOAD *IdPayload, 625 IN UINT8 NextPayload, 626 IN BOOLEAN IsVerify 627 ); 628 629 /** 630 Generate a Authentication Payload for Certificate Auth method. 631 632 This function has two functions. One is creating a local Authentication 633 Payload for sending and other is creating the remote Authentication data 634 for verification when the IsVerify is TURE. 635 636 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. 637 @param[in] IdPayload Pointer to the ID payload to be used for Authentication 638 payload generation. 639 @param[in] NextPayload The type filled into the Authentication Payload 640 next payload field. 641 @param[in] IsVerify If it is TURE, the Authentication payload is used 642 for verification. 643 @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when 644 verify the authenticate payload. 645 @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it 646 when verify the authenticate payload. 647 @param[in] UefiKeyPwd Pointer to the password of UEFI private key. 648 Ignore it when verify the authenticate payload. 649 @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when 650 verify the authenticate payload. 651 652 @return pointer to IKE Authentication payload for certification method. 653 654 **/ 655 IKE_PAYLOAD * 656 Ikev2CertGenerateAuthPayload ( 657 IN IKEV2_SA_SESSION *IkeSaSession, 658 IN IKE_PAYLOAD *IdPayload, 659 IN UINT8 NextPayload, 660 IN BOOLEAN IsVerify, 661 IN UINT8 *UefiPrivateKey, 662 IN UINTN UefiPrivateKeyLen, 663 IN UINT8 *UefiKeyPwd, 664 IN UINTN UefiKeyPwdLen 665 ); 666 667 /** 668 Generate TS payload. 669 670 This function generates TSi or TSr payload according to type of next payload. 671 If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate 672 TSr payload 673 674 @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload. 675 @param[in] NextPayload The payload type presented in the NextPayload field 676 of ID Payload header. 677 @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload. 678 If yes, it means the Tsi and Tsr payload should be with 679 Max port range and address range and protocol is marked 680 as zero. 681 682 @retval Pointer to Ts IKE payload. 683 684 **/ 685 IKE_PAYLOAD * 686 Ikev2GenerateTsPayload ( 687 IN IKEV2_CHILD_SA_SESSION *ChildSa, 688 IN UINT8 NextPayload, 689 IN BOOLEAN IsTunnel 690 ); 691 692 /** 693 Parser the Notify Cookie payload. 694 695 This function parses the Notify Cookie payload.If the Notify ProtocolId is not 696 IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not 697 the COOKIE, return EFI_INVALID_PARAMETER. 698 699 @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the 700 Notify Cookie payload. 701 the Notify payload. 702 @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session. 703 704 @retval EFI_SUCCESS The Notify Cookie Payload is valid. 705 @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid. 706 @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated. 707 708 **/ 709 EFI_STATUS 710 Ikev2ParserNotifyCookiePayload ( 711 IN IKE_PAYLOAD *IkeNCookie, 712 IN OUT IKEV2_SA_SESSION *IkeSaSession 713 ); 714 715 /** 716 Generate the Certificate payload or Certificate Request Payload. 717 718 Since the Certificate Payload structure is same with Certificate Request Payload, 719 the only difference is that one contains the Certificate Data, other contains 720 the acceptable certificateion CA. This function generate Certificate payload 721 or Certificate Request Payload defined in RFC 4306, but all the fields 722 in the payload are still in host order and need call Ikev2EncodePayload() 723 to convert those fields from the host order to network order beforing sending it. 724 725 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload 726 generation. 727 @param[in] NextPayload The next paylaod type in NextPayload field of 728 the Delete payload. 729 @param[in] Certificate Pointer of buffer contains the certification data. 730 @param[in] CertificateLen The length of Certificate in byte. 731 @param[in] EncodeType Specified the Certificate Encodeing which is defined 732 in RFC 4306. 733 @param[in] IsRequest To indicate create Certificate Payload or Certificate 734 Request Payload. If it is TURE, create Certificate 735 Request Payload. Otherwise, create Certificate Payload. 736 737 @retval a Pointer to IKE Payload whose payload buffer containing the Certificate 738 payload or Certificated Request payload. 739 740 **/ 741 IKE_PAYLOAD * 742 Ikev2GenerateCertificatePayload ( 743 IN IKEV2_SA_SESSION *IkeSaSession, 744 IN UINT8 NextPayload, 745 IN UINT8 *Certificate, 746 IN UINTN CertificateLen, 747 IN UINT8 EncodeType, 748 IN BOOLEAN IsRequest 749 ); 750 751 /** 752 General interface of payload encoding. 753 754 This function encode the internal data structure into payload which 755 is defined in RFC 4306. The IkePayload->PayloadBuf used to store both the input 756 payload and converted payload. Only the SA payload use the interal structure 757 to store the attribute. Other payload use structure which is same with the RFC 758 defined, for this kind payloads just do host order to network order change of 759 some fields. 760 761 @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload. 762 @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and 763 store the encoded result as output. 764 765 @retval EFI_INVALID_PARAMETER Meet error when encode the SA payload. 766 @retval EFI_SUCCESS Encode successfully. 767 768 **/ 769 EFI_STATUS 770 Ikev2EncodePayload ( 771 IN UINT8 *SessionCommon, 772 IN OUT IKE_PAYLOAD *IkePayload 773 ); 774 775 /** 776 The general interface of decode Payload. 777 778 This function convert the received Payload into internal structure. 779 780 @param[in] SessionCommon Pointer to IKE Session Common to use for decoding. 781 @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and 782 store the decoded result as output. 783 784 @retval EFI_INVALID_PARAMETER Meet error when decode the SA payload. 785 @retval EFI_SUCCESS Decode successfully. 786 787 **/ 788 EFI_STATUS 789 Ikev2DecodePayload ( 790 IN UINT8 *SessionCommon, 791 IN OUT IKE_PAYLOAD *IkePayload 792 ); 793 794 /** 795 Decrypt IKE packet. 796 797 This function decrpt the Encrypted IKE packet and put the result into IkePacket->PayloadBuf. 798 799 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing 800 some parameter used during decrypting. 801 @param[in, out] IkePacket Point to IKE_PACKET to be decrypted as input, 802 and the decrypted reslult as output. 803 @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and 804 IKE_CHILD_TYPE are supportted. 805 806 @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the 807 IKE packet length is not Algorithm Block Size 808 alignment. 809 @retval EFI_SUCCESS Decrypt IKE packet successfully. 810 811 **/ 812 EFI_STATUS 813 Ikev2DecryptPacket ( 814 IN IKEV2_SESSION_COMMON *SessionCommon, 815 IN OUT IKE_PACKET *IkePacket, 816 IN OUT UINTN IkeType 817 ); 818 819 /** 820 Encrypt IKE packet. 821 822 This function encrypt IKE packet before sending it. The Encrypted IKE packet 823 is put in to IKEV2 Encrypted Payload. 824 825 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet. 826 @param[in, out] IkePacket Pointer to IKE packet to be encrypted. 827 828 @retval EFI_SUCCESS Operation is successful. 829 @retval Others OPeration is failed. 830 831 **/ 832 EFI_STATUS 833 Ikev2EncryptPacket ( 834 IN IKEV2_SESSION_COMMON *SessionCommon, 835 IN OUT IKE_PACKET *IkePacket 836 ); 837 838 /** 839 Encode the IKE packet. 840 841 This function put all Payloads into one payload then encrypt it if needed. 842 843 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing 844 some parameter used during IKE packet encoding. 845 @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input, 846 and the encoded reslult as output. 847 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and 848 IKE_CHILD_TYPE are supportted. 849 850 @retval EFI_SUCCESS Encode IKE packet successfully. 851 @retval Otherwise Encode IKE packet failed. 852 853 **/ 854 EFI_STATUS 855 Ikev2EncodePacket ( 856 IN IKEV2_SESSION_COMMON *SessionCommon, 857 IN OUT IKE_PACKET *IkePacket, 858 IN UINTN IkeType 859 ); 860 861 /** 862 Decode the IKE packet. 863 864 This function first decrypts the IKE packet if needed , then separats the whole 865 IKE packet from the IkePacket->PayloadBuf into IkePacket payload list. 866 867 @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing 868 some parameter used by IKE packet decoding. 869 @param[in, out] IkePacket The IKE Packet to be decoded on input, and 870 the decoded result on return. 871 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and 872 IKE_CHILD_TYPE are supportted. 873 874 @retval EFI_SUCCESS The IKE packet is decoded successfull. 875 @retval Otherwise The IKE packet decoding is failed. 876 877 **/ 878 EFI_STATUS 879 Ikev2DecodePacket ( 880 IN IKEV2_SESSION_COMMON *SessionCommon, 881 IN OUT IKE_PACKET *IkePacket, 882 IN UINTN IkeType 883 ); 884 885 /** 886 Save some useful payloads after accepting the Packet. 887 888 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the operation. 889 @param[in] IkePacket Pointer to received IkePacet. 890 @param[in] IkeType The type used to indicate it is in IkeSa or ChildSa or Info 891 exchange. 892 893 **/ 894 VOID 895 Ikev2OnPacketAccepted ( 896 IN IKEV2_SESSION_COMMON *SessionCommon, 897 IN IKE_PACKET *IkePacket, 898 IN UINT8 IkeType 899 ); 900 901 /** 902 Send out IKEV2 packet. 903 904 @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet. 905 @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet. 906 @param[in] IkePacket Pointer to IKE_PACKET to be sent out. 907 @param[in] IkeType The type of IKE to point what's kind of the IKE 908 packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE 909 and IKE_CHILD_TYPE are supportted. 910 911 @retval EFI_SUCCESS The operation complete successfully. 912 @retval Otherwise The operation is failed. 913 914 **/ 915 EFI_STATUS 916 Ikev2SendIkePacket ( 917 IN IKE_UDP_SERVICE *IkeUdpService, 918 IN UINT8 *SessionCommon, 919 IN IKE_PACKET *IkePacket, 920 IN UINTN IkeType 921 ); 922 923 /** 924 Callback function for the IKE life time is over. 925 926 This function will mark the related IKE SA Session as deleting and trigger a 927 Information negotiation. 928 929 @param[in] Event The time out event. 930 @param[in] Context Pointer to data passed by caller. 931 932 **/ 933 VOID 934 EFIAPI 935 Ikev2LifetimeNotify ( 936 IN EFI_EVENT Event, 937 IN VOID *Context 938 ); 939 940 /** 941 This function will be called if the TimeOut Event is signaled. 942 943 @param[in] Event The signaled Event. 944 @param[in] Context The data passed by caller. 945 946 **/ 947 VOID 948 EFIAPI 949 Ikev2ResendNotify ( 950 IN EFI_EVENT Event, 951 IN VOID *Context 952 ); 953 954 /** 955 Generate a Key Exchange payload according to the DH group type and save the 956 public Key into IkeSaSession IkeKey field. 957 958 @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION. 959 @param[in] NextPayload The payload type presented in the NextPayload field of Key 960 Exchange Payload header. 961 962 @retval Pointer to Key IKE payload. 963 964 **/ 965 IKE_PAYLOAD * 966 Ikev2GenerateKePayload ( 967 IN OUT IKEV2_SA_SESSION *IkeSaSession, 968 IN UINT8 NextPayload 969 ); 970 971 /** 972 Check if the SPD is related to the input Child SA Session. 973 974 This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call 975 back function of IpSecVisitConfigData(). 976 977 978 @param[in] Type Type of the input Config Selector. 979 @param[in] Selector Pointer to the Configure Selector to be checked. 980 @param[in] Data Pointer to the Configure Selector's Data passed 981 from the caller. 982 @param[in] SelectorSize The buffer size of Selector. 983 @param[in] DataSize The buffer size of the Data. 984 @param[in] Context The data passed from the caller. It is a Child 985 SA Session in this context. 986 987 @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session. 988 @retval EFI_ABORTED The SPD Selector is related to the Child SA session and 989 set the ChildSaSession->Spd to point to this SPD Selector. 990 991 **/ 992 EFI_STATUS 993 Ikev2MatchSpdEntry ( 994 IN EFI_IPSEC_CONFIG_DATA_TYPE Type, 995 IN EFI_IPSEC_CONFIG_SELECTOR *Selector, 996 IN VOID *Data, 997 IN UINTN SelectorSize, 998 IN UINTN DataSize, 999 IN VOID *Context 1000 ); 1001 1002 /** 1003 Check if the Algorithm ID is supported. 1004 1005 @param[in] AlgorithmId The specified Algorithm ID. 1006 @param[in] Type The type used to indicate the Algorithm is for Encrypt or 1007 Authentication. 1008 1009 @retval TRUE If the Algorithm ID is supported. 1010 @retval FALSE If the Algorithm ID is not supported. 1011 1012 **/ 1013 BOOLEAN 1014 Ikev2IsSupportAlg ( 1015 IN UINT16 AlgorithmId, 1016 IN UINT8 Type 1017 ); 1018 1019 /** 1020 Generate a ChildSa Session and insert it into related IkeSaSession. 1021 1022 @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION. 1023 @param[in] UdpService Pointer to related IKE_UDP_SERVICE. 1024 1025 @return pointer of IKEV2_CHILD_SA_SESSION. 1026 1027 **/ 1028 IKEV2_CHILD_SA_SESSION * 1029 Ikev2ChildSaSessionCreate ( 1030 IN IKEV2_SA_SESSION *IkeSaSession, 1031 IN IKE_UDP_SERVICE *UdpService 1032 ) ; 1033 1034 /** 1035 Parse the received Initial Exchange Packet. 1036 1037 This function parse the SA Payload and Key Payload to find out the cryptographic 1038 suite for the further IKE negotiation and fill it into the IKE SA Session's 1039 CommonSession->SaParams. 1040 1041 @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION. 1042 @param[in] SaPayload The received packet. 1043 @param[in] Type The received packet IKE header flag. 1044 1045 @retval TRUE If the SA proposal in Packet is acceptable. 1046 @retval FALSE If the SA proposal in Packet is not acceptable. 1047 1048 **/ 1049 BOOLEAN 1050 Ikev2SaParseSaPayload ( 1051 IN OUT IKEV2_SA_SESSION *IkeSaSession, 1052 IN IKE_PAYLOAD *SaPayload, 1053 IN UINT8 Type 1054 ); 1055 1056 /** 1057 Parse the received Authentication Exchange Packet. 1058 1059 This function parse the SA Payload and Key Payload to find out the cryptographic 1060 suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams. 1061 1062 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to 1063 this Authentication Exchange. 1064 @param[in] SaPayload The received packet. 1065 @param[in] Type The IKE header's flag of received packet . 1066 1067 @retval TRUE If the SA proposal in Packet is acceptable. 1068 @retval FALSE If the SA proposal in Packet is not acceptable. 1069 1070 **/ 1071 BOOLEAN 1072 Ikev2ChildSaParseSaPayload ( 1073 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession, 1074 IN IKE_PAYLOAD *SaPayload, 1075 IN UINT8 Type 1076 ); 1077 1078 /** 1079 Generate Key buffer from fragments. 1080 1081 If the digest length of specified HashAlgId is larger than or equal with the 1082 required output key length, derive the key directly. Otherwise, Key Material 1083 needs to be PRF-based concatenation according to 2.13 of RFC 4306: 1084 prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01), 1085 T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04) 1086 then derive the key from this key material. 1087 1088 @param[in] HashAlgId The Hash Algorithm ID used to generate key. 1089 @param[in] HashKey Pointer to a key buffer which contains hash key. 1090 @param[in] HashKeyLength The length of HashKey in bytes. 1091 @param[in, out] OutputKey Pointer to buffer which is used to receive the 1092 output key. 1093 @param[in] OutputKeyLength The length of OutPutKey buffer. 1094 @param[in] Fragments Pointer to the data to be used to generate key. 1095 @param[in] NumFragments The numbers of the Fragement. 1096 1097 @retval EFI_SUCCESS The operation complete successfully. 1098 @retval EFI_INVALID_PARAMETER If NumFragments is zero. 1099 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated. 1100 @retval Others The operation is failed. 1101 1102 **/ 1103 EFI_STATUS 1104 Ikev2SaGenerateKey ( 1105 IN UINT8 HashAlgId, 1106 IN UINT8 *HashKey, 1107 IN UINTN HashKeyLength, 1108 IN OUT UINT8 *OutputKey, 1109 IN UINTN OutputKeyLength, 1110 IN PRF_DATA_FRAGMENT *Fragments, 1111 IN UINTN NumFragments 1112 ); 1113 1114 /** 1115 Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector. 1116 1117 ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime, 1118 the SpdSelector in ChildSaSession is more accurated or the scope is smaller 1119 than the one in ChildSaSession->Spd, especially for the tunnel mode. 1120 1121 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to. 1122 1123 @retval EFI_SUCCESS The operation complete successfully. 1124 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated. 1125 1126 **/ 1127 EFI_STATUS 1128 Ikev2ChildSaSessionSpdSelectorCreate ( 1129 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession 1130 ); 1131 1132 extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[]; 1133 #endif 1134 1135