4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Provide IPsec Key Exchange (IKE) service general interfaces.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This program and the accompanying materials
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync are licensed and made available under the terms and conditions of the BSD License
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync which accompanies this distribution. The full text of the license may be found at
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // IO parameters
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // IO parameters
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync //Access Point
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Check if the NIC handle is binded to a Udp service.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Private Pointer of IPSEC_PRIVATE_DATA.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Handle The Handle of the NIC card.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] IpVersion The version of the IP stack.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @return a pointer of IKE_UDP_SERVICE.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Head = (IpVersion == IP_VERSION_4) ? &Private->Udp4List : &Private->Udp6List;
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Find the right udp service which installed on the appointed NIC handle.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Configure a UDPIO's UDP4 instance.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This fuction is called by the UdpIoCreateIo() to configures a
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync UDP4 instance.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] UdpIo The UDP_IO to be configured.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Context User-defined data when calling UdpIoCreateIo().
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_SUCCESS The configuration succeeded.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval Others The UDP4 instance fails to configure.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Configure udp4 io with local default address.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Configure a UDPIO's UDP6 instance.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This fuction is called by the UdpIoCreateIo()to configure a
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync UDP6 instance.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] UdpIo The UDP_IO to be configured.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Context User-defined data when calling UdpIoCreateIo().
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_SUCCESS The configuration succeeded.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval Others The configuration fails.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Configure instance with a destination address to start source address
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // selection, and then get the configure data from the mode data to store
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // the source address.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Open and configure the related output UDPIO for IKE packet sending.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync If the UdpService is not configured, this fuction calls UdpIoCreatIo() to
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync create UDPIO to bind this UdpService for IKE packet sending. If the UdpService
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync has already been configured, then return.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] UdpService The UDP_IO to be configured.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] RemoteIp User-defined data when calling UdpIoCreateIo().
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_SUCCESS The configuration is successful.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval Others The configuration fails.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Check whether the input and output udp io are both configured.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync if (UdpService->IpVersion == UDP_IO_UDP4_VERSION) {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Handle ip4config protocol to get local default address.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Status = Ip4Cfg->GetData (Ip4Cfg, &BufSize, Ip4CfgData);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Create udp4 io for output with local default address.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Create udp6 io for output with remote address.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Get ip6 mode data to get the result of source address selection.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync ZeroMem (&Ip6ModeData, sizeof (EFI_IP6_MODE_DATA));
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Status = Udp6->GetModeData (Udp6, NULL, &Ip6ModeData, NULL, NULL);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Reconfigure udp6 io without remote address.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Record the selected source address for ipsec process later.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Open and configure a UDPIO of Udp4 for IKE packet receiving.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync UDP4 IO for each NIC handle.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Private Point to IPSEC_PRIVATE_DATA
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Controller Handler for NIC card.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_SUCCESS The Operation is successful.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Check whether udp4 io of the controller has already been opened.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Udp4Srv = IkeLookupUdp (Private, Controller, IP_VERSION_4);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Udp4Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Create udp4 io for iutput.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync ZeroMem (&Udp4Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Insert the udp4 io into the list and increase the count.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync InsertTailList (&Private->Udp4List, &Udp4Srv->List);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync UdpIoRecvDatagram (Udp4Srv->Input, IkeDispatch, Udp4Srv, 0);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Open and configure a UDPIO of Udp6 for IKE packet receiving.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IO for each NIC handle.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Private Point to IPSEC_PRIVATE_DATA
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Controller Handler for NIC card.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_SUCCESS The Operation is successful.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Udp6Srv = IkeLookupUdp (Private, Controller, IP_VERSION_6);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Udp6Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Create udp6 io for input.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync ZeroMem (&Udp6Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Insert the udp6 io into the list and increase the count.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync InsertTailList (&Private->Udp6List, &Udp6Srv->List);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync UdpIoRecvDatagram (Udp6Srv->Input, IkeDispatch, Udp6Srv, 0);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The general interface of starting IPsec Key Exchange.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This function is called when a IKE negotiation to start getting a Key.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IKE packet sending.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_SUCCESS The Operation is successful.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_ACCESS_DENIED No related PAD entry was found.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @retval EFI_INVALID_PARAMETER The IKE version is not supported.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Private = (UdpService->IpVersion == IP_VERSION_4) ?
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Try to open udp io for output if it hasn't.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Find the pad entry by the remote ip address.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, RemoteIp);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Determine the IKE exchange instance by the auth protocol in pad entry.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync ASSERT (PadEntry->Data->AuthProtocol < EfiIPsecAuthProtocolMaximum);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync if (PadEntry->Data->AuthProtocol == EfiIPsecAuthProtocolIKEv1) {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Exchange = mIkeExchange[PadEntry->Data->AuthProtocol];
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Start the main mode stage to negotiate IKE SA.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Status = Exchange->NegotiateSa (UdpService, SpdEntry, PadEntry, RemoteIp);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Determine the IKE exchange instance by the IKE version in IKE SA session.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IkeVersion = IkeGetVersionFromSession (IkeSaSession);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Start the quick mode stage to negotiate child SA.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Status = Exchange->NegotiateChildSa (IkeSaSession, SpdEntry, NULL);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The generic interface when receive a IKE packet.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This function is called when UDP IO receives a IKE packet.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Packet Point to received IKE packet.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] EndPoint Point to UDP_END_POINT which contains the information of
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Remote IP and Port.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] IoStatus The Status of Recieve Token.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Context Point to data passed from the caller.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Private = (UdpService->IpVersion == IP_VERSION_4) ?
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Check whether the ipsec is enabled or not.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Build IKE packet from the received netbuf.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Get the remote address from the IKE packet.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync *(UINT32 *) IkePacket->RemotePeerIp.Addr = HTONL ((*(UINT32 *) EndPoint->RemoteAddr.Addr));
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Try to open udp io for output if hasn't.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Status = IkeOpenOutputUdp (UdpService, &IkePacket->RemotePeerIp);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Determine the IKE exchange instance by the IKE version in IKE header.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Exchange = mIkeExchange[IKE_MAJOR_VERSION (IkeHdr->Version) - 1];
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync UdpIoRecvDatagram (UdpService->Input, IkeDispatch, UdpService, 0);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Delete all established IKE SAs and related Child SAs.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This function is the subfunction of the IpSecCleanupAllSa(). It first calls
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IkeDeleteChildSa() to delete all Child SAs then send out the related
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Information packet.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] Private Pointer of the IPSEC_PRIVATE_DATA
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync @param[in] IsDisableIpsec Indicate whether needs to disable IPsec.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // If the IKEv1 is supported, first deal with the Ikev1Estatblished list.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // If IKEv2 SAs are under establishing, delete it directly.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // and turn off the IsIPsecDisabling flag.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Delete established IKEv2 SAs.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync if (!IsListEmpty (&Private->Ikev2EstablishedList)) {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync // Call for Information Exchange.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IkeVersion = IkeGetVersionFromSession ((UINT8*)Ikev2SaSession);