      1 /** @file
      2   The common definition of IPsec Key Exchange (IKE).
      3 
      4   Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
      5 
      6   This program and the accompanying materials
      7   are licensed and made available under the terms and conditions of the BSD License
      8   which accompanies this distribution.  The full text of the license may be found at
      9   http://opensource.org/licenses/bsd-license.php.
     10 
     11   THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
     12   WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
     13 
     14 
     15 **/
     16 
     17 #ifndef _IKE_H_
     18 #define _IKE_H_
     19 
     20 #include <Library/UdpIoLib.h>
     21 #include <Library/BaseCryptLib.h>
     22 #include "IpSecImpl.h"
     23 
//
// The Version byte of the IKE header packs the major version in the high
// nibble and the minor version in the low nibble; these masks and helpers
// split it. They take and return plain integers, so a received Version byte
// can be checked before any other header field is interpreted.
//
#define IKE_VERSION_MAJOR_MASK  0xf0
#define IKE_VERSION_MINOR_MASK  0x0f

#define IKE_MAJOR_VERSION(v)    (((v) & IKE_VERSION_MAJOR_MASK) >> 4)  // high nibble
#define IKE_MINOR_VERSION(v)    ((v) & IKE_VERSION_MINOR_MASK)         // low nibble
     29 
//
// Protocol ID values used in IKEv1 and IKEv2 proposal payloads.
// These are the on-the-wire identifiers, so a value taken from a received
// packet should be range-checked against this set before it selects a branch.
//
#define IPSEC_PROTO_ISAKMP    1
#define IPSEC_PROTO_IPSEC_AH  2
#define IPSEC_PROTO_IPSEC_ESP 3
#define IPSEC_PROTO_IPCOMP    4 // For IKEv1 this value is reserved
     37 
//
// Algorithm categories used when searching the algorithm support list.
// These are local indices, not wire values. The last two types (PRF and DH)
// are for IKEv2 only.
//
#define IKE_ENCRYPT_TYPE      0
#define IKE_AUTH_TYPE         1
#define IKE_PRF_TYPE          2
#define IKE_DH_TYPE           3
     45 
//
// Encryption algorithm identifiers present in the IKEv1 phase 2 and IKEv2
// transform payload (Transform Type 1). These are wire identifiers only;
// listing one here does not make it negotiable -- presumably that is decided
// by the algorithm support list consulted elsewhere (confirm against the
// IKE negotiation code). Several entries (DES, DES_IV64/IV32, RC4, NULL) are
// weak or provide no confidentiality and should not be accepted by default.
//
#define IPSEC_ESP_DES_IV64            1
#define IPSEC_ESP_DES                 2
#define IPSEC_ESP_3DES                3
#define IPSEC_ESP_RC5                 4
#define IPSEC_ESP_IDEA                5
#define IPSEC_ESP_CAST                6
#define IPSEC_ESP_BLOWFISH            7
#define IPSEC_ESP_3IDEA               8
#define IPSEC_ESP_DES_IV32            9
#define IPSEC_ESP_RC4                 10  // It's reserved in IKEv2
#define IPSEC_ESP_NULL                11  // No encryption
#define IPSEC_ESP_AES                 12
     61 
//
// Exchange type values carried in IKE_HEADER.ExchangeType.
// 0-5 are the ISAKMP/IKEv1 exchange types, 32-33 the IKEv1 Quick Mode and
// New Group Mode exchanges, and 34-37 match the IKEv2 exchange types
// (IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL).
//
#define IKE_XCG_TYPE_NONE             0
#define IKE_XCG_TYPE_BASE             1
#define IKE_XCG_TYPE_IDENTITY_PROTECT 2
#define IKE_XCG_TYPE_AUTH_ONLY        3
#define IKE_XCG_TYPE_AGGR             4
#define IKE_XCG_TYPE_INFO             5
#define IKE_XCG_TYPE_QM               32
#define IKE_XCG_TYPE_NGM              33
#define IKE_XCG_TYPE_SA_INIT          34
#define IKE_XCG_TYPE_AUTH             35
#define IKE_XCG_TYPE_CREATE_CHILD_SA  36
#define IKE_XCG_TYPE_INFO2            37
     74 
//
// SA lifetime attribute types: lifetime expressed in seconds or in kilobytes.
//
#define IKE_LIFE_TYPE_SECONDS         1
#define IKE_LIFE_TYPE_KILOBYTES       2

//
// Default IKE SA lifetime and CHILD SA lifetime.
// The unit is not stated here; presumably seconds (IKE_LIFE_TYPE_SECONDS) --
// confirm where these are applied. Note that the CHILD SA default is longer
// than the IKE SA default; verify that ordering is intended.
//
#define IKE_SA_DEFAULT_LIFETIME       1200
#define CHILD_SA_DEFAULT_LIFETIME     3600
     83 
//
// Next payload type presented within a Proposal payload:
// MORE means another Proposal follows, NONE terminates the chain.
//
#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE  2
#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE  0

//
// Next payload type presented within a Transform payload:
// MORE means another Transform follows, NONE terminates the chain.
//
#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3
#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0
     95 
//
// Max size of the SA attribute block, in bytes. Callers building or parsing
// transform attributes should bound their work by this value.
//
#define MAX_SA_ATTRS_SIZE     48
//
// Format bit in IKE_SA_ATTRIBUTE.AttrType. Presumably it distinguishes the
// two-byte "value" encoding from the "length + data" encoding (see
// IKE_SA_ATTR_UNION) -- confirm in the attribute parser.
//
#define SA_ATTR_FORMAT_BIT    0x8000
//
// The signature for the Information Message ID record.
//
#define INFO_MID_SIGNATURE    SIGNATURE_32 ('I', 'N', 'F', 'M')
    105 
//
// Type tag for the IKE SESSION COMMON. Values are 0, 1, 2 in declaration
// order; IkeSessionTypeMax (3) is a sentinel, not a valid session type.
//
typedef enum {
  IkeSessionTypeIkeSa,
  IkeSessionTypeChildSa,
  IkeSessionTypeInfo,
  IkeSessionTypeMax
} IKE_SESSION_TYPE;
    115 
//
// The DH Group ID defined in RFC 3526 and RFC 2409.
// The values are the wire identifiers; ids 6-13 are intentionally absent,
// so OakleyGroupMax (19) is an upper bound, not a count of supported groups.
// Groups 1 and 2 (768/1024-bit MODP) are small by current standards; whether
// they are offered or accepted is decided by the support list, not here.
//
typedef enum {
  OakleyGroupModp768  = 1,
  OakleyGroupModp1024 = 2,
  OakleyGroupGp155    = 3,  // Unsupported Now.
  OakleyGroupGp185    = 4,  // Unsupported Now.
  OakleyGroupModp1536 = 5,

  OakleyGroupModp2048 = 14,
  OakleyGroupModp3072 = 15,
  OakleyGroupModp4096 = 16,
  OakleyGroupModp6144 = 17,
  OakleyGroupModp8192 = 18,
  OakleyGroupMax            // Sentinel: one past the last defined id.
} OAKLEY_GROUP_ID;
    133 
//
// IKE Header, packed to the on-the-wire layout (28 bytes).
// The multi-byte fields are kept in host order in memory; byte-order
// conversion is done when the packet is sent (see IKE_PACKET.IsEncoded).
// Length is the value received from the peer -- when parsing an incoming
// packet it must be validated against the actual buffer size before it is
// used to size any copy or payload walk (confirm that check in the decoder).
//
#pragma pack(1)
typedef struct {
  UINT64  InitiatorCookie;
  UINT64  ResponderCookie;
  UINT8   NextPayload;   // Type of the first payload following the header
  UINT8   Version;       // Major/minor nibbles, see IKE_MAJOR_VERSION/IKE_MINOR_VERSION
  UINT8   ExchangeType;  // One of the IKE_XCG_TYPE_* values
  UINT8   Flags;
  UINT32  MessageId;
  UINT32  Length;        // Total message length as stated by the sender
} IKE_HEADER;
#pragma pack()
    149 
//
// Second 16-bit word of an SA attribute. Both members are UINT16, so the
// union is a single field with two names: it is read as an attribute length
// or as an immediate attribute value depending on the attribute format
// (presumably SA_ATTR_FORMAT_BIT in IKE_SA_ATTRIBUTE.AttrType -- confirm).
//
typedef union {
  UINT16  AttrLength;
  UINT16  AttrValue;
} IKE_SA_ATTR_UNION;
    154 
//
// SA Attribute present in a Transform Payload, packed to the wire layout
// (4 bytes: type word followed by length-or-value word). When AttrLength is
// in use, the attribute data follows the structure in the buffer and the
// length must be checked against the remaining buffer before it is walked.
//
#pragma pack(1)
typedef struct {
  UINT16            AttrType;  // Attribute type; the top bit is SA_ATTR_FORMAT_BIT
  IKE_SA_ATTR_UNION Attr;      // Length of trailing data, or the value itself
} IKE_SA_ATTRIBUTE;
#pragma pack()
    164 
//
// Contains the IKE packet information.
// The packet is reference counted (RefCount); the "Ext" flags presumably
// mark a header or payload buffer that is owned by someone else and must not
// be freed with the packet -- confirm against the packet free routine.
//
typedef struct {
  UINTN               RefCount;
  BOOLEAN             IsHdrExt;         // Header is externally owned (presumed)
  IKE_HEADER          *Header;
  BOOLEAN             IsPayloadsBufExt; // PayloadsBuf is externally owned (presumed)
  UINT8               *PayloadsBuf;     // The whole IKE packet with the IKE header trimmed off.
  UINTN               PayloadTotalSize; // Size of PayloadsBuf in bytes (presumed)
  LIST_ENTRY          PayloadList;      // IKE_PAYLOAD entries, linked by their ByPacket field (presumed)
  EFI_IP_ADDRESS      RemotePeerIp;
  BOOLEAN             IsEncoded;    // whether HTON is done when sending the packet
  UINT32              Spi;          // For the Delete Information Exchange
  BOOLEAN             IsDeleteInfo; // For the Delete Information Exchange
  IPSEC_PRIVATE_DATA  *Private;     // For the Delete Information Exchange
} IKE_PACKET;
    182 
//
// The generic structure for all kinds of IKE payloads.
// PayloadBuf/PayloadSize describe the raw payload bytes; PayloadType says
// how to interpret them. IsPayloadBufExt presumably marks a buffer that is
// not owned by the payload (confirm against the payload free routine).
//
typedef struct {
  UINT32      Signature;
  BOOLEAN     IsPayloadBufExt;
  UINT8       PayloadType;
  UINT8       *PayloadBuf;
  UINTN       PayloadSize;   // Size of PayloadBuf in bytes
  LIST_ENTRY  ByPacket;      // Link into the owning IKE_PACKET.PayloadList (presumed)
} IKE_PAYLOAD;
    194 
//
// Udp Service: one per NIC and IP version, carrying the UDP_IO instances used
// to receive (Input) and send (Output) IKE traffic.
//
typedef struct {
  UINT32          Signature;
  UINT8           IpVersion;
  LIST_ENTRY      List;            // Link into the list headed by ListHead (presumed)
  LIST_ENTRY      *ListHead;
  EFI_HANDLE      NicHandle;
  EFI_HANDLE      ImageHandle;
  UDP_IO          *Input;
  UDP_IO          *Output;
  EFI_IP_ADDRESS  DefaultAddress;
  BOOLEAN         IsConfigured;    // Whether the UDP I/O has been configured
} IKE_UDP_SERVICE;
    210 
//
// Each IKE session has its own key sets for the local peer and remote peer.
// NOTE(review): this holds key material; whoever frees the enclosing session
// should zeroize it rather than just release the memory -- check the owner.
//
typedef struct {
  EFI_IPSEC_ALGO_INFO LocalPeerInfo;
  EFI_IPSEC_ALGO_INFO RemotePeerInfo;
} SA_KEYMATS;
    218 
//
// Each algorithm has its own Id, Guid, BlockSize and KeyLength.
// This struct contains this information for each algorithm. It is a generic
// structure for both encryption and authentication algorithms.
// For an authentication algorithm, AlgSize means IcvSize. For an encryption
// algorithm, it means IvSize.
// NOTE(review): because of pack(1) and the leading UINT8, AlgGuid sits at
// offset 1 and KeyMateLen is also unaligned; on targets that require aligned
// pointer/UINTN access this may fault. Packing looks unnecessary for a table
// that never goes on the wire -- confirm before changing.
//
#pragma pack(1)
typedef struct {
  UINT8     AlgorithmId;       // Encryption or Authentication Id used by ESP/AH
  EFI_GUID  *AlgGuid;
  UINT8     AlgSize;     // IcvSize or IvSize
  UINT8     BlockSize;
  UINTN     KeyMateLen;  // Key material length
} IKE_ALG_GUID_INFO;   // For IPsec Authentication and Encryption Algorithm.
#pragma pack()
    235 
//
// Structure used to store a DH MODP group: its id, the prime modulus and the
// generator. Size is presumably the modulus length in bytes -- confirm against
// the group table that instantiates this.
//
typedef struct {
  UINT8 GroupId;         // OAKLEY_GROUP_ID value (presumed)
  UINTN Size;
  UINT8 *Modulus;        // Big-endian prime, Size bytes long (presumed)
  UINTN GroupGenerator;
} MODP_GROUP;
    245 
/**
  Prototype of the general interface used to process (parse) payloads
  after decoding a received packet or before encoding one for sending.
  The name suggests the receive direction is the primary use; confirm with
  the callers. PayloadBuf holds untrusted bytes when it comes from the
  network, so implementations must stay within PayloadSize.

  @param[in]  SessionCommon    Pointer to the SessionCommon, passed as an
                               opaque byte pointer (implementations cast it).
  @param[in]  PayloadBuf       Pointer to the buffer of the Payload.
  @param[in]  PayloadSize      The size of the PayloadBuf in bytes.
  @param[in]  PayloadType      The type of Payload.

**/
typedef
VOID
(*IKE_ON_PAYLOAD_FROM_NET) (
  IN UINT8    *SessionCommon,
  IN UINT8    *PayloadBuf,
  IN UINTN    PayloadSize,
  IN UINT8    PayloadType
  );
    264 
    265 #endif
    266 
    267