android-10.0.0_r1.0/s

/** @file
  Provide IPsec Key Exchange (IKE) service general interfaces.

  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>

  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
  which accompanies this distribution.  The full text of the license may be found at
  http://opensource.org/licenses/bsd-license.php.

  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

**/

#include "IkeService.h"
#include "IpSecConfigImpl.h"

IKE_EXCHANGE_INTERFACE  *mIkeExchange[] = {
  &mIkev1Exchange,
  &mIkev2Exchange
};

EFI_UDP4_CONFIG_DATA    mUdp4Conf = {
  FALSE,
  FALSE,
  FALSE,
  TRUE,
  //
  // IO parameters
  //
  0,
  64,
  FALSE,
  0,
  1000000,
  FALSE,
  {{0,0,0,0}},
  {{0,0,0,0}},
  IKE_DEFAULT_PORT,
  {{0,0,0,0}},
  0
};

EFI_UDP6_CONFIG_DATA    mUdp6Conf = {
  FALSE,
  FALSE,
  TRUE,
  //
  // IO parameters
  //
  0,
  128,
  0,
  1000000,
  //Access Point
  {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
  IKE_DEFAULT_PORT,
  {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
  0
};

/**
  Check if the NIC handle is binded to a Udp service.

  @param[in]  Private    Pointer of IPSEC_PRIVATE_DATA.
  @param[in]  Handle     The Handle of the NIC card.
  @param[in]  IpVersion  The version of the IP stack.

  @return a pointer of IKE_UDP_SERVICE.

**/
IKE_UDP_SERVICE *
IkeLookupUdp (
  IN IPSEC_PRIVATE_DATA     *Private,
  IN EFI_HANDLE             Handle,
  IN UINT8                  IpVersion
  )
{
  LIST_ENTRY      *Head;
  LIST_ENTRY      *Entry;
  LIST_ENTRY      *Next;
  IKE_UDP_SERVICE *Udp;

  Udp   = NULL;
  Head  = (IpVersion == IP_VERSION_4) ? &Private->Udp4List : &Private->Udp6List;

  NET_LIST_FOR_EACH_SAFE (Entry, Next, Head) {

    Udp = IPSEC_UDP_SERVICE_FROM_LIST (Entry);
    //
    // Find the right udp service which installed on the appointed NIC handle.
    //
    if (Handle == Udp->NicHandle) {
      break;
    } else {
      Udp = NULL;
    }
  }

  return Udp;
}

/**
  Configure a UDPIO's UDP4 instance.

  This fuction is called by the UdpIoCreateIo() to configures a
  UDP4 instance.

  @param[in] UdpIo         The UDP_IO to be configured.
  @param[in] Context       User-defined data when calling UdpIoCreateIo().

  @retval EFI_SUCCESS      The configuration succeeded.
  @retval Others           The UDP4 instance fails to configure.

**/
EFI_STATUS
EFIAPI
IkeConfigUdp4 (
  IN UDP_IO                 *UdpIo,
  IN VOID                   *Context
  )
{
  EFI_UDP4_CONFIG_DATA  Udp4Cfg;
  EFI_UDP4_PROTOCOL     *Udp4;

  ZeroMem (&Udp4Cfg, sizeof (EFI_UDP4_CONFIG_DATA));

  Udp4 = UdpIo->Protocol.Udp4;
  CopyMem (
    &Udp4Cfg,
    &mUdp4Conf,
    sizeof (EFI_UDP4_CONFIG_DATA)
    );

  if (Context != NULL) {
    //
    // Configure udp4 io with local default address.
    //
    Udp4Cfg.UseDefaultAddress = TRUE;
  }

  return Udp4->Configure (Udp4, &Udp4Cfg);
}

/**
  Configure a UDPIO's UDP6 instance.

  This fuction is called by the UdpIoCreateIo()to configure a
  UDP6 instance.

  @param[in] UdpIo         The UDP_IO to be configured.
  @param[in] Context       User-defined data when calling UdpIoCreateIo().

  @retval EFI_SUCCESS      The configuration succeeded.
  @retval Others           The configuration fails.

**/
EFI_STATUS
EFIAPI
IkeConfigUdp6 (
  IN UDP_IO                 *UdpIo,
  IN VOID                   *Context
  )
{
  EFI_UDP6_PROTOCOL     *Udp6;
  EFI_UDP6_CONFIG_DATA  Udp6Cfg;

  ZeroMem (&Udp6Cfg, sizeof (EFI_UDP6_CONFIG_DATA));

  Udp6 = UdpIo->Protocol.Udp6;
  CopyMem (
    &Udp6Cfg,
    &mUdp6Conf,
    sizeof (EFI_UDP6_CONFIG_DATA)
    );

  if (Context != NULL) {
    //
    // Configure instance with a destination address to start source address
    // selection, and then get the configure data from the mode data to store
    // the source address.
    //
    CopyMem (
      &Udp6Cfg.RemoteAddress,
      Context,
      sizeof (EFI_IPv6_ADDRESS)
      );
  }

  return Udp6->Configure (Udp6, &Udp6Cfg);
}

/**
  Open and configure the related output UDPIO for IKE packet sending.

  If the UdpService is not configured, this fuction calls UdpIoCreatIo() to
  create UDPIO to bind this UdpService for IKE packet sending. If the UdpService
  has already been configured, then return.

  @param[in] UdpService     The UDP_IO to be configured.
  @param[in] RemoteIp       User-defined data when calling UdpIoCreateIo().

  @retval EFI_SUCCESS      The configuration is successful.
  @retval Others           The configuration fails.

**/
EFI_STATUS
IkeOpenOutputUdp (
  IN IKE_UDP_SERVICE           *UdpService,
  IN EFI_IP_ADDRESS            *RemoteIp
  )
{
  EFI_STATUS                       Status;
  EFI_IP4_CONFIG2_PROTOCOL         *Ip4Cfg2;
  EFI_IP4_CONFIG2_INTERFACE_INFO   *IfInfo;
  UINTN                            BufSize;
  EFI_IP6_MODE_DATA                Ip6ModeData;
  EFI_UDP6_PROTOCOL                *Udp6;

  Status      = EFI_SUCCESS;
  IfInfo      = NULL;
  BufSize     = 0;

  //
  // Check whether the input and output udp io are both configured.
  //
  if (UdpService->IsConfigured) {
    goto ON_EXIT;
  }

  if (UdpService->IpVersion == UDP_IO_UDP4_VERSION) {
    //
    // Handle ip4config protocol to get local default address.
    //
    Status = gBS->HandleProtocol (
                    UdpService->NicHandle,
                    &gEfiIp4Config2ProtocolGuid,
                    (VOID **) &Ip4Cfg2
                    );

    if (EFI_ERROR (Status)) {
      goto ON_EXIT;
    }

    //
    // Get the interface information size.
    //
    Status = Ip4Cfg2->GetData (
                       Ip4Cfg2,
                       Ip4Config2DataTypeInterfaceInfo,
                       &BufSize,
                       NULL
                       );

    if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
      goto ON_EXIT;
    }

    IfInfo = AllocateZeroPool (BufSize);

    if (IfInfo == NULL) {
      Status = EFI_OUT_OF_RESOURCES;
      goto ON_EXIT;
    }

    //
    // Get the interface info.
    //
    Status = Ip4Cfg2->GetData (
                       Ip4Cfg2,
                       Ip4Config2DataTypeInterfaceInfo,
                       &BufSize,
                       IfInfo
                       );

    if (EFI_ERROR (Status)) {
      goto ON_EXIT;
    }

    CopyMem (
      &UdpService->DefaultAddress.v4,
      &IfInfo->StationAddress,
      sizeof (EFI_IPv4_ADDRESS)
      );

    //
    // Create udp4 io for output with local default address.
    //
    UdpService->Output = UdpIoCreateIo (
                           UdpService->NicHandle,
                           UdpService->ImageHandle,
                           IkeConfigUdp4,
                           UDP_IO_UDP4_VERSION,
                           &UdpService->DefaultAddress
                           );

    if (UdpService->Output == NULL) {
      Status = EFI_OUT_OF_RESOURCES;
      goto ON_EXIT;
    }

  } else {
    //
    // Create udp6 io for output with remote address.
    //
    UdpService->Output = UdpIoCreateIo (
                           UdpService->NicHandle,
                           UdpService->ImageHandle,
                           IkeConfigUdp6,
                           UDP_IO_UDP6_VERSION,
                           RemoteIp
                           );

    if (UdpService->Output == NULL) {
      Status = EFI_OUT_OF_RESOURCES;
      goto ON_EXIT;
    }
    //
    // Get ip6 mode data to get the result of source address selection.
    //
    ZeroMem (&Ip6ModeData, sizeof (EFI_IP6_MODE_DATA));

    Udp6    = UdpService->Output->Protocol.Udp6;
    Status  = Udp6->GetModeData (Udp6, NULL, &Ip6ModeData, NULL, NULL);

    if (EFI_ERROR (Status)) {
      UdpIoFreeIo (UdpService->Output);
      goto ON_EXIT;
    }

    if (Ip6ModeData.AddressList != NULL) {
      FreePool (Ip6ModeData.AddressList);
    }

    if (Ip6ModeData.GroupTable != NULL) {
      FreePool (Ip6ModeData.GroupTable);
    }

    if (Ip6ModeData.RouteTable != NULL) {
      FreePool (Ip6ModeData.RouteTable);
    }

    if (Ip6ModeData.NeighborCache != NULL) {
      FreePool (Ip6ModeData.NeighborCache);
    }

    if (Ip6ModeData.PrefixTable != NULL) {
      FreePool (Ip6ModeData.PrefixTable);
    }

    if (Ip6ModeData.IcmpTypeList != NULL) {
      FreePool (Ip6ModeData.IcmpTypeList);
    }

    //
    // Reconfigure udp6 io without remote address.
    //
    Udp6->Configure (Udp6, NULL);
    Status = IkeConfigUdp6 (UdpService->Output, NULL);

    //
    // Record the selected source address for ipsec process later.
    //
    CopyMem (
      &UdpService->DefaultAddress.v6,
      &Ip6ModeData.ConfigData.StationAddress,
      sizeof (EFI_IPv6_ADDRESS)
      );
  }

  UdpService->IsConfigured = TRUE;

ON_EXIT:
  if (IfInfo != NULL) {
    FreePool (IfInfo);
  }

  return Status;
}

/**
  Open and configure a UDPIO of Udp4 for IKE packet receiving.

  This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
  UDP4 IO for each NIC handle.

  @param[in] Private        Point to IPSEC_PRIVATE_DATA
  @param[in] Controller     Handler for NIC card.
  @param[in] ImageHandle    The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.

  @retval EFI_SUCCESS             The Operation is successful.
  @retval EFI_OUT_OF_RESOURCE     The required system resource can't be allocated.

**/
EFI_STATUS
IkeOpenInputUdp4 (
  IN IPSEC_PRIVATE_DATA           *Private,
  IN EFI_HANDLE                   Controller,
  IN EFI_HANDLE                   ImageHandle
  )
{
  IKE_UDP_SERVICE *Udp4Srv;

  //
  // Check whether udp4 io of the controller has already been opened.
  //
  Udp4Srv = IkeLookupUdp (Private, Controller, IP_VERSION_4);

  if (Udp4Srv != NULL) {
    return EFI_ALREADY_STARTED;
  }

  Udp4Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));

  if (Udp4Srv == NULL) {
    return EFI_OUT_OF_RESOURCES;
  }
  //
  // Create udp4 io for iutput.
  //
  Udp4Srv->Input = UdpIoCreateIo (
                     Controller,
                     ImageHandle,
                     IkeConfigUdp4,
                     UDP_IO_UDP4_VERSION,
                     NULL
                     );

  if (Udp4Srv->Input == NULL) {
    FreePool (Udp4Srv);
    return EFI_OUT_OF_RESOURCES;
  }

  Udp4Srv->NicHandle    = Controller;
  Udp4Srv->ImageHandle  = ImageHandle;
  Udp4Srv->ListHead     = &(Private->Udp4List);
  Udp4Srv->IpVersion    = UDP_IO_UDP4_VERSION;
  Udp4Srv->IsConfigured = FALSE;

  ZeroMem (&Udp4Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));

  //
  // Insert the udp4 io into the list and increase the count.
  //
  InsertTailList (&Private->Udp4List, &Udp4Srv->List);

  Private->Udp4Num++;

  UdpIoRecvDatagram (Udp4Srv->Input, IkeDispatch, Udp4Srv, 0);

  return EFI_SUCCESS;
}

/**
  Open and configure a UDPIO of Udp6 for IKE packet receiving.

  This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
  IO for each NIC handle.

  @param[in] Private        Point to IPSEC_PRIVATE_DATA
  @param[in] Controller     Handler for NIC card.
  @param[in] ImageHandle    The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.

  @retval EFI_SUCCESS             The Operation is successful.
  @retval EFI_OUT_OF_RESOURCE     The required system resource can't be allocated.

**/
EFI_STATUS
IkeOpenInputUdp6 (
  IN IPSEC_PRIVATE_DATA           *Private,
  IN EFI_HANDLE                   Controller,
  IN EFI_HANDLE                   ImageHandle
  )
{
  IKE_UDP_SERVICE *Udp6Srv;

  Udp6Srv = IkeLookupUdp (Private, Controller, IP_VERSION_6);

  if (Udp6Srv != NULL) {
    return EFI_ALREADY_STARTED;
  }

  Udp6Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));

  if (Udp6Srv == NULL) {
    return EFI_OUT_OF_RESOURCES;
  }
  //
  // Create udp6 io for input.
  //
  Udp6Srv->Input = UdpIoCreateIo (
                     Controller,
                     ImageHandle,
                     IkeConfigUdp6,
                     UDP_IO_UDP6_VERSION,
                     NULL
                     );

  if (Udp6Srv->Input == NULL) {
    FreePool (Udp6Srv);
    return EFI_OUT_OF_RESOURCES;
  }

  Udp6Srv->NicHandle    = Controller;
  Udp6Srv->ImageHandle  = ImageHandle;
  Udp6Srv->ListHead     = &(Private->Udp6List);
  Udp6Srv->IpVersion    = UDP_IO_UDP6_VERSION;
  Udp6Srv->IsConfigured = FALSE;

  ZeroMem (&Udp6Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));

  //
  // Insert the udp6 io into the list and increase the count.
  //
  InsertTailList (&Private->Udp6List, &Udp6Srv->List);

  Private->Udp6Num++;

  UdpIoRecvDatagram (Udp6Srv->Input, IkeDispatch, Udp6Srv, 0);

  return EFI_SUCCESS;
}

/**
  The general interface of starting IPsec Key Exchange.

  This function is called when a IKE negotiation to start getting a Key.

  @param[in] UdpService   Point to IKE_UDP_SERVICE which will be used for
                          IKE packet sending.
  @param[in] SpdEntry     Point to the SPD entry related to the IKE negotiation.
  @param[in] RemoteIp     Point to EFI_IP_ADDRESS related to the IKE negotiation.

  @retval EFI_SUCCESS            The Operation is successful.
  @retval EFI_ACCESS_DENIED      No related PAD entry was found.
  @retval EFI_INVALID_PARAMETER  The IKE version is not supported.

**/
EFI_STATUS
IkeNegotiate (
  IN IKE_UDP_SERVICE       *UdpService,
  IN IPSEC_SPD_ENTRY       *SpdEntry,
  IN EFI_IP_ADDRESS        *RemoteIp
  )
{
  EFI_STATUS               Status;
  UINT8                    *IkeSaSession;
  IKE_EXCHANGE_INTERFACE   *Exchange;
  IPSEC_PRIVATE_DATA       *Private;
  IPSEC_PAD_ENTRY          *PadEntry;
  UINT8                    IkeVersion;

  Private = (UdpService->IpVersion == IP_VERSION_4) ?
             IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
             IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);

  //
  // Try to open udp io for output if it hasn't.
  //
  Status = IkeOpenOutputUdp (UdpService, RemoteIp);
  if (EFI_ERROR (Status)) {
    return Status;
  }
  //
  // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.
  //
  IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);


  if (IkeSaSession == NULL) {
    //
    // Find the pad entry by the remote ip address.
    //
    PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, RemoteIp);
    if (PadEntry == NULL) {
      return EFI_ACCESS_DENIED;
    }
    //
    // Determine the IKE exchange instance by the auth protocol in pad entry.
    //
    ASSERT (PadEntry->Data->AuthProtocol < EfiIPsecAuthProtocolMaximum);
    if (PadEntry->Data->AuthProtocol == EfiIPsecAuthProtocolIKEv1) {
      return EFI_INVALID_PARAMETER;
    }
    Exchange = mIkeExchange[PadEntry->Data->AuthProtocol];
    //
    // Start the main mode stage to negotiate IKE SA.
    //
    Status = Exchange->NegotiateSa (UdpService, SpdEntry, PadEntry, RemoteIp);
  } else {
    //
    // Determine the IKE exchange instance by the IKE version in IKE SA session.
    //
    IkeVersion = IkeGetVersionFromSession (IkeSaSession);
    if (IkeVersion != 2) {
      return EFI_INVALID_PARAMETER;
    }

    Exchange = mIkeExchange[IkeVersion - 1];
    //
    // Start the quick mode stage to negotiate child SA.
    //
    Status = Exchange->NegotiateChildSa (IkeSaSession, SpdEntry, NULL);
  }

  return Status;
}

/**
  The generic interface when receive a IKE packet.

  This function is called when UDP IO receives a IKE packet.

  @param[in] Packet       Point to received IKE packet.
  @param[in] EndPoint     Point to UDP_END_POINT which contains the information of
                          Remote IP and Port.
  @param[in] IoStatus     The Status of Recieve Token.
  @param[in] Context      Point to data passed from the caller.

**/
VOID
EFIAPI
IkeDispatch (
  IN NET_BUF                        *Packet,
  IN UDP_END_POINT                  *EndPoint,
  IN EFI_STATUS                     IoStatus,
  IN VOID                           *Context
  )
{
  IPSEC_PRIVATE_DATA                *Private;
  IKE_PACKET                        *IkePacket;
  IKE_HEADER                        *IkeHdr;
  IKE_UDP_SERVICE                   *UdpService;
  IKE_EXCHANGE_INTERFACE            *Exchange;
  EFI_STATUS                        Status;

  UdpService = (IKE_UDP_SERVICE *) Context;
  IkePacket  = NULL;
  Private    = (UdpService->IpVersion == IP_VERSION_4) ?
               IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
               IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);

  if (EFI_ERROR (IoStatus)) {
    goto ON_EXIT;
  }
  //
  // Check whether the ipsec is enabled or not.
  //
  if (Private->IpSec.DisabledFlag == TRUE) {
    goto ON_EXIT;
  }

  if (EndPoint->RemotePort != IKE_DEFAULT_PORT) {
    goto ON_EXIT;
  }

  //
  // Build IKE packet from the received netbuf.
  //
  IkePacket = IkePacketFromNetbuf (Packet);

  if (IkePacket == NULL) {
    goto ON_EXIT;
  }
  //
  // Get the remote address from the IKE packet.
  //
  if (UdpService->IpVersion == IP_VERSION_4) {
    *(UINT32 *) IkePacket->RemotePeerIp.Addr = HTONL ((*(UINT32 *) EndPoint->RemoteAddr.Addr));
  } else {
    CopyMem (
      &IkePacket->RemotePeerIp,
      NTOHLLL (&EndPoint->RemoteAddr.v6),
      sizeof (EFI_IPv6_ADDRESS)
      );
  }
  //
  // Try to open udp io for output if hasn't.
  //
  Status = IkeOpenOutputUdp (UdpService, &IkePacket->RemotePeerIp);

  if (EFI_ERROR (Status)) {
    goto ON_EXIT;
  }

  IkeHdr = IkePacket->Header;

  //
  // Determine the IKE exchange instance by the IKE version in IKE header.
  //
  if (IKE_MAJOR_VERSION (IkeHdr->Version) == 2) {
    Exchange = mIkeExchange[IKE_MAJOR_VERSION (IkeHdr->Version) - 1];
  } else {
    goto ON_EXIT;
  }

  switch (IkeHdr->ExchangeType) {
  case IKE_XCG_TYPE_IDENTITY_PROTECT:
  case IKE_XCG_TYPE_SA_INIT:
  case IKE_XCG_TYPE_AUTH:
    Exchange->HandleSa (UdpService, IkePacket);
    break;

  case IKE_XCG_TYPE_QM:
  case IKE_XCG_TYPE_CREATE_CHILD_SA:
    Exchange->HandleChildSa (UdpService, IkePacket);
    break;

  case IKE_XCG_TYPE_INFO:
  case IKE_XCG_TYPE_INFO2:
    Exchange->HandleInfo (UdpService, IkePacket);
    break;

  default:
    break;
  }

ON_EXIT:
  if (IkePacket != NULL) {
    IkePacketFree (IkePacket);
  }

  if (Packet != NULL) {
    NetbufFree (Packet);
  }

  UdpIoRecvDatagram (UdpService->Input, IkeDispatch, UdpService, 0);

  return ;
}

/**
  Delete all established IKE SAs and related Child SAs.

  This function is the subfunction of the IpSecCleanupAllSa(). It first calls
  IkeDeleteChildSa() to delete all Child SAs then send out the related
  Information packet.

  @param[in]  Private           Pointer of the IPSEC_PRIVATE_DATA
  @param[in]  IsDisableIpsec    Indicate whether needs to disable IPsec.

**/
VOID
IkeDeleteAllSas (
  IN IPSEC_PRIVATE_DATA  *Private,
  IN BOOLEAN             IsDisableIpsec
  )
{
  LIST_ENTRY             *Entry;
  LIST_ENTRY             *NextEntry;
  IKEV2_SA_SESSION       *Ikev2SaSession;
  UINT8                  Value;
  EFI_STATUS             Status;
  IKE_EXCHANGE_INTERFACE *Exchange;
  UINT8                  IkeVersion;

  Exchange = NULL;

  //
  // If the IKEv1 is supported, first deal with the Ikev1Estatblished list.
  //

  //
  // If IKEv2 SAs are under establishing, delete it directly.
  //
  if (!IsListEmpty (&Private->Ikev2SessionList)) {
    NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {
      Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
      RemoveEntryList (Entry);
      Ikev2SaSessionFree (Ikev2SaSession);
    }
  }

  //
  // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE
  // and turn off the IsIPsecDisabling flag.
  //
  if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {
    Value = IPSEC_STATUS_DISABLED;
    Status = gRT->SetVariable (
               IPSECCONFIG_STATUS_NAME,
               &gEfiIpSecConfigProtocolGuid,
               EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
               sizeof (Value),
               &Value
               );
    if (!EFI_ERROR (Status)) {
      Private->IpSec.DisabledFlag = TRUE;
      Private->IsIPsecDisabling   = FALSE;
      return ;
    }
  }

  //
  // Delete established IKEv2 SAs.
  //
  if (!IsListEmpty (&Private->Ikev2EstablishedList)) {
    for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {
      Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
      Entry = Entry->ForwardLink;

      Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;

      //
      // Call for Information Exchange.
      //
      IkeVersion = IkeGetVersionFromSession ((UINT8*)Ikev2SaSession);
      if (IkeVersion == 2) {
        Exchange = mIkeExchange[IkeVersion - 1];
        Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);
      }
    }
  }

}