xref: /device/linaro/bootloader/edk2/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c

/** @file
  The implementation of policy entry operation function in IpSecConfig application.

  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>

  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
  which accompanies this distribution.  The full text of the license may be found at
  http://opensource.org/licenses/bsd-license.php.

  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

**/

#include "IpSecConfig.h"
#include "Indexer.h"
#include "Match.h"
#include "Helper.h"
#include "ForEach.h"
#include "PolicyEntryOperation.h"

/**
  Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.

  @param[out]     Selector        The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
  @param[in]      ParamPackage    The pointer to the ParamPackage list.
  @param[in, out] Mask            The pointer to the Mask.

  @retval EFI_SUCCESS              Fill in EFI_IPSEC_SPD_SELECTOR successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.

**/
EFI_STATUS
CreateSpdSelector (
     OUT EFI_IPSEC_SPD_SELECTOR    *Selector,
  IN     LIST_ENTRY                *ParamPackage,
  IN OUT UINT32                    *Mask
  )
{
  EFI_STATUS      Status;
  EFI_STATUS      ReturnStatus;
  CONST CHAR16    *ValueStr;

  Status       = EFI_SUCCESS;
  ReturnStatus = EFI_SUCCESS;

  //
  // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local");
  if (ValueStr != NULL) {
    Selector->LocalAddressCount = 1;
    Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->LocalAddress);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--local",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= LOCAL;
    }
  }

  //
  // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote");
  if (ValueStr != NULL) {
    Selector->RemoteAddressCount = 1;
    Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->RemoteAddress);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--remote",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= REMOTE;
    }
  }

  Selector->NextLayerProtocol = EFI_IPSEC_ANY_PROTOCOL;

  //
  // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
  //
  Status = GetNumber (
             L"--proto",
             (UINT16) -1,
             &Selector->NextLayerProtocol,
             sizeof (UINT16),
             mMapIpProtocol,
             ParamPackage,
             FORMAT_NUMBER | FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= PROTO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Selector->LocalPort  = EFI_IPSEC_ANY_PORT;
  Selector->RemotePort = EFI_IPSEC_ANY_PORT;

  //
  // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local-port");
  if (ValueStr != NULL) {
    Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->LocalPort, &Selector->LocalPortRange);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--local-port",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= LOCAL_PORT;
    }
  }

  //
  // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote-port");
  if (ValueStr != NULL) {
    Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->RemotePort, &Selector->RemotePortRange);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--remote-port",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= REMOTE_PORT;
    }
  }

  //
  // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
  //
  Status = GetNumber (
             L"--icmp-type",
             (UINT8) -1,
             &Selector->LocalPort,
             sizeof (UINT16),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= ICMP_TYPE;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
  //
  Status = GetNumber (
             L"--icmp-code",
             (UINT8) -1,
             &Selector->RemotePort,
             sizeof (UINT16),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= ICMP_CODE;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  return ReturnStatus;
}

/**
  Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.

  @param[out] Selector        The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
  @param[out] Data            The pointer to the EFI_IPSEC_SPD_DATA structure.
  @param[in]  ParamPackage    The pointer to the ParamPackage list.
  @param[out] Mask            The pointer to the Mask.
  @param[in]  CreateNew       The switch to create new.

  @retval EFI_SUCCESS              Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.

**/
EFI_STATUS
CreateSpdEntry (
  OUT EFI_IPSEC_SPD_SELECTOR    **Selector,
  OUT EFI_IPSEC_SPD_DATA        **Data,
  IN  LIST_ENTRY                *ParamPackage,
  OUT UINT32                    *Mask,
  IN  BOOLEAN                   CreateNew
  )
{
  EFI_STATUS      Status;
  EFI_STATUS      ReturnStatus;
  CONST CHAR16    *ValueStr;
  UINTN           DataSize;

  Status    = EFI_SUCCESS;
  *Mask     = 0;

  *Selector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR) + 2 * sizeof (EFI_IP_ADDRESS_INFO));
  ASSERT (*Selector != NULL);

  (*Selector)->LocalAddress  = (EFI_IP_ADDRESS_INFO *) (*Selector + 1);
  (*Selector)->RemoteAddress = (*Selector)->LocalAddress + 1;

  ReturnStatus = CreateSpdSelector (*Selector, ParamPackage, Mask);

  //
  // SPD DATA
  // NOTE: Allocate enough memory and add padding for different arch.
  //
  DataSize  = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA));
  DataSize  = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_PROCESS_POLICY));
  DataSize += sizeof (EFI_IPSEC_TUNNEL_OPTION);

  *Data = AllocateZeroPool (DataSize);
  ASSERT (*Data != NULL);

  (*Data)->ProcessingPolicy               = (EFI_IPSEC_PROCESS_POLICY *) ALIGN_POINTER (
                                                                           (*Data + 1),
                                                                           sizeof (UINTN)
                                                                           );
  (*Data)->ProcessingPolicy->TunnelOption = (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER (
                                                                          ((*Data)->ProcessingPolicy + 1),
                                                                          sizeof (UINTN)
                                                                          );


  //
  // Convert user imput from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--name");
  if (ValueStr != NULL) {
    UnicodeStrToAsciiStr (ValueStr, (CHAR8 *) (*Data)->Name);
    *Mask |= NAME;
  }

  //
  // Convert user imput from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.
  //
  Status = GetNumber (
             L"--packet-flag",
             (UINT8) -1,
             &(*Data)->PackageFlag,
             sizeof (UINT32),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= PACKET_FLAG;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // Convert user imput from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.
  //
  Status = GetNumber (
             L"--action",
             (UINT8) -1,
             &(*Data)->Action,
             sizeof (UINT32),
             mMapIpSecAction,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= ACTION;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // Convert user imput from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.
  //
  if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence")) {
    (*Data)->ProcessingPolicy->ExtSeqNum   = TRUE;
    *Mask |= EXT_SEQUENCE;
  } else if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence-")) {
    (*Data)->ProcessingPolicy->ExtSeqNum   = FALSE;
    *Mask |= EXT_SEQUENCE;
  }

  //
  // Convert user imput from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.
  //
  if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow")) {
    (*Data)->ProcessingPolicy->SeqOverflow = TRUE;
    *Mask |= SEQUENCE_OVERFLOW;
  } else if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow-")) {
    (*Data)->ProcessingPolicy->SeqOverflow = FALSE;
    *Mask |= SEQUENCE_OVERFLOW;
  }

  //
  // Convert user imput from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.
  //
  if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check")) {
    (*Data)->ProcessingPolicy->FragCheck   = TRUE;
    *Mask |= FRAGMENT_CHECK;
  } else if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check-")) {
    (*Data)->ProcessingPolicy->FragCheck   = FALSE;
    *Mask |= FRAGMENT_CHECK;
  }

  //
  // Convert user imput from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.
  //
  Status = GetNumber (
             L"--lifebyte",
             (UINT64) -1,
             &(*Data)->ProcessingPolicy->SaLifetime.ByteCount,
             sizeof (UINT64),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= LIFEBYTE;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--lifetime",
             (UINT64) -1,
             &(*Data)->ProcessingPolicy->SaLifetime.HardLifetime,
             sizeof (UINT64),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= LIFETIME;
  }
  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--lifetime-soft",
             (UINT64) -1,
             &(*Data)->ProcessingPolicy->SaLifetime.SoftLifetime,
             sizeof (UINT64),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= LIFETIME_SOFT;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  (*Data)->ProcessingPolicy->Mode = EfiIPsecTransport;
  Status = GetNumber (
             L"--mode",
             0,
             &(*Data)->ProcessingPolicy->Mode,
             sizeof (UINT32),
             mMapIpSecMode,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= MODE;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-local");
  if (ValueStr != NULL) {
    Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->LocalTunnelAddress);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--tunnel-local",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= TUNNEL_LOCAL;
    }
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-remote");
  if (ValueStr != NULL) {
    Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->RemoteTunnelAddress);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--tunnel-remote",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= TUNNEL_REMOTE;
    }
  }

  (*Data)->ProcessingPolicy->TunnelOption->DF = EfiIPsecTunnelCopyDf;
  Status = GetNumber (
             L"--dont-fragment",
             0,
             &(*Data)->ProcessingPolicy->TunnelOption->DF,
             sizeof (UINT32),
             mMapDfOption,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= DONT_FRAGMENT;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  (*Data)->ProcessingPolicy->Proto = EfiIPsecESP;
  Status = GetNumber (
             L"--ipsec-proto",
             0,
             &(*Data)->ProcessingPolicy->Proto,
             sizeof (UINT32),
             mMapIpSecProtocol,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= IPSEC_PROTO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--encrypt-algo",
             0,
             &(*Data)->ProcessingPolicy->EncAlgoId,
             sizeof (UINT8),
             mMapEncAlgo,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= ENCRYPT_ALGO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--auth-algo",
             0,
             &(*Data)->ProcessingPolicy->AuthAlgoId,
             sizeof (UINT8),
             mMapAuthAlgo,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= AUTH_ALGO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set.
  //
  if ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE | DONT_FRAGMENT)) == 0) {
    (*Data)->ProcessingPolicy->TunnelOption = NULL;
  }

  if ((*Mask & (EXT_SEQUENCE | SEQUENCE_OVERFLOW | FRAGMENT_CHECK | LIFEBYTE |
                LIFETIME_SOFT | LIFETIME | MODE | TUNNEL_LOCAL | TUNNEL_REMOTE |
                DONT_FRAGMENT | IPSEC_PROTO | AUTH_ALGO | ENCRYPT_ALGO)) == 0) {
    if ((*Data)->Action != EfiIPsecActionProtect) {
      //
      // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL.
      //
      (*Data)->ProcessingPolicy = NULL;
    }
  }

  if (CreateNew) {
    if ((*Mask & (LOCAL | REMOTE | PROTO | ACTION)) != (LOCAL | REMOTE | PROTO | ACTION)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
        mHiiHandle,
        mAppName,
        L"--local --remote --proto --action"
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else if (((*Data)->Action == EfiIPsecActionProtect) &&
               ((*Data)->ProcessingPolicy->Mode == EfiIPsecTunnel) &&
               ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE))) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
        mHiiHandle,
        mAppName,
        L"--tunnel-local --tunnel-remote"
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    }
  }

  return ReturnStatus;
}

/**
  Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.

  @param[out] SaId            The pointer to the EFI_IPSEC_SA_ID structure.
  @param[out] Data            The pointer to the EFI_IPSEC_SA_DATA2 structure.
  @param[in]  ParamPackage    The pointer to the ParamPackage list.
  @param[out] Mask            The pointer to the Mask.
  @param[in]  CreateNew       The switch to create new.

  @retval EFI_SUCCESS              Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.

**/
EFI_STATUS
CreateSadEntry (
  OUT EFI_IPSEC_SA_ID      **SaId,
  OUT EFI_IPSEC_SA_DATA2   **Data,
  IN  LIST_ENTRY           *ParamPackage,
  OUT UINT32               *Mask,
  IN  BOOLEAN              CreateNew
  )
{
  EFI_STATUS      Status;
  EFI_STATUS      ReturnStatus;
  UINTN           AuthKeyLength;
  UINTN           EncKeyLength;
  CONST CHAR16    *ValueStr;
  CHAR8           *AsciiStr;
  UINTN           DataSize;

  Status        = EFI_SUCCESS;
  ReturnStatus  = EFI_SUCCESS;
  *Mask         = 0;
  AuthKeyLength = 0;
  EncKeyLength  = 0;

  *SaId = AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID));
  ASSERT (*SaId != NULL);

  //
  // Convert user imput from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.
  //
  Status = GetNumber (L"--spi", (UINT32) -1, &(*SaId)->Spi, sizeof (UINT32), NULL, ParamPackage, FORMAT_NUMBER);
  if (!EFI_ERROR (Status)) {
    *Mask |= SPI;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // Convert user imput from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.
  //
  Status = GetNumber (
             L"--ipsec-proto",
             0,
             &(*SaId)->Proto,
             sizeof (EFI_IPSEC_PROTOCOL_TYPE),
             mMapIpSecProtocol,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= IPSEC_PROTO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // Convert user imput from string to integer, and fill in EFI_IPSEC_SA_DATA2.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");
  if (ValueStr != NULL) {
    AuthKeyLength = StrLen (ValueStr);
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");
  if (ValueStr != NULL) {
    EncKeyLength = StrLen (ValueStr);
  }

  //
  // EFI_IPSEC_SA_DATA2:
  //   +------------
  //   | EFI_IPSEC_SA_DATA2
  //   +-----------------------
  //   | AuthKey
  //   +-------------------------
  //   | EncKey
  //   +-------------------------
  //   | SpdSelector
  //
  // Notes: To make sure the address alignment add padding after each data if needed.
  //
  DataSize  = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2));
  DataSize  = ALIGN_VARIABLE (DataSize + AuthKeyLength);
  DataSize  = ALIGN_VARIABLE (DataSize + EncKeyLength);
  DataSize  = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_SPD_SELECTOR));
  DataSize  = ALIGN_VARIABLE (DataSize + sizeof (EFI_IP_ADDRESS_INFO));
  DataSize += sizeof (EFI_IP_ADDRESS_INFO);



  *Data = AllocateZeroPool (DataSize);
  ASSERT (*Data != NULL);

  (*Data)->ManualSet                    = TRUE;
  (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER (((*Data) + 1), sizeof (UINTN));
  (*Data)->AlgoInfo.EspAlgoInfo.EncKey  = (VOID *) ALIGN_POINTER (
                                                     ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.AuthKey + AuthKeyLength),
                                                     sizeof (UINTN)
                                                     );
  (*Data)->SpdSelector                  = (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER (
                                                                       ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.EncKey + EncKeyLength),
                                                                       sizeof (UINTN)
                                                                       );
  (*Data)->SpdSelector->LocalAddress    = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (
                                                                    ((UINT8 *) (*Data)->SpdSelector + sizeof (EFI_IPSEC_SPD_SELECTOR)),
                                                                    sizeof (UINTN));
  (*Data)->SpdSelector->RemoteAddress   = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (
                                                                    (*Data)->SpdSelector->LocalAddress + 1,
                                                                    sizeof (UINTN)
                                                                    );

  (*Data)->Mode = EfiIPsecTransport;
  Status = GetNumber (
             L"--mode",
             0,
             &(*Data)->Mode,
             sizeof (EFI_IPSEC_MODE),
             mMapIpSecMode,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= MODE;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // According to RFC 4303-3.3.3. The first packet sent using a given SA
  // will contain a sequence number of 1.
  //
  (*Data)->SNCount = 1;
  Status = GetNumber (
             L"--sequence-number",
             (UINT64) -1,
             &(*Data)->SNCount,
             sizeof (UINT64),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= SEQUENCE_NUMBER;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  (*Data)->AntiReplayWindows = 0;
  Status = GetNumber (
             L"--antireplay-window",
             (UINT8) -1,
             &(*Data)->AntiReplayWindows,
             sizeof (UINT8),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= SEQUENCE_NUMBER;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--encrypt-algo",
             0,
             &(*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId,
             sizeof (UINT8),
             mMapEncAlgo,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= ENCRYPT_ALGO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");
  if (ValueStr != NULL ) {
    (*Data)->AlgoInfo.EspAlgoInfo.EncKeyLength = EncKeyLength;
    AsciiStr = AllocateZeroPool (EncKeyLength + 1);
    ASSERT (AsciiStr != NULL);
    UnicodeStrToAsciiStr (ValueStr, AsciiStr);
    CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.EncKey,  AsciiStr, EncKeyLength);
    FreePool (AsciiStr);
    *Mask |= ENCRYPT_KEY;
  } else {
    (*Data)->AlgoInfo.EspAlgoInfo.EncKey = NULL;
  }

  Status = GetNumber (
             L"--auth-algo",
             0,
             &(*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId,
             sizeof (UINT8),
             mMapAuthAlgo,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= AUTH_ALGO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");
  if (ValueStr != NULL) {
    (*Data)->AlgoInfo.EspAlgoInfo.AuthKeyLength = AuthKeyLength;
    AsciiStr = AllocateZeroPool (AuthKeyLength + 1);
    ASSERT (AsciiStr != NULL);
    UnicodeStrToAsciiStr (ValueStr, AsciiStr);
    CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.AuthKey, AsciiStr, AuthKeyLength);
    FreePool (AsciiStr);
    *Mask |= AUTH_KEY;
  } else {
    (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = NULL;
  }

  Status = GetNumber (
             L"--lifebyte",
             (UINT64) -1,
             &(*Data)->SaLifetime.ByteCount,
             sizeof (UINT64),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= LIFEBYTE;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--lifetime",
             (UINT64) -1,
             &(*Data)->SaLifetime.HardLifetime,
             sizeof (UINT64),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= LIFETIME;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--lifetime-soft",
             (UINT64) -1,
             &(*Data)->SaLifetime.SoftLifetime,
             sizeof (UINT64),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= LIFETIME_SOFT;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--path-mtu",
             (UINT32) -1,
             &(*Data)->PathMTU,
             sizeof (UINT32),
             NULL,
             ParamPackage,
             FORMAT_NUMBER
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= PATH_MTU;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  //
  // Convert user imput from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-dest");
  if (ValueStr != NULL) {
    Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelDestinationAddress);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--tunnel-dest",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= DEST;
    }
  }

  //
  // Convert user input from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-source");
  if (ValueStr != NULL) {
    Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelSourceAddress);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--tunnel-source",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= SOURCE;
    }
  }

  //
  // If it is TunnelMode, then check if the tunnel-source and --tunnel-dest are set
  //
  if ((*Data)->Mode == EfiIPsecTunnel) {
    if ((*Mask & (DEST|SOURCE)) != (DEST|SOURCE)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
        mHiiHandle,
        mAppName,
        L"--tunnel-source --tunnel-dest"
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    }
  }
  ReturnStatus = CreateSpdSelector ((*Data)->SpdSelector, ParamPackage, Mask);

  if (CreateNew) {
    if ((*Mask & (SPI|IPSEC_PROTO|LOCAL|REMOTE)) != (SPI|IPSEC_PROTO|LOCAL|REMOTE)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
        mHiiHandle,
        mAppName,
        L"--spi --ipsec-proto --local --remote"
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      if ((*SaId)->Proto == EfiIPsecAH) {
        if ((*Mask & AUTH_ALGO) == 0) {
          ShellPrintHiiEx (
            -1,
            -1,
            NULL,
            STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
            mHiiHandle,
            mAppName,
            L"--auth-algo"
            );
          ReturnStatus = EFI_INVALID_PARAMETER;
        } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) {
          ShellPrintHiiEx (
            -1,
            -1,
            NULL,
            STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
            mHiiHandle,
            mAppName,
            L"--auth-key"
            );
          ReturnStatus = EFI_INVALID_PARAMETER;
        }
      } else {
        if ((*Mask & (ENCRYPT_ALGO|AUTH_ALGO)) != (ENCRYPT_ALGO|AUTH_ALGO) ) {
          ShellPrintHiiEx (
            -1,
            -1,
            NULL,
            STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
            mHiiHandle,
            mAppName,
            L"--encrypt-algo --auth-algo"
            );
          ReturnStatus = EFI_INVALID_PARAMETER;
        } else if ((*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (*Mask & ENCRYPT_KEY) == 0) {
          ShellPrintHiiEx (
            -1,
            -1,
            NULL,
            STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
            mHiiHandle,
            mAppName,
            L"--encrypt-key"
            );
          ReturnStatus = EFI_INVALID_PARAMETER;
        } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) {
          ShellPrintHiiEx (
            -1,
            -1,
            NULL,
            STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
            mHiiHandle,
            mAppName,
            L"--auth-key"
            );
          ReturnStatus = EFI_INVALID_PARAMETER;
        }
      }
    }
  }

  return ReturnStatus;
}

/**
  Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.

  @param[out] PadId           The pointer to the EFI_IPSEC_PAD_ID structure.
  @param[out] Data            The pointer to the EFI_IPSEC_PAD_DATA structure.
  @param[in]  ParamPackage    The pointer to the ParamPackage list.
  @param[out] Mask            The pointer to the Mask.
  @param[in]  CreateNew       The switch to create new.

  @retval EFI_SUCCESS              Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.

**/
EFI_STATUS
CreatePadEntry (
  OUT EFI_IPSEC_PAD_ID      **PadId,
  OUT EFI_IPSEC_PAD_DATA    **Data,
  IN  LIST_ENTRY            *ParamPackage,
  OUT UINT32                *Mask,
  IN  BOOLEAN               CreateNew
  )
{
  EFI_STATUS         Status;
  EFI_STATUS         ReturnStatus;
  SHELL_FILE_HANDLE  FileHandle;
  UINT64             FileSize;
  UINTN              AuthDataLength;
  UINTN              RevocationDataLength;
  UINTN              DataLength;
  UINTN              Index;
  CONST CHAR16       *ValueStr;
  UINTN              DataSize;

  Status               = EFI_SUCCESS;
  ReturnStatus         = EFI_SUCCESS;
  *Mask                = 0;
  AuthDataLength       = 0;
  RevocationDataLength = 0;

  *PadId = AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID));
  ASSERT (*PadId != NULL);

  //
  // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_ID.
  //
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-address");
  if (ValueStr != NULL) {
    (*PadId)->PeerIdValid = FALSE;
    Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &(*PadId)->Id.IpAddress);
    if (EFI_ERROR (Status)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
        mHiiHandle,
        mAppName,
        L"--peer-address",
        ValueStr
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else {
      *Mask |= PEER_ADDRESS;
    }
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-id");
  if (ValueStr != NULL) {
    (*PadId)->PeerIdValid = TRUE;
    StrnCpyS ((CHAR16 *) (*PadId)->Id.PeerId, MAX_PEERID_LEN / sizeof (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1);
    *Mask |= PEER_ID;
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");
  if (ValueStr != NULL) {
    if (ValueStr[0] == L'@') {
      //
      // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
      //
      Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);
      if (EFI_ERROR (Status)) {
        ShellPrintHiiEx (
          -1,
          -1,
          NULL,
          STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
          mHiiHandle,
          mAppName,
          &ValueStr[1]
          );
        ReturnStatus = EFI_INVALID_PARAMETER;
      } else {
        Status = ShellGetFileSize (FileHandle, &FileSize);
        ShellCloseFile (&FileHandle);
        if (EFI_ERROR (Status)) {
          ShellPrintHiiEx (
            -1,
            -1,
            NULL,
            STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
            mHiiHandle,
            mAppName,
            &ValueStr[1]
            );
          ReturnStatus = EFI_INVALID_PARAMETER;
        } else {
          AuthDataLength = (UINTN) FileSize;
        }
      }
    } else {
      AuthDataLength = StrLen (ValueStr);
    }
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");
  if (ValueStr != NULL) {
    RevocationDataLength = (StrLen (ValueStr) + 1) * sizeof (CHAR16);
  }

  //
  // Allocate Buffer for Data. Add padding after each struct to make sure the alignment
  // in different Arch.
  //
  DataSize  = ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA));
  DataSize  = ALIGN_VARIABLE (DataSize + AuthDataLength);
  DataSize += RevocationDataLength;

  *Data = AllocateZeroPool (DataSize);
  ASSERT (*Data != NULL);

  (*Data)->AuthData       = (VOID *) ALIGN_POINTER ((*Data + 1), sizeof (UINTN));
  (*Data)->RevocationData = (VOID *) ALIGN_POINTER (((UINT8 *) (*Data + 1) + AuthDataLength), sizeof (UINTN));
  (*Data)->AuthProtocol   = EfiIPsecAuthProtocolIKEv1;

  //
  // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_DATA.
  //
  Status = GetNumber (
             L"--auth-proto",
             0,
             &(*Data)->AuthProtocol,
             sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE),
             mMapAuthProto,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= AUTH_PROTO;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  Status = GetNumber (
             L"--auth-method",
             0,
             &(*Data)->AuthMethod,
             sizeof (EFI_IPSEC_AUTH_METHOD),
             mMapAuthMethod,
             ParamPackage,
             FORMAT_STRING
             );
  if (!EFI_ERROR (Status)) {
    *Mask |= AUTH_METHOD;
  }

  if (Status == EFI_INVALID_PARAMETER) {
    ReturnStatus = EFI_INVALID_PARAMETER;
  }

  if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id")) {
    (*Data)->IkeIdFlag = TRUE;
    *Mask |= IKE_ID;
  }

  if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id-")) {
    (*Data)->IkeIdFlag = FALSE;
    *Mask |= IKE_ID;
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");
  if (ValueStr != NULL) {
    if (ValueStr[0] == L'@') {
      //
      // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
      //

      Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);
      if (EFI_ERROR (Status)) {
        ShellPrintHiiEx (
          -1,
          -1,
          NULL,
          STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
          mHiiHandle,
          mAppName,
          &ValueStr[1]
          );
        ReturnStatus = EFI_INVALID_PARAMETER;
        (*Data)->AuthData = NULL;
      } else {
        DataLength = AuthDataLength;
        Status     = ShellReadFile (FileHandle, &DataLength, (*Data)->AuthData);
        ShellCloseFile (&FileHandle);
        if (EFI_ERROR (Status)) {
          ShellPrintHiiEx (
            -1,
            -1,
            NULL,
            STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
            mHiiHandle,
            mAppName,
            &ValueStr[1]
            );
          ReturnStatus = EFI_INVALID_PARAMETER;
          (*Data)->AuthData = NULL;
        } else {
          ASSERT (DataLength == AuthDataLength);
          *Mask |= AUTH_DATA;
        }
      }
    } else {
      for (Index = 0; Index < AuthDataLength; Index++) {
        ((CHAR8 *) (*Data)->AuthData)[Index] = (CHAR8) ValueStr[Index];
      }
      (*Data)->AuthDataSize = AuthDataLength;
      *Mask |= AUTH_DATA;
    }
  }

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");
  if (ValueStr != NULL) {
    CopyMem ((*Data)->RevocationData, ValueStr, RevocationDataLength);
    (*Data)->RevocationDataSize = RevocationDataLength;
    *Mask |= REVOCATION_DATA;
  } else {
    (*Data)->RevocationData = NULL;
  }

  if (CreateNew) {
    if ((*Mask & (PEER_ID | PEER_ADDRESS)) == 0) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
        mHiiHandle,
        mAppName,
        L"--peer-id --peer-address"
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    } else if ((*Mask & (AUTH_METHOD | AUTH_DATA)) != (AUTH_METHOD | AUTH_DATA)) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
        mHiiHandle,
        mAppName,
        L"--auth-method --auth-data"
        );
      ReturnStatus = EFI_INVALID_PARAMETER;
    }
  }

  return ReturnStatus;
}

CREATE_POLICY_ENTRY mCreatePolicyEntry[] = {
  (CREATE_POLICY_ENTRY) CreateSpdEntry,
  (CREATE_POLICY_ENTRY) CreateSadEntry,
  (CREATE_POLICY_ENTRY) CreatePadEntry
};

/**
  Combine old SPD entry with new SPD entry.

  @param[in, out] OldSelector    The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
  @param[in, out] OldData        The pointer to the EFI_IPSEC_SPD_DATA structure.
  @param[in]      NewSelector    The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
  @param[in]      NewData        The pointer to the EFI_IPSEC_SPD_DATA structure.
  @param[in]      Mask           The pointer to the Mask.
  @param[out]     CreateNew      The switch to create new.

  @retval EFI_SUCCESS              Combined successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.

**/
EFI_STATUS
CombineSpdEntry (
  IN OUT EFI_IPSEC_SPD_SELECTOR    *OldSelector,
  IN OUT EFI_IPSEC_SPD_DATA        *OldData,
  IN     EFI_IPSEC_SPD_SELECTOR    *NewSelector,
  IN     EFI_IPSEC_SPD_DATA        *NewData,
  IN     UINT32                    Mask,
     OUT BOOLEAN                   *CreateNew
  )
{

  //
  // Process Selector
  //
  *CreateNew = FALSE;
  if ((Mask & LOCAL) == 0) {
    NewSelector->LocalAddressCount = OldSelector->LocalAddressCount;
    NewSelector->LocalAddress      = OldSelector->LocalAddress;
  } else if ((NewSelector->LocalAddressCount != OldSelector->LocalAddressCount) ||
             (CompareMem (NewSelector->LocalAddress, OldSelector->LocalAddress, NewSelector->LocalAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {
    *CreateNew = TRUE;
  }

  if ((Mask & REMOTE) == 0) {
    NewSelector->RemoteAddressCount = OldSelector->RemoteAddressCount;
    NewSelector->RemoteAddress      = OldSelector->RemoteAddress;
  } else if ((NewSelector->RemoteAddressCount != OldSelector->RemoteAddressCount) ||
             (CompareMem (NewSelector->RemoteAddress, OldSelector->RemoteAddress, NewSelector->RemoteAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {
    *CreateNew = TRUE;
  }

  if ((Mask & PROTO) == 0) {
    NewSelector->NextLayerProtocol = OldSelector->NextLayerProtocol;
  } else if (NewSelector->NextLayerProtocol != OldSelector->NextLayerProtocol) {
    *CreateNew = TRUE;
  }

  switch (NewSelector->NextLayerProtocol) {
    case EFI_IP4_PROTO_TCP:
    case EFI_IP4_PROTO_UDP:
      if ((Mask & LOCAL_PORT) == 0) {
        NewSelector->LocalPort      = OldSelector->LocalPort;
        NewSelector->LocalPortRange = OldSelector->LocalPortRange;
      } else if ((NewSelector->LocalPort != OldSelector->LocalPort) ||
        (NewSelector->LocalPortRange != OldSelector->LocalPortRange)) {
        *CreateNew = TRUE;
      }

      if ((Mask & REMOTE_PORT) == 0) {
        NewSelector->RemotePort      = OldSelector->RemotePort;
        NewSelector->RemotePortRange = OldSelector->RemotePortRange;
      } else if ((NewSelector->RemotePort != OldSelector->RemotePort) ||
        (NewSelector->RemotePortRange != OldSelector->RemotePortRange)) {
        *CreateNew = TRUE;
      }
      break;

    case EFI_IP4_PROTO_ICMP:
      if ((Mask & ICMP_TYPE) == 0) {
        NewSelector->LocalPort = OldSelector->LocalPort;
      } else if (NewSelector->LocalPort != OldSelector->LocalPort) {
        *CreateNew = TRUE;
      }

      if ((Mask & ICMP_CODE) == 0) {
        NewSelector->RemotePort = OldSelector->RemotePort;
      } else if (NewSelector->RemotePort != OldSelector->RemotePort) {
        *CreateNew = TRUE;
      }
      break;
  }
  //
  // Process Data
  //
  if ((Mask & NAME) != 0) {
    AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) NewData->Name);
  }

  if ((Mask & PACKET_FLAG) != 0) {
    OldData->PackageFlag = NewData->PackageFlag;
  }

  if ((Mask & ACTION) != 0) {
    OldData->Action = NewData->Action;
  }

  if (OldData->Action != EfiIPsecActionProtect) {
    OldData->ProcessingPolicy = NULL;
  } else {
    //
    // Protect
    //
    if (OldData->ProcessingPolicy == NULL) {
      //
      // Just point to new data if originally NULL.
      //
      OldData->ProcessingPolicy = NewData->ProcessingPolicy;
      if (OldData->ProcessingPolicy->Mode == EfiIPsecTunnel &&
          (Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)
        ) {
        //
        // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.
        //
        ShellPrintHiiEx (
          -1,
          -1,
          NULL,
          STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
          mHiiHandle,
          mAppName,
          L"--tunnel-local --tunnel-remote"
          );
        return EFI_INVALID_PARAMETER;
      }
    } else {
      //
      // Modify some of the data.
      //
      if ((Mask & EXT_SEQUENCE) != 0) {
        OldData->ProcessingPolicy->ExtSeqNum = NewData->ProcessingPolicy->ExtSeqNum;
      }

      if ((Mask & SEQUENCE_OVERFLOW) != 0) {
        OldData->ProcessingPolicy->SeqOverflow = NewData->ProcessingPolicy->SeqOverflow;
      }

      if ((Mask & FRAGMENT_CHECK) != 0) {
        OldData->ProcessingPolicy->FragCheck = NewData->ProcessingPolicy->FragCheck;
      }

      if ((Mask & LIFEBYTE) != 0) {
        OldData->ProcessingPolicy->SaLifetime.ByteCount = NewData->ProcessingPolicy->SaLifetime.ByteCount;
      }

      if ((Mask & LIFETIME_SOFT) != 0) {
        OldData->ProcessingPolicy->SaLifetime.SoftLifetime = NewData->ProcessingPolicy->SaLifetime.SoftLifetime;
      }

      if ((Mask & LIFETIME) != 0) {
        OldData->ProcessingPolicy->SaLifetime.HardLifetime = NewData->ProcessingPolicy->SaLifetime.HardLifetime;
      }

      if ((Mask & MODE) != 0) {
        OldData->ProcessingPolicy->Mode = NewData->ProcessingPolicy->Mode;
      }

      if ((Mask & IPSEC_PROTO) != 0) {
        OldData->ProcessingPolicy->Proto = NewData->ProcessingPolicy->Proto;
      }

      if ((Mask & AUTH_ALGO) != 0) {
        OldData->ProcessingPolicy->AuthAlgoId = NewData->ProcessingPolicy->AuthAlgoId;
      }

      if ((Mask & ENCRYPT_ALGO) != 0) {
        OldData->ProcessingPolicy->EncAlgoId = NewData->ProcessingPolicy->EncAlgoId;
      }

      if (OldData->ProcessingPolicy->Mode != EfiIPsecTunnel) {
        OldData->ProcessingPolicy->TunnelOption = NULL;
      } else {
        if (OldData->ProcessingPolicy->TunnelOption == NULL) {
          //
          // Set from Transport mode to Tunnel mode, should ensure TUNNEL_LOCAL & TUNNEL_REMOTE both exists.
          //
          if ((Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)) {
            ShellPrintHiiEx (
              -1,
              -1,
              NULL,
              STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
              mHiiHandle,
              mAppName,
              L"--tunnel-local --tunnel-remote"
              );
            return EFI_INVALID_PARAMETER;
          }

          OldData->ProcessingPolicy->TunnelOption = NewData->ProcessingPolicy->TunnelOption;
        } else {
          if ((Mask & TUNNEL_LOCAL) != 0) {
            CopyMem (
              &OldData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
              &NewData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
              sizeof (EFI_IP_ADDRESS)
              );
          }

          if ((Mask & TUNNEL_REMOTE) != 0) {
            CopyMem (
              &OldData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
              &NewData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
              sizeof (EFI_IP_ADDRESS)
              );
          }

          if ((Mask & DONT_FRAGMENT) != 0) {
            OldData->ProcessingPolicy->TunnelOption->DF = NewData->ProcessingPolicy->TunnelOption->DF;
          }
        }
      }
    }
  }

  return EFI_SUCCESS;
}

/**
  Combine old SAD entry with new SAD entry.

  @param[in, out] OldSaId      The pointer to the EFI_IPSEC_SA_ID structure.
  @param[in, out] OldData      The pointer to the EFI_IPSEC_SA_DATA2 structure.
  @param[in]      NewSaId      The pointer to the EFI_IPSEC_SA_ID structure.
  @param[in]      NewData      The pointer to the EFI_IPSEC_SA_DATA2 structure.
  @param[in]      Mask         The pointer to the Mask.
  @param[out]     CreateNew    The switch to create new.

  @retval EFI_SUCCESS              Combined successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.

**/
EFI_STATUS
CombineSadEntry (
  IN OUT EFI_IPSEC_SA_ID      *OldSaId,
  IN OUT EFI_IPSEC_SA_DATA2   *OldData,
  IN     EFI_IPSEC_SA_ID      *NewSaId,
  IN     EFI_IPSEC_SA_DATA2   *NewData,
  IN     UINT32               Mask,
     OUT BOOLEAN              *CreateNew
  )
{

  *CreateNew = FALSE;

  if ((Mask & SPI) == 0) {
    NewSaId->Spi = OldSaId->Spi;
  } else if (NewSaId->Spi != OldSaId->Spi) {
    *CreateNew = TRUE;
  }

  if ((Mask & IPSEC_PROTO) == 0) {
    NewSaId->Proto = OldSaId->Proto;
  } else if (NewSaId->Proto != OldSaId->Proto) {
    *CreateNew = TRUE;
  }

  if ((Mask & DEST) == 0) {
    CopyMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS));
  } else if (CompareMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
    *CreateNew = TRUE;
  }

  if ((Mask & SOURCE) == 0) {
    CopyMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS));
  } else if (CompareMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
    *CreateNew = TRUE;
  }
  //
  // Process SA_DATA.
  //
  if ((Mask & MODE) != 0) {
    OldData->Mode = NewData->Mode;
  }

  if ((Mask & SEQUENCE_NUMBER) != 0) {
    OldData->SNCount = NewData->SNCount;
  }

  if ((Mask & ANTIREPLAY_WINDOW) != 0) {
    OldData->AntiReplayWindows = NewData->AntiReplayWindows;
  }

  if ((Mask & AUTH_ALGO) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId    = NewData->AlgoInfo.EspAlgoInfo.AuthAlgoId;
  }

  if ((Mask & AUTH_KEY) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.AuthKey       = NewData->AlgoInfo.EspAlgoInfo.AuthKey;
    OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength = NewData->AlgoInfo.EspAlgoInfo.AuthKeyLength;
  }

  if ((Mask & ENCRYPT_ALGO) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.EncAlgoId     = NewData->AlgoInfo.EspAlgoInfo.EncAlgoId;
  }

  if ((Mask & ENCRYPT_KEY) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.EncKey        = NewData->AlgoInfo.EspAlgoInfo.EncKey;
    OldData->AlgoInfo.EspAlgoInfo.EncKeyLength  = NewData->AlgoInfo.EspAlgoInfo.EncKeyLength;
  }

  if (NewSaId->Proto == EfiIPsecAH) {
    if ((Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) != 0) {
      //
      // Should not provide encrypt_* if AH.
      //
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER),
        mHiiHandle,
        mAppName,
        L"--encrypt-algo --encrypt-key"
        );
      return EFI_INVALID_PARAMETER;
    }
  }

  if (NewSaId->Proto == EfiIPsecESP && OldSaId->Proto == EfiIPsecAH) {
    //
    // AH -> ESP
    // Should provide encrypt_algo at least.
    //
    if ((Mask & ENCRYPT_ALGO) == 0) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
        mHiiHandle,
        mAppName,
        L"--encrypt-algo"
        );
      return EFI_INVALID_PARAMETER;
    }

    //
    // Encrypt_key should be provided if algorithm is not NONE.
    //
    if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (Mask & ENCRYPT_KEY) == 0) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
        mHiiHandle,
        mAppName,
        L"--encrypt-algo"
        );
      return EFI_INVALID_PARAMETER;
    }
  }

  if ((Mask & LIFEBYTE) != 0) {
    OldData->SaLifetime.ByteCount    = NewData->SaLifetime.ByteCount;
  }

  if ((Mask & LIFETIME_SOFT) != 0) {
    OldData->SaLifetime.SoftLifetime = NewData->SaLifetime.SoftLifetime;
  }

  if ((Mask & LIFETIME) != 0) {
    OldData->SaLifetime.HardLifetime = NewData->SaLifetime.HardLifetime;
  }

  if ((Mask & PATH_MTU) != 0) {
    OldData->PathMTU                 = NewData->PathMTU;
  }
  //
  // Process SpdSelector.
  //
  if (OldData->SpdSelector == NULL) {
    if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0) {
      if ((Mask & (LOCAL | REMOTE | PROTO)) != (LOCAL | REMOTE | PROTO)) {
        ShellPrintHiiEx (
          -1,
          -1,
          NULL,
          STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
          mHiiHandle,
          mAppName,
          L"--local --remote --proto"
          );
        return EFI_INVALID_PARAMETER;
      }

      OldData->SpdSelector = NewData->SpdSelector;
    }
  } else {
    if ((Mask & LOCAL) != 0) {
      OldData->SpdSelector->LocalAddressCount  = NewData->SpdSelector->LocalAddressCount;
      OldData->SpdSelector->LocalAddress       = NewData->SpdSelector->LocalAddress;
    }

    if ((Mask & REMOTE) != 0) {
      OldData->SpdSelector->RemoteAddressCount = NewData->SpdSelector->RemoteAddressCount;
      OldData->SpdSelector->RemoteAddress      = NewData->SpdSelector->RemoteAddress;
    }

    if ((Mask & PROTO) != 0) {
      OldData->SpdSelector->NextLayerProtocol  = NewData->SpdSelector->NextLayerProtocol;
    }

    if (OldData->SpdSelector != NULL) {
      switch (OldData->SpdSelector->NextLayerProtocol) {
        case EFI_IP4_PROTO_TCP:
        case EFI_IP4_PROTO_UDP:
          if ((Mask & LOCAL_PORT) != 0) {
            OldData->SpdSelector->LocalPort  = NewData->SpdSelector->LocalPort;
          }

          if ((Mask & REMOTE_PORT) != 0) {
            OldData->SpdSelector->RemotePort = NewData->SpdSelector->RemotePort;
          }
          break;

        case EFI_IP4_PROTO_ICMP:
          if ((Mask & ICMP_TYPE) != 0) {
            OldData->SpdSelector->LocalPort  = (UINT8) NewData->SpdSelector->LocalPort;
          }

          if ((Mask & ICMP_CODE) != 0) {
            OldData->SpdSelector->RemotePort = (UINT8) NewData->SpdSelector->RemotePort;
          }
          break;
      }
    }
  }

  return EFI_SUCCESS;
}

/**
  Combine old PAD entry with new PAD entry.

  @param[in, out] OldPadId     The pointer to the EFI_IPSEC_PAD_ID structure.
  @param[in, out] OldData      The pointer to the EFI_IPSEC_PAD_DATA structure.
  @param[in]      NewPadId     The pointer to the EFI_IPSEC_PAD_ID structure.
  @param[in]      NewData      The pointer to the EFI_IPSEC_PAD_DATA structure.
  @param[in]      Mask         The pointer to the Mask.
  @param[out]     CreateNew    The switch to create new.

  @retval EFI_SUCCESS              Combined successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.

**/
EFI_STATUS
CombinePadEntry (
  IN OUT EFI_IPSEC_PAD_ID      *OldPadId,
  IN OUT EFI_IPSEC_PAD_DATA    *OldData,
  IN     EFI_IPSEC_PAD_ID      *NewPadId,
  IN     EFI_IPSEC_PAD_DATA    *NewData,
  IN     UINT32                Mask,
     OUT BOOLEAN               *CreateNew
  )
{

  *CreateNew = FALSE;

  if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) {
    CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID));
  } else {
    if ((Mask & PEER_ID) != 0) {
      if (OldPadId->PeerIdValid) {
        if (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId) != 0) {
          *CreateNew = TRUE;
        }
      } else {
        *CreateNew = TRUE;
      }
    } else {
      //
      // MASK & PEER_ADDRESS
      //
      if (OldPadId->PeerIdValid) {
        *CreateNew = TRUE;
      } else {
        if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) ||
            (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength)) {
          *CreateNew = TRUE;
        }
      }
    }
  }

  if ((Mask & AUTH_PROTO) != 0) {
    OldData->AuthProtocol = NewData->AuthProtocol;
  }

  if ((Mask & AUTH_METHOD) != 0) {
    OldData->AuthMethod = NewData->AuthMethod;
  }

  if ((Mask & IKE_ID) != 0) {
    OldData->IkeIdFlag = NewData->IkeIdFlag;
  }

  if ((Mask & AUTH_DATA) != 0) {
    OldData->AuthDataSize = NewData->AuthDataSize;
    OldData->AuthData     = NewData->AuthData;
  }

  if ((Mask & REVOCATION_DATA) != 0) {
    OldData->RevocationDataSize = NewData->RevocationDataSize;
    OldData->RevocationData     = NewData->RevocationData;
  }

  return EFI_SUCCESS;
}

COMBINE_POLICY_ENTRY mCombinePolicyEntry[] = {
  (COMBINE_POLICY_ENTRY) CombineSpdEntry,
  (COMBINE_POLICY_ENTRY) CombineSadEntry,
  (COMBINE_POLICY_ENTRY) CombinePadEntry
};

/**
  Edit entry information in the database.

  @param[in] Selector    The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
  @param[in] Data        The pointer to the data.
  @param[in] Context     The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.

  @retval EFI_SUCCESS    Continue the iteration.
  @retval EFI_ABORTED    Abort the iteration.
**/
EFI_STATUS
EditOperatePolicyEntry (
  IN EFI_IPSEC_CONFIG_SELECTOR    *Selector,
  IN VOID                         *Data,
  IN EDIT_POLICY_ENTRY_CONTEXT    *Context
  )
{
  EFI_STATUS    Status;
  BOOLEAN       CreateNew;

  if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
    ASSERT (Context->DataType < 3);

    Status = mCombinePolicyEntry[Context->DataType] (
               Selector,
               Data,
               Context->Selector,
               Context->Data,
               Context->Mask,
               &CreateNew
               );
    if (!EFI_ERROR (Status)) {
      if (CreateNew) {
        //
        // Insert new entry before old entry
        //
        Status = mIpSecConfig->SetData (
                                 mIpSecConfig,
                                 Context->DataType,
                                 Context->Selector,
                                 Data,
                                 Selector
                                 );
        ASSERT_EFI_ERROR (Status);
        //
        // Delete old entry
        //
        Status = mIpSecConfig->SetData (
                                 mIpSecConfig,
                                 Context->DataType,
                                 Selector,
                                 NULL,
                                 NULL
                                 );
        ASSERT_EFI_ERROR (Status);
      } else {
        Status = mIpSecConfig->SetData (
                                 mIpSecConfig,
                                 Context->DataType,
                                 Context->Selector,
                                 Data,
                                 NULL
                                 );
      }
    }

    Context->Status = Status;
    return EFI_ABORTED;
  }

  return EFI_SUCCESS;
}

/**
  Edit entry information in database according to datatype.

  @param[in] DataType        The value of EFI_IPSEC_CONFIG_DATA_TYPE.
  @param[in] ParamPackage    The pointer to the ParamPackage list.

  @retval EFI_SUCCESS             Edit entry information successfully.
  @retval EFI_NOT_FOUND           Can't find the specified entry.
  @retval Others                  Some mistaken case.
**/
EFI_STATUS
EditPolicyEntry (
  IN EFI_IPSEC_CONFIG_DATA_TYPE    DataType,
  IN LIST_ENTRY                    *ParamPackage
  )
{
  EFI_STATUS                   Status;
  EDIT_POLICY_ENTRY_CONTEXT    Context;
  CONST CHAR16                 *ValueStr;

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
  if (ValueStr == NULL) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
    return EFI_NOT_FOUND;
  }

  Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
  if (!EFI_ERROR (Status)) {
    Context.DataType = DataType;
    Context.Status   = EFI_NOT_FOUND;
    Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE);
    if (!EFI_ERROR (Status)) {
      ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context);
      Status = Context.Status;
    }

    if (Context.Selector != NULL) {
      gBS->FreePool (Context.Selector);
    }

    if (Context.Data != NULL) {
      gBS->FreePool (Context.Data);
    }
  }

  if (Status == EFI_NOT_FOUND) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
  } else if (EFI_ERROR (Status)) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName);
  }

  return Status;

}

/**
  Insert entry information in database.

  @param[in] Selector    The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
  @param[in] Data        The pointer to the data.
  @param[in] Context     The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.

  @retval EFI_SUCCESS    Continue the iteration.
  @retval EFI_ABORTED    Abort the iteration.
**/
EFI_STATUS
InsertPolicyEntry (
  IN EFI_IPSEC_CONFIG_SELECTOR      *Selector,
  IN VOID                           *Data,
  IN INSERT_POLICY_ENTRY_CONTEXT    *Context
  )
{
  //
  // Found the entry which we want to insert before.
  //
  if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {

    Context->Status = mIpSecConfig->SetData (
                                      mIpSecConfig,
                                      Context->DataType,
                                      Context->Selector,
                                      Context->Data,
                                      Selector
                                      );
    //
    // Abort the iteration after the insertion.
    //
    return EFI_ABORTED;
  }

  return EFI_SUCCESS;
}

/**
  Insert or add entry information in database according to datatype.

  @param[in] DataType        The value of EFI_IPSEC_CONFIG_DATA_TYPE.
  @param[in] ParamPackage    The pointer to the ParamPackage list.

  @retval EFI_SUCCESS             Insert or add entry information successfully.
  @retval EFI_NOT_FOUND           Can't find the specified entry.
  @retval EFI_BUFFER_TOO_SMALL    The entry already existed.
  @retval EFI_UNSUPPORTED         The operation is not supported.
  @retval Others                  Some mistaken case.
**/
EFI_STATUS
AddOrInsertPolicyEntry (
  IN EFI_IPSEC_CONFIG_DATA_TYPE    DataType,
  IN LIST_ENTRY                    *ParamPackage
  )
{
  EFI_STATUS                     Status;
  EFI_IPSEC_CONFIG_SELECTOR      *Selector;
  VOID                           *Data;
  INSERT_POLICY_ENTRY_CONTEXT    Context;
  UINT32                         Mask;
  UINTN                          DataSize;
  CONST CHAR16                   *ValueStr;

  Status = mCreatePolicyEntry[DataType] (&Selector, &Data, ParamPackage, &Mask, TRUE);
  if (!EFI_ERROR (Status)) {
    //
    // Find if the Selector to be inserted already exists.
    //
    DataSize = 0;
    Status = mIpSecConfig->GetData (
                             mIpSecConfig,
                             DataType,
                             Selector,
                             &DataSize,
                             NULL
                             );
    if (Status == EFI_BUFFER_TOO_SMALL) {
      ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS), mHiiHandle, mAppName);
    } else if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {
      Status = mIpSecConfig->SetData (
                               mIpSecConfig,
                               DataType,
                               Selector,
                               Data,
                               NULL
                               );
    } else {
      ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
      if (ValueStr == NULL) {
        ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
        return EFI_NOT_FOUND;
      }

      Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
      if (!EFI_ERROR (Status)) {
        Context.DataType  = DataType;
        Context.Status    = EFI_NOT_FOUND;
        Context.Selector  = Selector;
        Context.Data      = Data;

        ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) InsertPolicyEntry, &Context);
        Status = Context.Status;
        if (Status == EFI_NOT_FOUND) {
          ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
        }
      }
    }

    gBS->FreePool (Selector);
    gBS->FreePool (Data);
  }

  if (Status == EFI_UNSUPPORTED) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT), mHiiHandle, mAppName);
  } else if (EFI_ERROR (Status)) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED), mHiiHandle, mAppName);
  }

  return Status;
}