1 /** @file
2   The common definition of IPsec Key Exchange (IKE).
3 
4   Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
5 
6   This program and the accompanying materials
7   are licensed and made available under the terms and conditions of the BSD License
8   which accompanies this distribution.  The full text of the license may be found at
9   http://opensource.org/licenses/bsd-license.php.
10 
11   THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12   WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13 
14 
15 **/
16 
17 #ifndef _IKE_H_
18 #define _IKE_H_
19 
20 #include <Library/UdpIoLib.h>
21 #include <Library/BaseCryptLib.h>
22 #include "IpSecImpl.h"
23 
//
// The IKE_HEADER.Version octet packs the major version in the high nibble and
// the minor version in the low nibble. The masks and helper macros below
// split it; each macro evaluates its argument once and yields a value 0..15.
//
#define IKE_VERSION_MAJOR_MASK  0xf0
#define IKE_VERSION_MINOR_MASK  0x0f

#define IKE_MAJOR_VERSION(v)    (((v) & IKE_VERSION_MAJOR_MASK) >> 4)
#define IKE_MINOR_VERSION(v)    ((v) & IKE_VERSION_MINOR_MASK)
29 
//
// Protocol identifier values shared by IKEv1 and IKEv2.
//
#define IPSEC_PROTO_ISAKMP    1
#define IPSEC_PROTO_IPSEC_AH  2
#define IPSEC_PROTO_IPSEC_ESP 3
#define IPSEC_PROTO_IPCOMP    4 // For IKEv1 this value is reserved
37 
//
// Algorithm categories used when searching the supported-algorithm list.
// IKE_PRF_TYPE and IKE_DH_TYPE apply to IKEv2 only.
//
#define IKE_ENCRYPT_TYPE      0
#define IKE_AUTH_TYPE         1
#define IKE_PRF_TYPE          2
#define IKE_DH_TYPE           3
45 
//
// Encryption algorithm identifiers present in the IKEv1 phase 2 proposal and
// in the IKEv2 Transform payload (Transform Type 1).
// NOTE(review): DES, DES_IV64, DES_IV32 and RC4 are obsolete ciphers; confirm
// that the supported-algorithm list neither offers nor accepts them.
//
#define IPSEC_ESP_DES_IV64            1
#define IPSEC_ESP_DES                 2
#define IPSEC_ESP_3DES                3
#define IPSEC_ESP_RC5                 4
#define IPSEC_ESP_IDEA                5
#define IPSEC_ESP_CAST                6
#define IPSEC_ESP_BLOWFISH            7
#define IPSEC_ESP_3IDEA               8
#define IPSEC_ESP_DES_IV32            9
#define IPSEC_ESP_RC4                 10  // It's reserved in IKEv2
#define IPSEC_ESP_NULL                11
#define IPSEC_ESP_AES                 12
61 
//
// Exchange types carried in IKE_HEADER.ExchangeType.
// Values 0..5 and 32..33 are the IKEv1/ISAKMP exchanges (QM = Quick Mode,
// NGM = New Group Mode); values 34..37 are the IKEv2 exchanges.
//
#define IKE_XCG_TYPE_NONE             0
#define IKE_XCG_TYPE_BASE             1
#define IKE_XCG_TYPE_IDENTITY_PROTECT 2
#define IKE_XCG_TYPE_AUTH_ONLY        3
#define IKE_XCG_TYPE_AGGR             4
#define IKE_XCG_TYPE_INFO             5
#define IKE_XCG_TYPE_QM               32
#define IKE_XCG_TYPE_NGM              33
#define IKE_XCG_TYPE_SA_INIT          34
#define IKE_XCG_TYPE_AUTH             35
#define IKE_XCG_TYPE_CREATE_CHILD_SA  36
#define IKE_XCG_TYPE_INFO2            37
74 
//
// SA lifetime type attribute values: the lifetime is expressed either in
// seconds or in kilobytes of traffic.
//
#define IKE_LIFE_TYPE_SECONDS         1
#define IKE_LIFE_TYPE_KILOBYTES       2

//
// Default IKE SA lifetime and CHILD SA lifetime (presumably in seconds;
// confirm against the lifetime type they are applied with).
//
#define IKE_SA_DEFAULT_LIFETIME       1200
#define CHILD_SA_DEFAULT_LIFETIME     3600
83 
//
// Next Payload value inside a Proposal payload: MORE when another proposal
// follows, NONE for the last proposal.
//
#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE  2
#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE  0

//
// Next Payload value inside a Transform payload: MORE when another transform
// follows, NONE for the last transform.
//
#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3
#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0
95 
//
// Max size of the SA attributes carried by one Transform payload (presumably
// bytes; confirm where the buffer is declared).
//
#define MAX_SA_ATTRS_SIZE     48
//
// Attribute Format (AF) bit of IKE_SA_ATTRIBUTE.AttrType. As the member names
// of IKE_SA_ATTR_UNION suggest, a set bit means a Type/Value attribute
// (Attr.AttrValue), a clear bit means Type/Length/Value (Attr.AttrLength is
// the length of the data that follows the 4-byte attribute header).
// NOTE(review): AttrLength originates from the peer; a parser must bound it by
// the bytes remaining in the payload before reading the value.
//
#define SA_ATTR_FORMAT_BIT    0x8000
//
// The signature used to validate Information Message ID records.
//
#define INFO_MID_SIGNATURE    SIGNATURE_32 ('I', 'N', 'F', 'M')
105 
//
// Type of an IKE session common structure: the IKE SA itself, a Child SA,
// or an informational exchange. IkeSessionTypeMax is an upper bound, not a
// valid session type.
//
typedef enum {
  IkeSessionTypeIkeSa,
  IkeSessionTypeChildSa,
  IkeSessionTypeInfo,
  IkeSessionTypeMax
} IKE_SESSION_TYPE;
115 
//
// Diffie-Hellman group identifiers, as defined in RFC 2409 (groups 1..5) and
// RFC 3526 (groups 14..18). Groups 3 and 4 are the elliptic-curve groups,
// which are not supported. Note that OakleyGroupMax is one past the highest
// defined id (19), not the number of entries, so it is not a valid size for a
// densely indexed table.
// NOTE(review): MODP768 and MODP1024 are below current minimum-strength
// guidance for IKE (see RFC 8247); consider excluding them from the offered
// and accepted set.
//
typedef enum {
  OakleyGroupModp768  = 1,
  OakleyGroupModp1024 = 2,
  OakleyGroupGp155    = 3,  // Unsupported Now.
  OakleyGroupGp185    = 4,  // Unsupported Now.
  OakleyGroupModp1536 = 5,

  OakleyGroupModp2048 = 14,
  OakleyGroupModp3072 = 15,
  OakleyGroupModp4096 = 16,
  OakleyGroupModp6144 = 17,
  OakleyGroupModp8192 = 18,
  OakleyGroupMax
} OAKLEY_GROUP_ID;
133 
//
// IKE Header: the 28-byte fixed header at the start of every IKE message,
// packed to the wire layout. The multi-byte fields are in network byte order
// on the wire; IKE_PACKET.IsEncoded records whether the host/network
// conversion has been applied to a packet.
// NOTE(review): Length is supplied by the peer. Before it is used to size a
// copy or to walk the payloads it must be checked against the number of bytes
// actually received and against sizeof (IKE_HEADER).
//
#pragma pack(1)
typedef struct {
  UINT64  InitiatorCookie;   // IKEv1 initiator cookie / IKEv2 initiator SPI
  UINT64  ResponderCookie;   // IKEv1 responder cookie / IKEv2 responder SPI
  UINT8   NextPayload;       // Type of the first payload following the header
  UINT8   Version;           // Major/minor nibbles, see IKE_MAJOR_VERSION()
  UINT8   ExchangeType;      // One of the IKE_XCG_TYPE_* values
  UINT8   Flags;
  UINT32  MessageId;
  UINT32  Length;            // Total message length (per the IKE RFCs, includes this header)
} IKE_HEADER;
#pragma pack()
149 
//
// Second 16-bit word of an SA attribute. It is read as AttrValue for a
// Type/Value attribute and as AttrLength for a Type/Length/Value attribute;
// which one applies is selected by SA_ATTR_FORMAT_BIT in
// IKE_SA_ATTRIBUTE.AttrType.
//
typedef union {
  UINT16  AttrLength;
  UINT16  AttrValue;
} IKE_SA_ATTR_UNION;
154 
//
// SA Attribute present in a Transform payload: a packed 4-byte header made of
// the attribute type word (AF bit SA_ATTR_FORMAT_BIT plus the 15-bit type) and
// either the value or the length of the following data. Both words are in
// network byte order as received from the peer.
//
#pragma pack(1)
typedef struct {
  UINT16            AttrType;   // SA_ATTR_FORMAT_BIT | attribute type
  IKE_SA_ATTR_UNION Attr;       // Value (TV) or trailing-data length (TLV)
} IKE_SA_ATTRIBUTE;
#pragma pack()
164 
//
// Contains the IKE packet information: the header, the raw payload bytes and
// the list of decoded payloads, plus the bookkeeping needed to send it.
//
typedef struct {
  UINTN               RefCount;         // Reference count of this packet
  BOOLEAN             IsHdrExt;         // Presumably: Header is externally owned and not freed with the packet - confirm in the free routine
  IKE_HEADER          *Header;
  BOOLEAN             IsPayloadsBufExt; // Presumably: PayloadsBuf is externally owned - confirm in the free routine
  UINT8               *PayloadsBuf;     // The whole IKE packet with the IKE header trimmed off
  UINTN               PayloadTotalSize; // Size of PayloadsBuf (presumably bytes)
  LIST_ENTRY          PayloadList;      // Presumably IKE_PAYLOAD entries linked by their ByPacket member
  EFI_IP_ADDRESS      RemotePeerIp;
  BOOLEAN             IsEncoded;        // whether HTON is done when sending the packet
  UINT32              Spi;              // For the Delete Information Exchange
  BOOLEAN             IsDeleteInfo;     // For the Delete Information Exchange
  IPSEC_PRIVATE_DATA  *Private;         // For the Delete Information Exchange
} IKE_PACKET;
182 
//
// The generic structure for all kinds of IKE payloads: the payload type, the
// buffer holding its bytes and the link into the owning packet's list.
//
typedef struct {
  UINT32      Signature;        // Structure signature used for validation
  BOOLEAN     IsPayloadBufExt;  // Presumably: PayloadBuf is externally owned and not freed with the payload - confirm
  UINT8       PayloadType;
  UINT8       *PayloadBuf;
  UINTN       PayloadSize;      // Size of PayloadBuf (presumably bytes)
  LIST_ENTRY  ByPacket;         // Presumably the link into IKE_PACKET.PayloadList
} IKE_PAYLOAD;
194 
//
// Udp Service: the per-NIC UDP endpoints used to receive and send IKE
// messages, together with the handles they were created on.
//
typedef struct {
  UINT32          Signature;      // Structure signature used for validation
  UINT8           IpVersion;      // IP version of this service (presumably 4 or 6)
  LIST_ENTRY      List;           // Link into the list headed by ListHead
  LIST_ENTRY      *ListHead;
  EFI_HANDLE      NicHandle;
  EFI_HANDLE      ImageHandle;
  UDP_IO          *Input;         // UDP I/O instance used for receiving
  UDP_IO          *Output;        // UDP I/O instance used for sending
  EFI_IP_ADDRESS  DefaultAddress;
  BOOLEAN         IsConfigured;
} IKE_UDP_SERVICE;
210 
//
// Each IKE session has its own key sets for the local peer and the remote
// peer; the algorithm info structures carry the algorithm GUIDs and key
// material for each direction.
//
typedef struct {
  EFI_IPSEC_ALGO_INFO LocalPeerInfo;
  EFI_IPSEC_ALGO_INFO RemotePeerInfo;
} SA_KEYMATS;
218 
//
// Each algorithm has its own Id, Guid, BlockSize and KeyLength.
// This struct contains that information for each algorithm. It is a generic
// structure for both encryption and authentication algorithms.
// For an authentication algorithm, AlgSize means IcvSize. For an encryption
// algorithm, it means IvSize.
// NOTE(review): the struct is packed although it holds a pointer and a
// UINTN, so those members may sit unaligned; packing looks unnecessary for a
// host-side table - confirm nothing depends on the packed size.
//
#pragma pack(1)
typedef struct {
  UINT8     AlgorithmId;       // Encryption or Authentication Id used by ESP/AH
  EFI_GUID  *AlgGuid;          // GUID that identifies the algorithm
  UINT8     AlgSize;     // IcvSize or IvSize
  UINT8     BlockSize;         // Cipher block size (presumably bytes)
  UINTN     KeyMateLen;        // Key material length (presumably bytes)
} IKE_ALG_GUID_INFO;   // For IPsec Authentication and Encryption Algorithm.
#pragma pack()
235 
//
// Structure used to store a MODP Diffie-Hellman group: its id, the prime
// modulus and the generator.
//
typedef struct {
  UINT8 GroupId;          // An OAKLEY_GROUP_ID value
  UINTN Size;             // Size of the modulus (presumably bytes)
  UINT8 *Modulus;         // The group prime (presumably big-endian octets - confirm against the DH setup code)
  UINTN GroupGenerator;   // The generator g of the group
} MODP_GROUP;
245 
/**
  Prototype of the generic callback used to parse the payloads after decoding
  a received message or before encoding one to send.

  The buffer handed to the callback originates from the network; PayloadSize
  is the only bound an implementation may rely on when reading PayloadBuf.

  @param[in]  SessionCommon    Pointer to the SessionCommon.
  @param[in]  PayloadBuf       Pointer to the buffer of the Payload.
  @param[in]  PayloadSize      The size of the PayloadBuf in bytes.
  @param[in]  PayloadType      The type of the Payload.

**/
typedef
VOID
(*IKE_ON_PAYLOAD_FROM_NET) (
  IN UINT8    *SessionCommon,
  IN UINT8    *PayloadBuf,
  IN UINTN    PayloadSize,
  IN UINT8    PayloadType
  );
264 
265 #endif
266 
267