*v2: update the commit log and refine the code comments.
There are three kinds of IKE Exchange process:
#1. Initial Exchange
#2. CREATE_CHILD_SA_Exchange
#3. Information Exchange
The IKE header "FLAG" update is incorrect in #2 and #3 exchange,
which may cause the continue session failure. This patch is used
to correct the updates of IKE header "FLAG" according the RFC4306
section 3.1.
Cc: Ye Ting <ting...@intel.com>
Cc: Fu Siyuan <siyuan...@intel.com>
Cc: Zhang Lubo <lubo.zh...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin...@intel.com>
---
NetworkPkg/IpSecDxe/Ikev2/ChildSa.c | 14 +++++++-------
NetworkPkg/IpSecDxe/Ikev2/Exchange.c | 2 +-
NetworkPkg/IpSecDxe/Ikev2/Info.c | 17 ++++++++++++-----
NetworkPkg/IpSecDxe/Ikev2/Payload.h | 11 ++++++++---
4 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
index 1f0199b..eaccad2 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
@@ -74,13 +74,11 @@ Ikev2CreateChildGenerator (
} else {
IkePacket->Header->MessageId = ChildSaSession->MessageId;
}
if (ChildSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
}
} else {
IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
//
@@ -94,15 +92,17 @@ Ikev2CreateChildGenerator (
} else {
IkePacket->Header->MessageId = IkeSaSession->MessageId;
}
if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
}
- }
+ }
+
+ if (MessageId != NULL) {
+ IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
+ }
//
// According to RFC4306, Chapter 4.
// A minimal implementation may support the CREATE_CHILD_SA exchange only to
// recognize requests and reject them with a Notify payload of type
NO_ADDITIONAL_SAS.
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
index 1eddbfb..5609964 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
@@ -703,11 +703,11 @@ Ikev2HandleChildSa (
ON_REPLY:
//
// Generate the reply packet if needed and send it out.
//
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) {
+ if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) {
Reply = mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession,
&IkePacket->Header->MessageId);
if (Reply != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *)
&(IkeSaSession->SessionCommon), Reply, 0);
if (EFI_ERROR (Status)) {
//
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Info.c b/NetworkPkg/IpSecDxe/Ikev2/Info.c
index 23e47ce..0d2b290 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Info.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Info.c
@@ -126,11 +126,15 @@ Ikev2InfoGenerator (
} else {
//
// The input parameter is not correct.
//
goto ERROR_EXIT;
- }
+ }
+
+ if (IkeSaSession->SessionCommon.IsInitiator) {
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
+ }
} else {
//
// Delete the Child SA Information Exchagne
//
ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;
@@ -178,17 +182,20 @@ Ikev2InfoGenerator (
//
// Change the IsOnDeleting Flag
//
ChildSaSession->SessionCommon.IsOnDeleting = TRUE;
+
+ if (ChildSaSession->SessionCommon.IsInitiator) {
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
+ }
}
- if (InfoContext == NULL) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ if (InfoContext != NULL) {
+ IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
}
+
return IkePacket;
ERROR_EXIT:
if (IkePacket != NULL) {
FreePool (IkePacket);
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.h
b/NetworkPkg/IpSecDxe/Ikev2/Payload.h
index 6096a3b..7a85792 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Payload.h
+++ b/NetworkPkg/IpSecDxe/Ikev2/Payload.h
@@ -1,9 +1,9 @@
/** @file
The Definitions related to IKEv2 payload.
- Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD
License
which accompanies this distribution. The full text of the license may be
found at
http://opensource.org/licenses/bsd-license.php.
@@ -35,15 +35,20 @@
#define IKEV2_PAYLOAD_TYPE_ENCRYPT 46
#define IKEV2_PAYLOAD_TYPE_CP 47
#define IKEV2_PAYLOAD_TYPE_EAP 48
//
-// IKE header Flag for IKEv2
+// IKE header Flag (1 octet) for IKEv2, defined in RFC 4306 section 3.1
+//
+// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages sent
by the
+// original initiator of the IKE_SA
+//
+// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this message
is a response to
+// a message containing the same message
ID.
//
#define IKE_HEADER_FLAGS_INIT 0x08
#define IKE_HEADER_FLAGS_RESPOND 0x20
-#define IKE_HEADER_FLAGS_CHILD_INIT 0
//
// IKE Header Exchange Type for IKEv2
//
#define IKEV2_EXCHANGE_TYPE_INIT 34
--
1.9.5.msysgit.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
