diff options
author | Jiaxin Wu <jiaxin.wu@intel.com> | 2016-01-18 01:59:41 +0000 |
---|---|---|
committer | jiaxinwu <jiaxinwu@Edk2> | 2016-01-18 01:59:41 +0000 |
commit | a51896e475cd62e742d54f1a0addd699237a24c2 (patch) | |
tree | fc1e268255bca43da5a5e17b49aae70572996bf7 /NetworkPkg/Application | |
parent | 4991eeffcd86e1dc0bf2b15655b986b932551854 (diff) | |
download | edk2-platforms-a51896e475cd62e742d54f1a0addd699237a24c2.tar.xz |
NetworkPkg: Fix SPD entry edit policy issue in IPSecConfig.
The current implementation doesn't handle the relationship
between SPD and SAD well, which may introduce some security
and connection issue after SPD updated.
For SPD entry edit policy, if one SPD entry is edited/updated,
the original SAs list should be discard. Current IPSecConfig
tool does not dealt properly with those rules.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19653 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'NetworkPkg/Application')
-rw-r--r-- | NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c | 41 |
1 files changed, 18 insertions, 23 deletions
diff --git a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c index 970caa16ca..9bbc11490c 100644 --- a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c +++ b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c @@ -1,7 +1,7 @@ /** @file
The implementation of policy entry operation function in IpSecConfig application.
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -1398,6 +1398,8 @@ CombineSpdEntry ( //
// Process Data
//
+ OldData->SaIdCount = 0;
+
if ((Mask & NAME) != 0) {
AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) NewData->Name);
}
@@ -1862,37 +1864,30 @@ EditOperatePolicyEntry ( &CreateNew
);
if (!EFI_ERROR (Status)) {
+ //
+ // If the Selector already existed, this Entry will be updated by set data.
+ //
+ Status = mIpSecConfig->SetData (
+ mIpSecConfig,
+ Context->DataType,
+ Context->Selector, /// New created selector.
+ Data, /// Old date which has been modified, need to be set data.
+ Selector
+ );
+ ASSERT_EFI_ERROR (Status);
+
if (CreateNew) {
//
- // Insert new entry before old entry
+ // Edit the entry to a new one. So, we need delete the old entry.
//
Status = mIpSecConfig->SetData (
mIpSecConfig,
Context->DataType,
- Context->Selector,
- Data,
- Selector
- );
- ASSERT_EFI_ERROR (Status);
- //
- // Delete old entry
- //
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Selector,
- NULL,
+ Selector, /// Old selector.
+ NULL, /// NULL means to delete this Entry specified by Selector.
NULL
);
ASSERT_EFI_ERROR (Status);
- } else {
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Context->Selector,
- Data,
- NULL
- );
}
}
|