From 7822a1d91d53e80525f571183a24d54488f5437f Mon Sep 17 00:00:00 2001 From: Jiaxin Wu Date: Mon, 15 Aug 2016 11:49:56 +0800 Subject: NetworkPkg/IpSecDxe: Fix wrong IKE header "FLAG" update *v2: update the commit log and refine the code comments. There are three kinds of IKE Exchange process: #1. Initial Exchange #2. CREATE_CHILD_SA_Exchange #3. Information Exchange The IKE header "FLAG" update is incorrect in #2 and #3 exchange, which may cause the continue session failure. This patch is used to correct the updates of IKE header "FLAG" according the RFC4306 section 3.1. Cc: Ye Ting Cc: Fu Siyuan Cc: Zhang Lubo Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiaxin Wu Reviewed-by: Ye Ting --- NetworkPkg/IpSecDxe/Ikev2/ChildSa.c | 14 +++++++------- NetworkPkg/IpSecDxe/Ikev2/Exchange.c | 2 +- NetworkPkg/IpSecDxe/Ikev2/Info.c | 17 ++++++++++++----- NetworkPkg/IpSecDxe/Ikev2/Payload.h | 11 ++++++++--- 4 files changed, 28 insertions(+), 16 deletions(-) (limited to 'NetworkPkg/IpSecDxe') diff --git a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c index 1f0199b22d..eaccad2086 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c +++ b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c @@ -76,9 +76,7 @@ Ikev2CreateChildGenerator ( } if (ChildSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT; - } else { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND; + IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT; } } else { @@ -96,11 +94,13 @@ Ikev2CreateChildGenerator ( } if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT; - } else { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND; + IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT; } - } + } + + if (MessageId != NULL) { + IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND; + } // // According to RFC4306, Chapter 4. diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c index 1eddbfbcf1..5609964fa4 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c +++ b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c @@ -705,7 +705,7 @@ ON_REPLY: // // Generate the reply packet if needed and send it out. // - if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) { + if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) { Reply = mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession, &IkePacket->Header->MessageId); if (Reply != NULL) { Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &(IkeSaSession->SessionCommon), Reply, 0); diff --git a/NetworkPkg/IpSecDxe/Ikev2/Info.c b/NetworkPkg/IpSecDxe/Ikev2/Info.c index 23e47ceea8..0d2b290817 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Info.c +++ b/NetworkPkg/IpSecDxe/Ikev2/Info.c @@ -128,7 +128,11 @@ Ikev2InfoGenerator ( // The input parameter is not correct. // goto ERROR_EXIT; - } + } + + if (IkeSaSession->SessionCommon.IsInitiator) { + IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ; + } } else { // // Delete the Child SA Information Exchagne @@ -180,13 +184,16 @@ Ikev2InfoGenerator ( // Change the IsOnDeleting Flag // ChildSaSession->SessionCommon.IsOnDeleting = TRUE; + + if (ChildSaSession->SessionCommon.IsInitiator) { + IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ; + } } - if (InfoContext == NULL) { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT; - } else { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND; + if (InfoContext != NULL) { + IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND; } + return IkePacket; ERROR_EXIT: diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.h b/NetworkPkg/IpSecDxe/Ikev2/Payload.h index 6096a3ba77..7a85792ed7 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Payload.h +++ b/NetworkPkg/IpSecDxe/Ikev2/Payload.h @@ -1,7 +1,7 @@ /** @file The Definitions related to IKEv2 payload. - Copyright (c) 2010, Intel Corporation. All rights reserved.
+ Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -37,11 +37,16 @@ #define IKEV2_PAYLOAD_TYPE_EAP 48 // -// IKE header Flag for IKEv2 +// IKE header Flag (1 octet) for IKEv2, defined in RFC 4306 section 3.1 +// +// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages sent by the +// original initiator of the IKE_SA +// +// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this message is a response to +// a message containing the same message ID. // #define IKE_HEADER_FLAGS_INIT 0x08 #define IKE_HEADER_FLAGS_RESPOND 0x20 -#define IKE_HEADER_FLAGS_CHILD_INIT 0 // // IKE Header Exchange Type for IKEv2 -- cgit v1.2.3