From: Jiaxin Wu <jiaxin.wu@intel.com>
To: edk2-devel@lists.01.org
Cc: Ye Ting <ting.ye@intel.com>, Fu Siyuan <siyuan.fu@intel.com>,
Zhang Lubo <lubo.zhang@intel.com>
Subject: [Patch 2/2] NetworkPkg/IpSecDxe: Fix wrong IKE header "FLAG" update
Date: Mon, 15 Aug 2016 11:59:18 +0800 [thread overview]
Message-ID: <1471233558-40232-3-git-send-email-jiaxin.wu@intel.com> (raw)
In-Reply-To: <1471233558-40232-1-git-send-email-jiaxin.wu@intel.com>
There are three kinds of IKE Exchange process:
#1. Initial Exchange
#2. CREATE_CHILD_SA_Exchange
#3. Information Exchange
The IKE header "FLAG" update is incorrect in the #2 and #3 exchanges,
which may cause the continuing session to fail.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
---
NetworkPkg/IpSecDxe/Ikev2/ChildSa.c | 14 +++++++-------
NetworkPkg/IpSecDxe/Ikev2/Exchange.c | 2 +-
NetworkPkg/IpSecDxe/Ikev2/Info.c | 17 ++++++++++++-----
NetworkPkg/IpSecDxe/Ikev2/Payload.h | 11 ++++++++---
4 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
index 1f0199b..eaccad2 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c
@@ -74,13 +74,11 @@ Ikev2CreateChildGenerator (
} else {
IkePacket->Header->MessageId = ChildSaSession->MessageId;
}
if (ChildSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
}
} else {
IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
//
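Review bot: After this change the responder branch of Ikev2CreateChildGenerator no longer assigns Flags at all (the removed `else` in this hunk), so the header keeps whatever value it had when IkePacket was allocated, and the `|= IKE_HEADER_FLAGS_RESPOND` added in the next hunk (and the same pattern in Ikev2InfoGenerator in Info.c) builds on that value. That is only correct if the allocation zero-fills the header, which happens outside these hunks and cannot be confirmed from here; any stale bit would go out on the wire. Resetting the field once before the branch, `IkePacket->Header->Flags = 0;`, makes the requirement explicit, or at least document it with `// Flags starts at 0 from allocation; only the I and R bits are set below.`. Ikev2CreateChildGenerator begins before this hunk.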
@@ -94,15 +92,17 @@ Ikev2CreateChildGenerator (
} else {
IkePacket->Header->MessageId = IkeSaSession->MessageId;
}
if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
}
- }
+ }
+
+ if (MessageId != NULL) {
+ IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
+ }
//
// According to RFC4306, Chapter 4.
// A minimal implementation may support the CREATE_CHILD_SA exchange only to
// recognize requests and reject them with a Notify payload of type NO_ADDITIONAL_SAS.
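Review bot: The new `if (MessageId != NULL)` test is the only thing that distinguishes a CREATE_CHILD_SA request from a response, but nothing in this function says why a non-NULL MessageId means "this is a reply"; the caller in Exchange.c appears to pass `&IkePacket->Header->MessageId` only on its reply path. A comment above the test, such as `// A non-NULL MessageId means this packet answers a received request, so set the R(esponse) bit; the I bit was set above for the original initiator.`, would keep that contract next to the code. The function body continues beyond this hunk.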
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
index 1eddbfb..5609964 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c
@@ -703,11 +703,11 @@ Ikev2HandleChildSa (
ON_REPLY:
//
// Generate the reply packet if needed and send it out.
//
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) {
+ if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) {
Reply = mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession, &IkePacket->Header->MessageId);
if (Reply != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &(IkeSaSession->SessionCommon), Reply, 0);
if (EFI_ERROR (Status)) {
//
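Review bot: The bit test `if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND))` is now the right form, since the I bit can be set alongside R after this series, but the comment above it still only says "Generate the reply packet if needed". Flags here is read from the peer's packet, so it is worth spelling out which messages are answered: `// Only a request (R bit clear) is answered; a received response is not acknowledged again.`. Ikev2HandleChildSa starts before this hunk and continues after it.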
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Info.c b/NetworkPkg/IpSecDxe/Ikev2/Info.c
index 23e47ce..0d2b290 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Info.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Info.c
@@ -126,11 +126,15 @@ Ikev2InfoGenerator (
} else {
//
// The input parameter is not correct.
//
goto ERROR_EXIT;
- }
+ }
+
+ if (IkeSaSession->SessionCommon.IsInitiator) {
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
+ }
} else {
//
// Delete the Child SA Information Exchagne
//
ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;
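Review bot: Style: the added `IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;` in this hunk, and the identical line in the second Info.c hunk, carry a stray space before the semicolon that the surrounding edk2 code does not use; `IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;` matches the ChildSa.c change in the same patch. The two assignments are the same statement behind two session pointers; if SessionCommon sits at the same offset in both session types it could be done once after the branch, but that cannot be confirmed from here. Ikev2InfoGenerator starts before this hunk.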
@@ -178,17 +182,20 @@ Ikev2InfoGenerator (
//
// Change the IsOnDeleting Flag
//
ChildSaSession->SessionCommon.IsOnDeleting = TRUE;
+
+ if (ChildSaSession->SessionCommon.IsInitiator) {
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
+ }
}
- if (InfoContext == NULL) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ if (InfoContext != NULL) {
+ IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
}
+
return IkePacket;
ERROR_EXIT:
if (IkePacket != NULL) {
FreePool (IkePacket);
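Review bot: The removed `if (InfoContext == NULL)` ladder made it visible that a non-NULL InfoContext marks a response; the new `|= IKE_HEADER_FLAGS_RESPOND` form keeps that rule but loses the hint, and the responder case now depends on Flags having been zero before the initiator-only assignments earlier in the function. A comment above the test, `// InfoContext is only supplied when answering a received INFORMATIONAL request: mark the packet as a response.`, would preserve the intent. Ikev2InfoGenerator continues past this hunk.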
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.h b/NetworkPkg/IpSecDxe/Ikev2/Payload.h
index 6096a3b..62de897 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Payload.h
+++ b/NetworkPkg/IpSecDxe/Ikev2/Payload.h
@@ -1,9 +1,9 @@
/** @file
The Definitions related to IKEv2 payload.
- Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php.
@@ -35,15 +35,20 @@
#define IKEV2_PAYLOAD_TYPE_ENCRYPT 46
#define IKEV2_PAYLOAD_TYPE_CP 47
#define IKEV2_PAYLOAD_TYPE_EAP 48
//
-// IKE header Flag for IKEv2
+// IKE header Flag (1 octet) for IKEv2
+//
+// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages sent by the
+// original initiator of the IKE_SA
+//
+// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this message is a response to
+// a message containing the same message ID.
//
#define IKE_HEADER_FLAGS_INIT 0x08
#define IKE_HEADER_FLAGS_RESPOND 0x20
-#define IKE_HEADER_FLAGS_CHILD_INIT 0
//
// IKE Header Exchange Type for IKEv2
//
#define IKEV2_EXCHANGE_TYPE_INIT 34
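Review bot: The new comment gives the I and R bit positions in RFC wording but does not name the source, so a reader cannot check the "MUST be set" claim; citing the header section of the RFC the code base already references, e.g. `// See RFC 4306, Section 3.1 "The IKE Header" for the Flags field layout.`, would fix that. Dropping `IKE_HEADER_FLAGS_CHILD_INIT` from a shared header is a build-breaking change for any other translation unit still using it; the diffstat only shows ChildSa.c, which this patch updates, but it is worth confirming no other user exists. If the receive path ever validates the Flags octet, the remaining defined bit positions would need to be named here as well.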
--
1.9.5.msysgit.1