public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Fu, Siyuan" <siyuan.fu@intel.com>
To: "Wu, Jiaxin" <jiaxin.wu@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Ye, Ting" <ting.ye@intel.com>
Subject: Re: [Patch] NetworkPkg/IpSecDxe: Generate SPI randomly and correct IKE_SPI_BASE value
Date: Tue, 6 Sep 2016 03:55:27 +0000	[thread overview]
Message-ID: <B1FF2E9001CE9041BD10B825821D5BC58A76773F@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <1473133142-41256-1-git-send-email-jiaxin.wu@intel.com>

Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>



> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Tuesday, September 6, 2016 11:39 AM
> To: edk2-devel@lists.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
> Subject: [Patch] NetworkPkg/IpSecDxe: Generate SPI randomly and correct
> IKE_SPI_BASE value
> 
> This path made the following update:
> * Generate SPI randomly.
> * Correct IKE_SPI_BASE value according RFC 4302/4303.
> 
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
> ---
>  NetworkPkg/IpSecDxe/IkeCommon.c     | 102
> +++++++++++++++++++++++++++++++-----
>  NetworkPkg/IpSecDxe/IkeCommon.h     |  20 ++++---
>  NetworkPkg/IpSecDxe/Ikev2/Utility.c |  11 +++-
>  3 files changed, 112 insertions(+), 21 deletions(-)
> 
> diff --git a/NetworkPkg/IpSecDxe/IkeCommon.c
> b/NetworkPkg/IpSecDxe/IkeCommon.c
> index 6fc7c06..b1e4321 100644
> --- a/NetworkPkg/IpSecDxe/IkeCommon.c
> +++ b/NetworkPkg/IpSecDxe/IkeCommon.c
> @@ -1,9 +1,9 @@
>  /** @file
>    Common operation of the IKE
> 
> -  Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
> +  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
> 
>    This program and the accompanying materials
>    are licensed and made available under the terms and conditions of the
> BSD License
>    which accompanies this distribution.  The full text of the license may
> be found at
>    http://opensource.org/licenses/bsd-license.php.
> @@ -16,14 +16,56 @@
>  #include "Ike.h"
>  #include "IkeCommon.h"
>  #include "IpSecConfigImpl.h"
>  #include "IpSecDebug.h"
> 
> -//
> -// Initial the SPI
> -//
> -UINT32            mNextSpi  = IKE_SPI_BASE;
> +/**
> +  Check whether the new generated Spi has existed.
> +
> +  @param[in]   IkeSaSession   Pointer to the Child SA Session.
> +  @param[in]   SpiValue       SPI Value.
> +
> +  @retval  TRUE    This SpiValue has existed in the Child SA Session
> +  @retval  FALSE   This SpiValue doesn't exist in the Child SA Session.
> +
> +**/
> +BOOLEAN
> +IkeSpiValueExisted (
> +  IN IKEV2_SA_SESSION      *IkeSaSession,
> +  IN UINT32                SpiValue
> +  )
> +{
> +  LIST_ENTRY              *Entry;
> +  LIST_ENTRY              *Next;
> +  IKEV2_CHILD_SA_SESSION  *SaSession;
> +
> +  Entry     = NULL;
> +  Next      = NULL;
> +  SaSession = NULL;
> +
> +  //
> +  // Check whether the SPI value has existed in
> ChildSaEstablishSessionList.
> +  //
> +  NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession-
> >ChildSaEstablishSessionList) {
> +    SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
> +    if (SaSession->LocalPeerSpi == SpiValue) {
> +      return TRUE;
> +    }
> +  }
> +
> +  //
> +  // Check whether the SPI value has existed in ChildSaSessionList.
> +  //
> +  NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList)
> {
> +    SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
> +    if (SaSession->LocalPeerSpi == SpiValue) {
> +      return TRUE;
> +    }
> +  }
> +
> +  return FALSE;
> +}
> 
>  /**
>    Call Crypto Lib to generate a random value with eight-octet length.
> 
>    @return the 64 byte vaule.
> @@ -156,23 +198,57 @@ IkePayloadFree (
>    FreePool (IkePayload);
>  }
> 
>  /**
>    Generate an new SPI.
> -
> -  @return a SPI in 4 bytes.
> +
> +  @param[in]      IkeSaSession   Pointer to IKEV2_SA_SESSION related to
> this Child SA
> +                                 Session.
> +  @param[in out]  SpiValue       Pointer to the new generated SPI value.
> +
> +  @retval EFI_SUCCESS         The operation performs successfully.
> +  @retval Otherwise           The operation is failed.
> 
>  **/
> -UINT32
> +EFI_STATUS
>  IkeGenerateSpi (
> -  VOID
> +  IN  IKEV2_SA_SESSION         *IkeSaSession,
> +  OUT UINT32                   *SpiValue
>    )
>  {
> -  //
> -  // TODO: should generate SPI randomly to avoid security issue
> -  //
> -  return mNextSpi++;
> +  EFI_STATUS   Status;
> +
> +  Status = EFI_SUCCESS;
> +
> +  while (TRUE) {
> +    //
> +    // Generate SPI randomly
> +    //
> +    Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof
> (UINT32));
> +    if (EFI_ERROR (Status)) {
> +      break;
> +    }
> +
> +    //
> +    // The set of SPI values in the range 1 through 255 are reserved by
> the
> +    // Internet Assigned Numbers Authority (IANA) for future use; a
> reserved
> +    // SPI value will not normally be assigned by IANA unless the use of
> the
> +    // assigned SPI value is specified in an RFC.
> +    //
> +    if (*SpiValue < IKE_SPI_BASE) {
> +      *SpiValue += IKE_SPI_BASE;
> +    }
> +
> +    //
> +    // Check whether the new generated SPI has existed.
> +    //
> +    if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {
> +      break;
> +    }
> +  }
> +
> +  return Status;
>  }
> 
>  /**
>    Generate a random data for IV
> 
> diff --git a/NetworkPkg/IpSecDxe/IkeCommon.h
> b/NetworkPkg/IpSecDxe/IkeCommon.h
> index 714ecaa..7f7fd4d 100644
> --- a/NetworkPkg/IpSecDxe/IkeCommon.h
> +++ b/NetworkPkg/IpSecDxe/IkeCommon.h
> @@ -1,9 +1,9 @@
>  /** @file
>    Common operation of the IKE.
> 
> -  Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
> +  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
> 
>    This program and the accompanying materials
>    are licensed and made available under the terms and conditions of the
> BSD License
>    which accompanies this distribution.  The full text of the license may
> be found at
>    http://opensource.org/licenses/bsd-license.php.
> @@ -37,11 +37,11 @@
> 
>  #define IKE_DEFAULT_PORT              500
>  #define IKE_DEFAULT_TIMEOUT_INTERVAL  10000 // 10s
>  #define IKE_NONCE_SIZE                16
>  #define IKE_MAX_RETRY                 4
> -#define IKE_SPI_BASE                  0x10000
> +#define IKE_SPI_BASE                  0x100
>  #define IKE_PAYLOAD_SIGNATURE         SIGNATURE_32('I','K','E','P')
>  #define IKE_PAYLOAD_BY_PACKET(a)
> CR(a,IKE_PAYLOAD,ByPacket,IKE_PAYLOAD_SIGNATURE)
> 
> 
>  #define IKE_PACKET_APPEND_PAYLOAD(IkePacket,IkePayload)                 \
> @@ -128,18 +128,24 @@ VOID
>  IkePayloadFree (
>    IN IKE_PAYLOAD *IkePayload
>    );
> 
>  /**
> -  Generate an unused SPI
> -
> -  @return a SPI in 4 bytes.
> +  Generate an new SPI.
> +
> +  @param[in]      IkeSaSession   Pointer to IKEV2_SA_SESSION related to
> this Child SA
> +                                 Session.
> +  @param[in out]  SpiValue       Pointer to the new generated SPI value.
> +
> +  @retval EFI_SUCCESS         The operation performs successfully.
> +  @retval Otherwise           The operation is failed.
> 
>  **/
> -UINT32
> +EFI_STATUS
>  IkeGenerateSpi (
> -  VOID
> +  IN  IKEV2_SA_SESSION         *IkeSaSession,
> +  OUT UINT32                   *SpiValue
>    );
> 
>  /**
>    Generate a random data for IV
> 
> diff --git a/NetworkPkg/IpSecDxe/Ikev2/Utility.c
> b/NetworkPkg/IpSecDxe/Ikev2/Utility.c
> index 5b26ba1..c365532 100644
> --- a/NetworkPkg/IpSecDxe/Ikev2/Utility.c
> +++ b/NetworkPkg/IpSecDxe/Ikev2/Utility.c
> @@ -523,11 +523,20 @@ Ikev2ChildSaSessionAlloc (
>    // Initialize the fields of ChildSaSession and its SessionCommon.
>    //
>    ChildSaSession->Signature          = IKEV2_CHILD_SA_SESSION_SIGNATURE;
>    ChildSaSession->IkeSaSession       = IkeSaSession;
>    ChildSaSession->MessageId          = IkeSaSession->MessageId;
> -  ChildSaSession->LocalPeerSpi       = IkeGenerateSpi ();
> +
> +  //
> +  // Generate an new SPI.
> +  //
> +  Status = IkeGenerateSpi (IkeSaSession, &(ChildSaSession->LocalPeerSpi));
> +  if (EFI_ERROR (Status)) {
> +    FreePool (ChildSaSession);
> +    return NULL;
> +  }
> +
>    ChildSaCommon                      = &ChildSaSession->SessionCommon;
>    ChildSaCommon->UdpService          = UdpService;
>    ChildSaCommon->Private             = IkeSaSession-
> >SessionCommon.Private;
>    ChildSaCommon->IkeSessionType      = IkeSessionTypeChildSa;
>    ChildSaCommon->IkeVer              = 2;
> --
> 1.9.5.msysgit.1



  parent reply	other threads:[~2016-09-06  3:55 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-09-06  3:39 [Patch] NetworkPkg/IpSecDxe: Generate SPI randomly and correct IKE_SPI_BASE value Jiaxin Wu
2016-09-06  3:39 ` [Patch] NetworkPkg/DnsDxe: Handle CNAME type responded from the name server Jiaxin Wu
2016-09-06  3:55   ` Fu, Siyuan
2016-09-06  7:05     ` Wu, Jiaxin
2016-09-06  7:13       ` Fu, Siyuan
2016-09-06  7:54         ` Wu, Jiaxin
2016-09-06  3:55 ` Fu, Siyuan [this message]
2016-09-06  6:37 ` [Patch] NetworkPkg/IpSecDxe: Generate SPI randomly and correct IKE_SPI_BASE value Ye, Ting

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=B1FF2E9001CE9041BD10B825821D5BC58A76773F@shsmsx102.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox