The current implementation does not handle the relationship
between the SPD and the SAD well, which may introduce security
and connectivity issues after an SPD entry is updated.
For the SPD entry edit policy, once an SPD entry is edited/updated,
the SA list originally attached to that entry should be discarded.
The current IpSecConfig tool does not deal properly with this rule.

Cc: Ye Ting <ting...@intel.com>
Cc: Fu Siyuan <siyuan...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin...@intel.com>
---
 .../Application/IpsecConfig/PolicyEntryOperation.c | 41 ++++++++++------------
 1 file changed, 18 insertions(+), 23 deletions(-)

diff --git a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c 
b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c
index 970caa1..9bbc114 100644
--- a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c
+++ b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c
@@ -1,9 +1,9 @@
 /** @file
   The implementation of policy entry operation function in IpSecConfig 
application.
 
-  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
   which accompanies this distribution.  The full text of the license may be 
found at
   http://opensource.org/licenses/bsd-license.php.
@@ -1396,10 +1396,12 @@ CombineSpdEntry (
       break;
   }
   //
   // Process Data
   //
+  OldData->SaIdCount = 0;
+
   if ((Mask & NAME) != 0) {
     AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) 
NewData->Name);
   }
 
   if ((Mask & PACKET_FLAG) != 0) {
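Review bot: The new `OldData->SaIdCount = 0;` is placed under a generic "Process Data" comment and carries no explanation of why the SA ID list is dropped unconditionally, before any `Mask` bit is examined, even when only the entry's name changes; a reader will take it for an accidental reset. I would precede it with `// Any edit of an SPD entry invalidates the SAs negotiated under the old policy, so drop the SA ID list regardless of which fields Mask touches.` Note that zeroing the count only unlinks the SA IDs from this SPD entry; whether the corresponding SAD entries themselves are removed or stay active is not visible in this hunk and is worth stating in the comment once confirmed. CombineSpdEntry starts before this hunk and continues past it.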
@@ -1860,41 +1862,34 @@ EditOperatePolicyEntry (
                Context->Data,
                Context->Mask,
                &CreateNew
                );
     if (!EFI_ERROR (Status)) {
+      //
+      // If the Selector already existed, this Entry will be updated by set 
data.
+      //
+      Status = mIpSecConfig->SetData (
+                               mIpSecConfig,
+                               Context->DataType,
+                               Context->Selector, /// New created selector.
+                               Data, /// Old date which has been modified, 
need to be set data.
+                               Selector
+                               );
+      ASSERT_EFI_ERROR (Status);
+      
       if (CreateNew) {
         //
-        // Insert new entry before old entry
+        // Edit the entry to a new one. So, we need delete the old entry.
         //
         Status = mIpSecConfig->SetData (
                                  mIpSecConfig,
                                  Context->DataType,
-                                 Context->Selector,
-                                 Data,
-                                 Selector
-                                 );
-        ASSERT_EFI_ERROR (Status);
-        //
-        // Delete old entry
-        //
-        Status = mIpSecConfig->SetData (
-                                 mIpSecConfig,
-                                 Context->DataType,
-                                 Selector,
-                                 NULL,
+                                 Selector, /// Old selector.
+                                 NULL, /// NULL means to delete this Entry 
specified by Selector.
                                  NULL
                                  );
         ASSERT_EFI_ERROR (Status);
-      } else {
-        Status = mIpSecConfig->SetData (
-                                 mIpSecConfig,
-                                 Context->DataType,
-                                 Context->Selector,
-                                 Data,
-                                 NULL
-                                 );
       }
     }
 
     Context->Status = Status;
     return EFI_ABORTED;
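Review bot: The deletion of the old entry under `if (CreateNew)` no longer depends on the preceding SetData having succeeded, because `ASSERT_EFI_ERROR (Status)` is compiled out in release builds; if the insert of the new selector fails, the code falls through and deletes the old entry, leaving the SPD without either policy, which for IPsec is a fail-open or fail-closed outcome decided by whatever default the stack applies rather than by the administrator. The guard should be `if (!EFI_ERROR (Status) && CreateNew) {` (or an early `Context->Status = Status; return EFI_ABORTED;` after the first SetData), so the old entry is only removed once its replacement is in place. The non-CreateNew path now passes the old `Selector` as the insert-before position where it previously passed `NULL`; whether SetData accepts an insert-before equal to the entry being replaced is not visible here and should be confirmed against the driver. Minor: the blank `+` line after the first ASSERT carries trailing whitespace, and the `///` trailing comments use the Doxygen member-comment form where a plain `//` is the file's convention. EditOperatePolicyEntry starts before this hunk and its body continues past it.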
-- 
1.9.5.msysgit.1
