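/* ipsec_network_interface.c - WindNet IPsec and IKE - network i/f code */

/*
 * Copyright (c) 2000-2005 Wind River Systems, Inc.
 *
 * The right to copy, distribute, modify or otherwise make use
 * of this software may be licensed only pursuant to the terms
 * of an applicable Wind River license agreement.
 */

/*
modification history
--------------------
02o,12dec05,djp  removed compiler warnings
02n,28nov05,djp  replace WRN_INET with WRSEC_INET
02m,12apr05,djp  Fixed compiler warnings
02l,13jan05,ps   eliminate aliased function names.
02i,10sep04,rlm  Minor fixes to #include stmts for compile errors with
                 -DINCLUDE_IPFW_HOOKS -DVIRTUAL_STACK
02h,30jul04,rlm  Fixes to virtual stack variable names to match new unified
                 network stack
02g,12jun03,rparkhil added support for STACK_NAME
02f,24Apr03,sam(teamf1) renamed ipsec_get_pmtu_message to ipsecPmtuMessageGet.
02e,19Apr03,rks(teamf1) semaphore was not getting released when returning from
                 a error path in ipsecDetachIfMapi.
02d,15apr03,sam(teamf1) added functions to set and get PMTU age(SPR #86677).
02c,24feb03,mad(teamf1) replaced wrSecFree with wrSecFree in the functions
                 ipsecAttachIfMapi() and ipsecDetachIfMapi().
02b,18Dec02,mhb(teamf1) added code for deleting the spd policies that are
                 added when ipsecAttachIf is called.
03a,20Sep02,rks(teamf1) added support for IPV6_STACK
02b,25mar02,rpt  added mapi func "ipsecDFBitMapi" for DF bit configuration
02a,19mar02,rpt  updated func definitions to support IPv4 and IPv6 address
                 data structures
01a,20oct00,aos  written
*/

/******************************************************************************/

#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <vxWorks.h>

/* Following two #includes required to get quad_t datatype when VIRTUAL_STACK
   and INCLUDE_IPFW_HOOKS are defined.
*/
#if (_WRS_VXWORKS_MAJOR < 6)
#include <osdep.h>
#include <machdep.h>
#endif

#include <netinet/in.h>

#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif

#include <net/if.h>
#include <net/if_var.h>
#include <netinet/in_var.h>     /* for _in_ifaddrhead */

#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif

#include "ipsecP.h"
#include "ipsec_class.h"
#include "ipsec_globals.h"
#include "ipsec_network_interface.h"
#include "ipsec_print_routines.h"

#ifdef VIRTUAL_STACK
#include <netinet/vsLib.h>
#include <netinet/vsData.h>     /* for vsTbl[] */
#include <vs/vsIf.h>            /* for ifnet_head */

/* required if INCLUDE_IPFW_HOOKS defined */
#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif

#include <netinet/vsIp.h>       /* for _in_ifaddrhead */

#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif

#else
#include <net/if_var.h>         /* for ifnet_head */
#endif /* VIRTUAL_STACK */

/*******************************************************************************/

/*
DESCRIPTION
*/

/* defines */

/* globals */

/* forward declarations */

NET_IF *sadb_create_network_interface(void);

/*******************************************************************************
*
* ipsecAttachIfMapi - Attaches a network interface to IPsec
*
* Looks up the ifnet entry for <pAddress>, creates an IPSEC_NETWORK_INTERFACE
* record together with its SADB network interface, registers the address in
* the SADB and puts the record on ipsec_global_class.ipsec_network_interface_list.
*
* Ownership of <pAddress> as implemented here:
*   - address already attached: <pAddress> is freed with wrSecFree() and OK is
*     returned;
*   - attach succeeds: the pointer itself is stored in the new record
*     (p_address), so the caller must not free or reuse it;
*   - any ERROR return: <pAddress> is not freed by this routine.
*
* RETURNS: OK if network interface is successfully attached to IPsec,
*          otherwise ERROR (IPsec disabled, NULL or non-IPv4/IPv6 address,
*          no matching ifnet, allocation or SADB/list failure)
*/
STATUS ipsecAttachIfMapi
    (
    WRSEC_INET_ADDR *pAddress
    )
{
    int s;
    IPSEC_NETWORK_INTERFACE *p_ipsec_network_interface;
    struct ifnet ifnet_clone;
    struct ifnet *sptr_ifnet;
    struct ifnet *sptr_ifnet_original;
    char addr_string[40];
    DF_BIT_CONFIG df_bit_config = CLEAR;

    if (ipsec_global_class.ipsec_enabled == FALSE) {
        return (ERROR);
    }

    /* Reject a NULL pointer before it is dereferenced for the family check. */
    if (pAddress == NULL ||
        (pAddress->type != WRSEC_AF_INET4 && pAddress->type != WRSEC_AF_INET6)) {
        ipsec_printf (IPSEC_ERROR_PRINTF, "IPsec: Invalid Address\n");
        return (ERROR);
    }

    /* Already attached: treated as success, and the caller's address is consumed. */
    if (ipsec_find_network_interface_based_on_ip_address (pAddress) != NULL) {
        wrSecFree (pAddress);
        return (OK);
    }

    /* Find the corresponding ifnet entry */
    s = splnet ();
    sptr_ifnet_original = ipsec_get_ifnet_handle (pAddress);
    if (sptr_ifnet_original == NULL) {
        splx (s);
        wrSecInetAddrToString (addr_string, 40, pAddress);
        ipsec_printf_mon (IPSEC_ERROR_PRINTF,
                          "IPsec: Failed to get NETINTERFACE for IP Address: %s\n",
                          addr_string);
        return (ERROR);
    }

    /*
     * Snapshot the ifnet while at splnet, then work from the copy.
     * NOTE(review): this is a struct assignment (shallow copy); any pointer
     * members, if_name included if it is a pointer, still refer to the live
     * ifnet after splx() - confirm that is acceptable.
     */
    ifnet_clone = *sptr_ifnet_original;
    splx (s);
    sptr_ifnet = &ifnet_clone;

    p_ipsec_network_interface = wrSecCalloc (1, sizeof (*p_ipsec_network_interface));
    if (p_ipsec_network_interface == NULL) {
        ipsec_printf_mon (IPSEC_ERROR_PRINTF,
                          "IPsec: Error: ipsecAttachIfMapi(): wrSecAlloc failed\n");
        return (ERROR);
    }

    p_ipsec_network_interface->net_interface = sadb_create_network_interface ();
    if (!p_ipsec_network_interface->net_interface) {
        ipsec_printf_mon (IPSEC_ERROR_PRINTF,
                          "IPsec: Failed to add network interface %s%u into SADB\n",
                          sptr_ifnet->if_name, sptr_ifnet->if_unit);
        wrSecFree (p_ipsec_network_interface);
        return (ERROR);
    }

    /*
     * NOTE(review): unbounded copy.  The size of cptr_netif_name is declared
     * outside this file; confirm it can hold every if_name, or switch to a
     * bounded copy once the field size is known.
     */
    strcpy (p_ipsec_network_interface->cptr_netif_name, sptr_ifnet->if_name);
    p_ipsec_network_interface->enabled = TRUE;
    p_ipsec_network_interface->port_number = sptr_ifnet->if_index;
    p_ipsec_network_interface->port_sub_unit = sptr_ifnet->if_unit;
    p_ipsec_network_interface->sptr_ifnet = sptr_ifnet_original;
    p_ipsec_network_interface->p_address = pAddress;
    p_ipsec_network_interface->df_bit = df_bit_config;
    p_ipsec_network_interface->pmtu_age = IPSEC_DEFAULT_PMTU_AGE;

    if (sadbAddNetIfAddr (p_ipsec_network_interface->net_interface,
                          p_ipsec_network_interface->p_address) == FALSE) {
        wrSecInetAddrToString (addr_string, 40, pAddress);
        ipsec_printf_mon (IPSEC_ERROR_PRINTF,
                          "IPsec: Failed to add address %s %s %s%u into SADB\n",
                          addr_string, "to network interface",
                          sptr_ifnet->if_name, sptr_ifnet->if_unit);
        /*
         * NOTE(review): net_interface from sadb_create_network_interface()
         * is not released here; sadbDeleteNetIf() looks like its counterpart
         * - confirm and roll back if so.
         */
        wrSecFree (p_ipsec_network_interface);
        return (ERROR);
    }

    /* Add a secure network interface to IPsec */
    if (wrSecListAddFront (ipsec_global_class.ipsec_network_interface_list,
                           p_ipsec_network_interface) == ERROR) {
        wrSecInetAddrToString (addr_string, 40, pAddress);
        ipsec_printf_mon (IPSEC_ERROR_PRINTF, "IPsec: %s %s to list\n",
                          "Failed to add network interface", addr_string);
        /*
         * The record never made it onto the list, so nothing else can free
         * it; release it here like the other failure paths do.
         * NOTE(review): the SADB still holds net_interface and the address
         * registered above (sadbDeleteNetIfAddr()/sadbDeleteNetIf() look like
         * the matching teardown), while the caller keeps ownership of
         * <pAddress> on ERROR - confirm whether a rollback is needed to avoid
         * a stale address reference in the SADB.
         */
        wrSecFree (p_ipsec_network_interface);
        return (ERROR);
    }

    return (OK);
}

/*******************************************************************************
*
* ipsecDetachIfMapi - Detaches a network interface from IPsec
*
* Scans ipsec_global_class.ipsec_network_interface_list, under the list scan
* lock, for the record whose address equals <pAddress>, removes the address
* and the network interface from the SADB, unlinks the record and frees it.
*
* On success <pAddress> is freed with wrSecFree(); on ERROR it is not freed
* by this routine.
*
* RETURNS: OK if network interface is successfully detached from IPsec,
*          otherwise ERROR (IPsec disabled, NULL or non-IPv4/IPv6 address,
*          no matching record or ifnet, or SADB delete failure)
*/
STATUS ipsecDetachIfMapi
    (
    WRSEC_INET_ADDR *pAddress
    )
{
    void *iterator = (void *)NULL;
    IPSEC_NETWORK_INTERFACE *p_ipsec_network_interface;
    STATUS return_value = ERROR;
    char addr_string[40];
    struct ifnet ifnet_clone;
    struct ifnet *sptr_ifnet;
    struct ifnet *sptr_ifnet_original;
    int s;
    DF_BIT_CONFIG df_bit_config = CLEAR;

    if (ipsec_global_class.ipsec_enabled == FALSE) {
        return (ERROR);
    }

    /* Reject a NULL pointer before it is dereferenced for the family check. */
    if (pAddress == NULL ||
        (pAddress->type != WRSEC_AF_INET4 && pAddress->type != WRSEC_AF_INET6)) {
        ipsec_printf (IPSEC_ERROR_PRINTF, "IPsec: Invalid Address format\n");
        return (ERROR);
    }

    /*
     * From here to the matching wrSecListScanUnlock() the list scan lock is
     * held.  Error paths inside the loop must 'break', never 'return':
     * returning with the lock held would block every later attach/detach or
     * scan of the interface list.
     */
    wrSecListScanLock (ipsec_global_class.ipsec_network_interface_list);

    while ((p_ipsec_network_interface =
                wrSecListScan (ipsec_global_class.ipsec_network_interface_list,
                               &iterator)) != NULL) {
        if (pAddress->type != p_ipsec_network_interface->p_address->type ||
            !wrSecInetAddrEquals (pAddress, p_ipsec_network_interface->p_address)) {
            continue;
        }

        /* Find the corresponding ifnet entry */
        s = splimp ();
        sptr_ifnet_original = ipsec_get_ifnet_handle (pAddress);
        if (sptr_ifnet_original == NULL) {
            splx (s);
            wrSecInetAddrToString (addr_string, 40, pAddress);
            ipsec_printf_mon (IPSEC_ERROR_PRINTF,
                              "IPsec: Failed to get NETINTERFACE for IP Address: %s\n",
                              addr_string);
            break;              /* return_value is still ERROR; unlock below */
        }

        /* Snapshot the ifnet at splimp and work from the (shallow) copy. */
        ifnet_clone = *sptr_ifnet_original;
        splx (s);
        sptr_ifnet = &ifnet_clone;

        /*
         * NOTE(review): unbounded copy; the size of cptr_netif_name is
         * declared outside this file - confirm it can hold every if_name.
         */
        strcpy (p_ipsec_network_interface->cptr_netif_name, sptr_ifnet->if_name);
        p_ipsec_network_interface->enabled = TRUE;
        p_ipsec_network_interface->port_number = sptr_ifnet->if_index;
        p_ipsec_network_interface->port_sub_unit = sptr_ifnet->if_unit;
        p_ipsec_network_interface->sptr_ifnet = sptr_ifnet_original;

        /*
         * NOTE(review): this replaces the address pointer stored at attach
         * time with the caller's pointer.  The previously stored pointer is
         * not freed anywhere in this routine, and if one of the delete calls
         * below fails the record stays on the list referencing memory the
         * caller still owns (possible dangling pointer once the caller frees
         * it).  Ownership on the SADB side is not visible here - confirm
         * before changing.
         */
        p_ipsec_network_interface->p_address = pAddress;
        p_ipsec_network_interface->df_bit = df_bit_config;

        if (sadbDeleteNetIfAddr (p_ipsec_network_interface->net_interface,
                                 p_ipsec_network_interface->p_address) == FALSE) {
            wrSecInetAddrToString (addr_string, 40, pAddress);
            ipsec_printf_mon (IPSEC_ERROR_PRINTF,
                              "IPsec: Failed to delete address %s %s %s%u from SADB\n",
                              addr_string, "from network interface",
                              sptr_ifnet->if_name, sptr_ifnet->if_unit);
            break;              /* return_value is still ERROR; unlock below */
        }

        /* delete the network interface from the security association database */
        if (sadbDeleteNetIf (p_ipsec_network_interface->net_interface) == FALSE) {
            ipsec_printf_mon (IPSEC_WARNING_PRINTF, "IPsec: %s %s%u\n",
                              "Failed to delete SADB for network interface",
                              p_ipsec_network_interface->cptr_netif_name,
                              p_ipsec_network_interface->port_sub_unit);
        } else {
            /* remove the IPsec network interface record from the list */
            if (!wrSecListScanRemove (ipsec_global_class.ipsec_network_interface_list,
                                      &iterator)) {
                ipsec_printf_mon (IPSEC_WARNING_PRINTF, "IPsec: %s %s%u\n",
                                  "Failed to remove iterator network interface",
                                  p_ipsec_network_interface->cptr_netif_name,
                                  p_ipsec_network_interface->port_sub_unit);
            }

            ipsec_printf (IPSEC_DEBUG_PRINTF,
                          "IPSec: Network interface removed %s%u\n",
                          p_ipsec_network_interface->cptr_netif_name,
                          p_ipsec_network_interface->port_sub_unit);

            wrSecFree (pAddress);
            wrSecFree (p_ipsec_network_interface);
            p_ipsec_network_interface = NULL;
            return_value = OK;
        }

        break;                  /* only the first matching record is handled */
    }

    wrSecListScanUnlock (ipsec_global_class.ipsec_network_interface_list);

    return (return_value);
}

/*******************************************************************************
*
* ipsecDFBitMapi - Configures the DF bit handling (SET/COPY/CLEAR) for each
*                  interface enabled with IPSec.
*
* RETURNS: OK if DF bit is successfully configured for the given IPSec enabled
*          interface otherwise ERROR
*/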