/* ipsec_tsi.c - Tornado Shell Interface routines for IPsec configuration */

/*
 * Copyright (c) 2000-2006 Wind River Systems, Inc.
 *
 * The right to copy, distribute, modify or otherwise make use
 * of this software may be licensed only pursuant to the terms
 * of an applicable Wind River license agreement.
 */

/*
modification history
--------------------
03p,13jan06,djp  removed rwos dependencies
03o,12jan06,djp  removed rwos dependencies, moved parseAddrString wrSecInetAddr
03n,12dec05,djp  removed compiler warnings
03m,28nov05,djp  replace WRN_INET with WRSEC_INET
03l,28sep05,rma  Create major/minor versions
03k,14apr05,rob  Patchability updates
03j,08mar05,djp  Added message channel functionality. Moved APIs to
                 ipsec_tsi_api.c
03i,07feb05,rlm  All failed alloca() calls now result in taskSuspend().
03h,22feb05,msa  Added code to ipsecAttachIf and ipsecDetachIf to wrSecFree
                 the address pointer when there is an error.
03g,13jan05,ps   eliminate aliased function names.
03f,07dec04,ps   re-entrancy changes for ipsecDFBit() and ipsecSetPMTUAge()
03e,30nov04,jfb  Beautified again
03d,29nov04,jfb  Beautified
03c,29sep04,ps   fixes for Coverity bugs 322, 323 (potential mem leaks)
03b,21sep04,ps   fixes for Coverity bug 343 (null ptr issues)
03a,06may04,rma  Added ipsecShowVer() function
02d,21apr03,mhb(teamf1) code cleanup ( 80 character alignment changes ) in
                 ipsecShowIf
02c,15apr03,sam(teamf1) TSI to configure PMTU for interface(SPR #86677).
02b,21Feb03,rks(teamf1) removed printfs for FilterHookCount from ipsecShow.
02a,20Sep02,rks(teamf1) modification for IPv6 + formatted ipsecShowIf
01c,25mar02,rpt  added TSI func definition "ipsecDFBit" for DF bit config,
                 moved DF bit config from ipsecShow to ipsecShowIf routine.
01b,19mar02,rpt  changed func definitions to use WRN_INET_ADDR* instead of
                 ULONG's.
01a,20oct00,aos  written
*/

/******************************************************************************/

/*
DESCRIPTION
Tornado Shell Interface routines for IPsec configuration.

INCLUDE: ipsec_tsi.h
*/

#include <vxWorks.h>
#include <stdio.h>
#include <string.h>

#include "../common/wrSecInetAddr.h"
#include "../common/wrSecMem.h"
#include "../common/wrSecList.h"
#include "../common/wrSecUtil.h"
#include "ipsec_print_routines.h"
#include "ipsec_tsi.h"
#include "ipsec_if.h"
#include "ipsec_class.h"
#include "ipsec_globals.h"
#include "ipsec_network_interface.h"

/******************************************************************************/

extern char *uitoa (UINT n, char s []);

/******************************************************************************/

/* Names of the three DF bit settings, in the order CLEAR, SET, COPY. */
const char *df_bit_config_string [] =
    {
    "CLEAR",
    "SET",
    "COPY"
    };

STATUS ipsecAttachIfHandler (char* cptr_address_string);
STATUS ipsecDFBitHandler (char *cptrDFBitConfig);
STATUS sadbMonHandler (char* configString);

/*******************************************************************************
*
* ipsecShowVerHandler - print the IPsec version
*
* Writes IPSEC_VERSION_MAJOR and IPSEC_VERSION_MINOR to standard output as
* "IPsec/IKE version - <major>.<minor>".
*
* RETURNS: N/A
* ERRNO: N/A
*
* NOMANUAL
*/
void ipsecShowVerHandler (void)
{
    printf ("\n IPsec/IKE version - %u.%u\n\n",
            IPSEC_VERSION_MAJOR,
            IPSEC_VERSION_MINOR);
}

/******************************************************************************/

/*
 * ipsecAttachIf_nvram - void wrapper around ipsecAttachIfHandler
 *
 * Forwards the address string unchanged; the handler's STATUS result is
 * discarded, so a failed attach is not reported through this entry point.
 */
void ipsecAttachIf_nvram (char *cptr_address_string)
{
    (void) ipsecAttachIfHandler (cptr_address_string);
}

/*******************************************************************************
*
* ipsecAttachIfHandler - attach a network interface to IPsec based on the IP
*                        address
*
* Converts the supplied string with parseAddrString() and, when that succeeds,
* hands the resulting address structure to ipsecAttachIfMapi().  The structure
* is released with wrSecFree() only when ipsecAttachIfMapi() returns ERROR.
*
* Parameters:
* \is
* \i <cptrAddrString>
* A string holding either an IPv4 host address in dotted decimal notation or
* an IPv6 host address in colon hexadecimal notation.
* \ie
*
* EXAMPLES:
* \cs
* For IPv4:
*
*     ipsecAttachIfHandler("10.10.10.10")
*
* For IPv6:
*
*     ipsecAttachIfHandler("3ffe:2::2")
* \ce
*
* RETURNS: OK on success, otherwise ERROR.
*
* ERRNO: N/A
*
* NOMANUAL
*/
STATUS ipsecAttachIfHandler
    (
    char *cptrAddrString    /* IP address */
    )
{
    WRSEC_INET_ADDR *addr;
    STATUS           status;

    /* No NULL check on cptrAddrString here; parseAddrString() receives it as-is. */
    status = parseAddrString (cptrAddrString, &addr);
    if (status != OK)
        {
        return (status);
        }

    status = ipsecAttachIfMapi (addr);
    if (status == ERROR)
        {
        wrSecFree (addr);
        }

    /*
     * NOTE(review): when the attach succeeds the address structure is not
     * freed here; presumably ipsecAttachIfMapi() keeps it - confirm.
     */
    return (status);
}

/*******************************************************************************
*
* ipsecDetachIfHandler - detach a network interface from IPsec based on the IP
*                        address
*
* Converts the supplied string with parseAddrString() and, when that succeeds,
* hands the resulting address structure to ipsecDetachIfMapi().  The structure
* is released with wrSecFree() only when ipsecDetachIfMapi() returns ERROR.
*
* Parameters:
* \is
* \i <cptrAddrString>
* A string holding either an IPv4 host address in dotted decimal notation or
* an IPv6 host address in colon hexadecimal notation.
* \ie
*
* EXAMPLES:
* \cs
* For IPv4:
*
*     ipsecDetachIfHandler("10.10.10.10")
*
* For IPv6:
*
*     ipsecDetachIfHandler("3ffe:2::2")
* \ce
*
* RETURNS: OK on success, otherwise ERROR.
*
* ERRNO: N/A
*
* NOMANUAL
*/
STATUS ipsecDetachIfHandler
    (
    char *cptrAddrString    /* IP address */
    )
{
    WRSEC_INET_ADDR *addr;
    STATUS           status;

    /* No NULL check on cptrAddrString here; parseAddrString() receives it as-is. */
    status = parseAddrString (cptrAddrString, &addr);
    if (status != OK)
        {
        return (status);
        }

    status = ipsecDetachIfMapi (addr);
    if (status == ERROR)
        {
        wrSecFree (addr);
        }

    /*
     * NOTE(review): when the detach succeeds the address structure is not
     * freed here; confirm that ipsecDetachIfMapi() releases it, otherwise
     * each successful call leaves one allocation behind.
     */
    return (status);
}

/******************************************************************************/

/*
 * ipsecDFBit_nvram - void wrapper around ipsecDFBitHandler
 *
 * Forwards the configuration string unchanged; the handler's STATUS result is
 * discarded, so a rejected configuration is not reported through this entry
 * point.
 */
void ipsecDFBit_nvram (char *cptr_df_bit_config)
{
    (void) ipsecDFBitHandler (cptr_df_bit_config);
}

/*
 * NOTE(review), for ipsecDFBitHandler below:
 *  - The result of the second strtok_r() call is passed to strcmp() without
 *    a NULL check.  A configuration string that has no ",<dfBitConfig>" field
 *    makes strtok_r() return NULL, so the handler should test for NULL and
 *    return ERROR (freeing the address structure) before comparing.
 *  - The local copy is made with alloca() sized from strlen() of the caller's
 *    string; no upper bound on that length is visible before the allocation.
 *    Rejecting over-long input first would keep the stack use bounded.
 */

/*******************************************************************************
*
* ipsecDFBitHandler - clear, set or copy the inner IP Don't Fragment (DF) bit.
*
* This routine is used in tunneled IP header construction to clear,
* set, or copy the inner IP header DF (Don't fragment) bit.
Configure this parameter* for each IPsec-enabled interface.** The DF Bit setting determines whether the DF bit for a tunnelled packet that is to be * forwarded on an interface will be (1) cleared (DF Bit = 0 or CLEAR), * (2) set (DF Bit = 1 or SET), or (3) copied from the original packet (DF Bit = 2 or COPY). ** Parameters:* \is* \i <cptrDFBitConfig>* A string formatted as follows:** <ipAddress>,<dfBitConfig>* \ml* \m <ipAddress> is the IP address of an IPsec-enabled network interface.* \m <dfBitConfig> is 'CLEAR' | 'SET' | 'COPY' (clear, set or copy the DB bit). * \me* \ie* EXAMPLES:* \cs* ipsecDFBitHandler("10.10.10.10,CLEAR")* \ce *** RETURNS: OK if the DF bit for the IPsec-enabled interface is set to clear, set or * copy; otherwise ERROR.** ERRNO: N/A** NOMANUAL*/STATUS ipsecDFBitHandler ( char *cptrDFBitConfig /* parameter string */ ) { STATUS return_value = ERROR; char *cptr_address = NULL; char *cptr_df_bit_config = NULL; char *cptr_delimiter = NULL; int dfBitConfig = 0; int cfgStrLen; /* length of passed in config string */ char *pLocalDFBitConfig; /* local copy of config string for re-entrancy */ char *pStrtokContextHandle; /* also for re-entrancy issues */ WRSEC_INET_ADDR *p_wrn_inet_address = NULL; if (cptrDFBitConfig == NULL) { return (ERROR); } /* make a local copy of the cptrDFBitConfig due to the use of strtok_r */ cfgStrLen = strlen (cptrDFBitConfig); pLocalDFBitConfig = alloca (cfgStrLen + 1); if (pLocalDFBitConfig == NULL) { return (ERROR); } strncpy (pLocalDFBitConfig, cptrDFBitConfig, cfgStrLen + 1); pLocalDFBitConfig[cfgStrLen] = '\0'; /* Expected string syntax := ("<x.x.x.x>,SET/COPY/CLEAR") */ /*get the IPv4 address */ cptr_address = strtok_r (pLocalDFBitConfig, ",", &pStrtokContextHandle); if (cptr_address == NULL) { return (return_value); } cptr_delimiter = strpbrk (cptr_address, ".:"); if (cptr_delimiter == NULL) { ipsec_printf (IPSEC_WARNING_PRINTF, "IPSec: Configuration Error, address format not valid\n"); return (return_value); } else 
if (*cptr_delimiter == '.') { p_wrn_inet_address = wrSecInetAddrCreate(WRSEC_AF_INET4); if (p_wrn_inet_address == NULL) { ipsec_printf (IPSEC_ERROR_PRINTF, "IPSec: Failed address structure allocation\n"); return (return_value); } wrSecInetAddrStringToAddr (cptr_address, p_wrn_inet_address); if (WRSEC_INET4_IS_ADDR_UNSPECIFIED (((WRSEC_INET4_ADDR *)p_wrn_inet_address))) { ipsec_printf (IPSEC_ERROR_PRINTF, "IPSec: Invalid IPv4 Address\n"); wrSecFree (p_wrn_inet_address); return (return_value); } } else if (*cptr_delimiter == ':') { p_wrn_inet_address = wrSecInetAddrCreate(WRSEC_AF_INET6); if (p_wrn_inet_address == NULL) { ipsec_printf (IPSEC_ERROR_PRINTF, "IPSec: Failed address structure allocation\n"); return (return_value); } wrSecInetAddrStringToAddr (cptr_address, p_wrn_inet_address); if (WRSEC_INET6_IS_ADDR_UNSPECIFIED (((WRSEC_INET6_ADDR *)p_wrn_inet_address))) { ipsec_printf (IPSEC_ERROR_PRINTF, "IPSec: Invalid IPv6 Address\n"); wrSecFree (p_wrn_inet_address); return (return_value); } } cptr_df_bit_config = strtok_r (NULL, ",\r\n", &pStrtokContextHandle); if (strcmp (cptr_df_bit_config, "SET") == 0) { dfBitConfig = 1; } else if (strcmp (cptr_df_bit_config, "COPY") == 0) { dfBitConfig = 2; } else if (strcmp (cptr_df_bit_config, "CLEAR") == 0) { dfBitConfig = 0; } else { ipsec_printf (IPSEC_ERROR_PRINTF, "IPSec: Configuration Error! %s\n", "Invalid DF Bit Configuration");