/* ipsec_io.c - WindNet IPsec I/O Code *//* * Copyright (c) 2000-2006 Wind River Systems, Inc. * * The right to copy, distribute, modify or otherwise make use * of this software may be licensed only pursuant to the terms * of an applicable Wind River license agreement. *//* Copyright (c) 2002-2003 teamF1, Inc. *//*modification history--------------------05i,14mar06,djp Added initialization of return_value in ipsecApplyPolicy()05h,23sep05,jfb Fixed TSR 457668. Semaphores (ipsec_global_class.mutex and splimp/slpx) taken in inconsistent order.05g,14sep05,djp Removed extern declarations for ip_input and ip_output05f,11apr05,djp Fixed include paths05e,01apr05,rlm Added #ifdef around v6 code to fix v4-only compile in ipsecProcessTunnelmBlk()05d,30mar05,rlm Renamed ipsecRestoreTunnelmBlk() to ipsecProcessTunnelmBlk()05c,30mar05,rlm Fix for SPR 106493 (TTL incorrect after tunnel decapsulation)05b,22mar05,djp Fixed SADB/splimp mutex deadlock05a,16dec04,djp Added code to reduce chance of tNetTask ring buffer overflow.04z,08oct04,rlm Fix to ipsecReinsert(): ip_output() hook is now passed NULL for cached route (arg 3). 
NOTE that previous versions of this file had an erroneous comment describing this fix (it wasn't checked in due to the stack not handling a NULL argument at the time).04y,28sep04,msa Added checks after calls to routines that returned values in ipsecApplyPolicy and ipsecRestoremBlk.04x,23sep04,ps fix for Coverity bug 239 (null ptr issue)04w,10sep04,rlm Minor fixes to #include stmts for compile errors with -DINCLUDE_IPFW_HOOKS -DVIRTUAL_STACK04v,25aug04,cdw Change to use protection suite manager mutex when required04u,23aug04,rlm Fixed potential NULL dereference in ipsec_get_attached_network_interface()04t,30jul04,rlm Fixes to virtual stack variable names to match new unified network stack04s,01jun04,swc added ipsec counters04r,21aug03,rep removed ROUTER_STACK check, replaced with STACK_NAME_V4 check04r,14aug03,rlm wrapped clearing of mbuf *pp_memory_buffer in ipsecReInsert() to only occur for Clarinet-based stacks04q,12jun03,rep added support for STACK_NAME04r,30Jun03,rks(teamf1) BugFix:moved mode check down in ipsecProcessSecurePacket spdGetPolicyTraf sets the mode only when, policy indicator is APPLY.04q,12jun03,rep added support for STACK_NAME04p,05jun03,mad(teamf1) added ifdef for IPV4_DUAL_STACK04o,03Jun03,rks(teamf1) added check to bypass PMTU packets. moved up IPv6 ICMP message checking code in ipsecApplyPolicy and removed same check from ipsecInProcessPlainTextPacket.04n,29May03,rks(teamf1) setting *pp_memory_buffer to NULL after calling ip(6)_output in ipsecReinsert. 
Added check for return_value before modifying mbuf in ipsecOutput.04m,08may03,sam(teamf1) added code to avoid recursion if bypass policy is not added for ah and esp.04l,24apr03,sam(teamf1) renamed icmp pmtu functions as part of code cleanup.04k,23apr03,mad(teamf1) moved the routines ipsecInputIPv6(), ipsecOutputIPv6() and ipsecForwardIPv6() to a separate file ipsec_ipv6_io.c04j,23Apr03,mhb(teamf1) incorporated code review comments + removed extern declarations of inetdomain, ip_forward, icmp6_error as they are no longer used.04i,21Apr03,sam(teamf1) added code to send back pmtu message in ipsecApplyPolicy(SPR #86677). 04h,21Apr03,rks(teamf1) added code to return EMSGSIZE from ip_output to caller routine.04g,19Apr03,mhb(teamf1) added case for ROUTER_STACK_11 in ipsecTunnelEndDriver04f,19Apr03,sam(teamf1) added call to icmp6_error(SPR #86677). 04e,14Apr03,sam(teamf1) changes for PMTU support(SPR #86677).04d,14Feb03,rks(teamf1) changes for supporting iterated tunnel (case 4 of RFC 2401 Section 4.5: Combination of Security Associations ).04c,24feb03,mad (teamf1) replaced free with table_free in the functions ipsecSecure() and ipsecReinsert().04b,17Feb03,rks(teamf1) now we call ip(6)_output instead of ip(6)_forward after adding tunnel header because ip(6)_forward generates icmp_redirect message.04a,31Jan03,rks(teamf1) changes for merging ipsecFilterHook with ipsecInput. renamed ipsecFilterHook as ipsecFilterHookProcessing.03m,31Dec02,rks(teamf1) taking splnet before taking ipsec mutex to avoid deadlock. 
(it happens when __IPSEC_QUEUING__ is enabled)03l,29Dec02,rks(teamf1) changes for doing NTOHS/HTONS on ip_id in case of non-clarinet stack.03k,28Dec02,rks(teamf1) changes for supporting IPv6 when IPSEC_QUEUING enabled03j,26Dec02,rks(teamf1) replaced m_free with WRN_M_FREEM.03i,25nov02,mhb(teamf1) added checks to drop packets which have AH/ESP as next header even after returning from ipsecApplyPolicy 03g,25nov02,mhb(teamf1) added source address as argument to the function ipsecFindNetworkInterfaceBasedOnIfnet, so that the right p_ipsec_network_interface is returned.03f,15nov02,mhb(teamf1) moved checks for IN6_IS_SCOPE_LINKLOCAL from clarinet code inside IPSEC hooks03e,11nov02,mhb(teamf1) added ipsecIsIcmp6Message check, so that icmp6 solicitation and advertisement messages are always sent.03d,20Oct02,rks(teamf1) fixed a bug. NTOHL was being called on ip_id instead of on ip_off before calling ip_forward.03c,08oct02,sam(teamf1) put IPv6 code in #ifdef __IPV6_STACK__03b,30Sep02,rks(teamf1) support for veloce added in ipsecTunnelEndDriver03a,20Sep02,rks(teamf1) Modification for IPv6. Added IPsec Hooks for V602b,19mar02,rtp replaced use of structure IP_MESSAGE by IP_VI_MESSAGE and structure NETWORK_TRAFFIC_INFO by VI_NETWORK_TRAFFIC_INFO in func definitions. 01b,27jun01,tkp Using/checking policy handle01a,01dec00,aos Add ipsecFilterHook, ipsec_protect_packet, ipsec_apply_security_processing, ipsec_is_network_interface_attached and ipsecCreateTrafficInfo routines. 
In addition, general code clean-up to ipsecInput and ipsecOutput and deleted ipsecForward, and ipsecOutputProcessing routines.*//******************************************************************************/#include <stdio.h>#include <stdarg.h>#include <time.h>#include <vxWorks.h>#if defined (__IPSEC_QUEUING__)#if defined (__IPSEC_PROTOSW__)#include <net/domain.h>#include <net/protosw.h>#endif /*__IPSEC_PROTOSW__*/#endif /*__IPSEC_QUEUING__*/#if (_WRS_VXWORKS_MAJOR < 6)#include <osdep.h> /* Core IP headers */#include <machdep.h>#endif#ifdef _KERNEL#define _KERNEL_PREDEFINED#else#define _KERNEL#endif#include <net/if.h>#include <net/if_var.h>#include <netinet/in.h>#include <netinet/in_var.h>#include <netinet/ip.h>#include <netinet/ip_var.h> /* to get IP_FORWARDING definition */#ifndef _KERNEL_PREDEFINED#undef _KERNEL#else#undef _KERNEL_PREDEFINED#endif#include <netLib.h>#include "ipsecP.h"#include "../spd/spd_if.h"#include "ipsec_class.h"#include "ipsec_globals.h"#include "ipsec_network_interface.h"#include "ipsec_print_routines.h"#include "ipsec_spd.h"#include "ipsec_icmp_pmtu.h"#include <wrn/ipsec/ipsecLogger.h>#include "ipsec_logger_util.h"#include "ipsec_stats.h"#include "../common/wrSecTrace.h"#include <wrn/ipsec/ipsecStats.h>#ifdef INCLUDE_COUNTERS_PROTECTION_SUITESextern void protection_suite_manager_mutex_give ();#endif#if defined (VIRTUAL_STACK)#include <netinet/vsLib.h>#include <netinet/vsData.h> /* for vsTbl[] *//* required if INCLUDE_IPFW_HOOKS defined */#ifdef _KERNEL#define _KERNEL_PREDEFINED#else#define _KERNEL#endif#include <netinet/vsIp.h> /* for IPSEC_INPUT_FUNCPTR, IPSEC_OUTPUT_FUNCPTR definitions */#ifndef _KERNEL_PREDEFINED#undef _KERNEL#else#undef _KERNEL_PREDEFINED#endif#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)#include <netinet6/in6_var.h>#include <vs/vsIp6.h>#include "ipsec_ipv6_utilities.h"#endif /* STACK_NAME_V4_V6 && defined (INET6) */#else#if STACK_NAME == STACK_NAME_V4_V6#include <netinet/ip4_ext_in.h> /* for 
IPSEC_INPUT_FUNCPTR definition */#include <netinet/ip4_ext_out.h> /* for IPSEC_OUTPUT_FUNCPTR definition */#endif#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)#include <netinet6/ip6_var.h>#include <netinet6/ip6_ext_in.h> /* for INPUT_HOOK_IPV6_FUNCPTR definition */#include <netinet6/ip6_ext_out.h> /* for IPSEC_OUTPUT_IPV6_FUNCPTR definition */#ifdef _KERNEL#define _KERNEL_PREDEFINED#else#define _KERNEL#endif#include <netinet6/icmp6.h>#include "ipsec_ipv6_utilities.h"#ifndef _KERNEL_PREDEFINED#undef _KERNEL#else#undef _KERNEL_PREDEFINED#endif#endif#endif /* defined (VIRTUAL_STACK) */#if defined (__IPSEC_QUEUING__)#if defined (__IPSEC_PROTOSW__)extern u_char ip_protox[IPPROTO_MAX];#if STACK_NAME == STACK_NAME_V4_V6extern struct ipprotosw inetsw [];#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)extern struct ip6protosw inet6sw [];extern struct domain inet6domain;extern u_char ip6_protox[IPPROTO_MAX];#endif /* #if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6) */#else /* __IPV6_STACK__ || __IPV4_DUAL_STACK__ */extern struct protosw inetsw [];#endif /* __IPV6_STACK__ || __IPV4_DUAL_STACK_*/#endif /*__IPSEC_PROTOSW__*/#endif /*__IPSEC_QUEUING__*//* The following prevents the IPsec Tunnel END Driver from overflowing the * Network Stack Job queue. * IPSEC_NET_JOB_MAX must be set to a value lower than NET_JOB_NUM_CFG * (a configurable parameter under * Network Component -> Network Private Components) * * ipsecNetJobPacketsDropped tracks the number of packets dropped by IPsec due * to an overflow in the job queue. ipsecNetJobAvailable specifies the current * number of jobs that can be put on the queue by IPsec. This number is set via * the ipsecNetJobMaxSet() API and retrievable via ipsecNetJobMaxGet(). 
 * IPSEC_NET_JOB_MAX */

/* Job-queue throttling state for the IPsec tunnel-end driver (see the
 * comment block above). All three are plain file-scope ints; no lock or
 * atomic access around them is visible in this excerpt, so any reader and
 * writer on different tasks (tNetTask vs. the Set/Get API) should be checked
 * against the definitions of those routines.
 * NOTE(review): ipsecNetJobMax and ipsecNetJobAvailable both start at 0.
 * Confirm that ipsecNetJobMaxSet() is called before traffic flows, or that a
 * zero budget is treated as "unlimited" rather than "drop every packet" -
 * the latter would be a self-inflicted denial of service.
 */
LOCAL int ipsecNetJobPacketsDropped = 0;   /* packets dropped: queue full   */
LOCAL int ipsecNetJobMax = 0;              /* budget set by ipsecNetJobMaxSet */
LOCAL int ipsecNetJobAvailable = 0;        /* jobs IPsec may still enqueue   */

/* Look up the IPsec interface container for <sptr_ifnet> in address family
 * <family>. Not LOCAL: shared with the other IPsec source files.
 * NOTE(review): history entry 03g says a source address was added as an
 * argument so that the right p_ipsec_network_interface is returned, but this
 * prototype carries no such argument - confirm against the header and the
 * definition that the two still agree.
 */
IPSEC_NETWORK_INTERFACE *ipsecFindNetworkInterfaceBasedOnIfnet
    (
    struct ifnet *sptr_ifnet,
    WRSEC_INET_FAMILY family
    );

/* Apply the selected policy/SA bundle to one packet travelling in
 * <direction>. Returns an int status (history 05i: return_value is now
 * initialized here; 04h/04i: EMSGSIZE and a PMTU message can originate on
 * this path). <pp_memory_buffer> and <pp_ip_header> are passed by address,
 * so the callee can update the caller's pointers - per history 04n/04y the
 * mbuf may be handed to ip(6)_output and the pointer cleared, so callers
 * must re-read it after the call rather than reuse the old value (verify in
 * the body).
 */
LOCAL int ipsecApplyPolicy
    (
    TRAFFIC_DIRECTION direction,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info,
    SECURITY_POLICY *sptr_policy,
    SA_BUNDLE *pSABundle,
    NET_IF *net_interface,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    int flags
    );

/* Rebuild the mbuf chain / IP header from <p_ip_message>. Returns BOOL;
 * history 04y notes that the return values of the routines it calls are now
 * checked.
 */
LOCAL BOOL ipsecRestoremBlk
    (
    struct mbuf ** m,
    int hlen,
    struct ip ** ip,
    IP_VI_MESSAGE *p_ip_message
    );

/* Serialize the message header described by <p_ip_message> into <m0>.
 * Returns BOOL (details not visible in this excerpt).
 */
LOCAL BOOL ipSerializeMessageHeader
    (
    struct mbuf ** m0,
    IP_VI_MESSAGE *p_ip_message
    );

/* Tunnel-mode mbuf processing for <direction>. Renamed from
 * ipsecRestoreTunnelmBlk (history 05d); the TTL-after-decapsulation fix for
 * SPR 106493 (05c) lives here, and 05e wrapped its v6 code in #ifdef.
 */
LOCAL BOOL ipsecProcessTunnelmBlk
    (
    struct mbuf ** m,
    IP_VI_MESSAGE *p_ip_message,
    TRAFFIC_DIRECTION direction
    );

/* Inbound handling of a packet that arrives in clear text under
 * <sptr_policy>. Per history 04o the ICMPv6 message check was moved out of
 * here into ipsecApplyPolicy, so do not expect it in this routine.
 */
LOCAL STATUS ipsecInProcessPlainTextPacket
    (
    SECURITY_POLICY *sptr_policy,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info
    );

/* Tunnel-end driver entry: the path that the ipsecNetJob* counters above
 * throttle to keep the network job queue from overflowing (history 05a,
 * and the comment block above). Stack-specific cases were added in 03b
 * (veloce) and 04g (ROUTER_STACK_11). Meaning of <wakeup> is not visible
 * here.
 */
LOCAL STATUS ipsecTunnelEndDriver
    (
    struct ifnet *ifp,
    struct mbuf *m,
    BOOL wakeup
    );

/* Address accessors on VI_NETWORK_TRAFFIC_INFO for family <inetFam>.
 * Whether the returned pointer aliases <trafficInfo> (and so shares its
 * lifetime) is not visible in this excerpt - verify before caching it.
 */
LOCAL WRSEC_INET_ADDR *getDestAddrFromTrafficInfo
    (
    VI_NETWORK_TRAFFIC_INFO *trafficInfo,
    WRSEC_INET_FAMILY inetFam
    );
LOCAL WRSEC_INET_ADDR *getSrcAddrFromTrafficInfo
    (
    VI_NETWORK_TRAFFIC_INFO *trafficInfo,
    WRSEC_INET_FAMILY inetFam
    );

/* Address equality for two WRSEC_INET_ADDR values (family handling not
 * visible here).
 */
LOCAL BOOL isSameIP
    (
    WRSEC_INET_ADDR *addr1,
    WRSEC_INET_ADDR *addr2
    );

/* Per-policy-outcome handlers with the same parameter list as
 * ipsecApplyPolicy. History 04r (30Jun03): the mode check in
 * ipsecProcessSecurePacket was moved down because spdGetPolicyTraf sets the
 * mode only when the policy indicator is APPLY; 03i adds a drop of packets
 * that still carry AH/ESP as next header after policy application.
 */
LOCAL int ipsecProcessInsecurePacket
    (
    TRAFFIC_DIRECTION direction,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info,
    SECURITY_POLICY *sptr_policy,
    SA_BUNDLE *pSABundle,
    NET_IF *net_interface,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    int flags
    );
LOCAL int ipsecProcessSecurePacket
    (
    TRAFFIC_DIRECTION direction,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info,
    SECURITY_POLICY *sptr_policy,
    SA_BUNDLE *pSABundle,
    NET_IF *net_interface,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    int flags
    );

/* Cached SPD lookup, defined outside this file (presumably the SPD module;
 * "../spd/spd_if.h" is included above - verify). <sptr_policy> and
 * <pSABundle> are out parameters by type; callers must check the STATUS
 * before dereferencing either.
 */
IMPORT STATUS spdGetCachedPolicyTraffic
    (
    TRAFFIC_DIRECTION direction,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info,
    SECURITY_POLICY **sptr_policy,
    SA_BUNDLE **pSABundle
    );

/*******************************************************************************
* ipsecGetNetIf - Get interface that belongs to IP packets
*
* This function searches the ipsec interface containers for the one on which
* we received the packet based on the IP address in the packet ( source address
* in case of an outbound packet, destination address in case of an inbound packet )
*