/* ipsec_tunnel_utilities.c - WindNet IPsec and IKE tunnel utilities *//*  * Copyright (c) 2000-2006 Wind River Systems, Inc.  *  * The right to copy, distribute, modify or otherwise make use  * of this software may be licensed only pursuant to the terms  * of an applicable Wind River license agreement.  *//*modification history--------------------03m,13jan06,djp  removed rwos dependencies03l,12jan06,djp  removed rwos dependencies03k,28nov05,djp  replace WRN_INET with WRSEC_INET03j,28oct05,rlm  Fix to IP header checksum calculation (SPR#114627)03i,12apr05,djp  Fixed compiler errors03h,01apr05,rlm  Removed TTL/hop_limit decrement in tunnel code03g,10sep04,rlm  Minor fixes to #include stmts for compile errors with                 -DINCLUDE_IPFW_HOOKS -DVIRTUAL_STACK03f,30jul04,rlm  Fixes to virtual stack variable names to match new unified                 network stack03e,12jun03,rparkhil added support for STACK_NAME03d,24apr03,mad(teamf1) Modified to guard include file ipsec_ipv6_utilities.h            under ifdef __IPV6_STACK__03c,24Apr03,sam(teamf1) code cleanup.03b,08oct02,sam(teamf1) placed v6 code under __IPV6_STACK__.03a,31Sep02,rks(teamf1) added DF bit setting in tunnel header based on                     configuration on that interface.02b,25mar02,rpt   removed use of "ipsec_retain_df_bit", by default clear DF bit                  for tunneled packet. 02a,19mar02,rpt   replaced IP_MESSAGE* with IP_VI_MESSAGE* in func definitions01a,19mar02,rpt   extracted from WindNet IPSec 1.1, added modification history*//******************************************************************************/#include <vxWorks.h>#if (_WRS_VXWORKS_MAJOR < 6)#include <osdep.h>     /* Core IP headers */#include <machdep.h>#endif#ifdef _KERNEL#define _KERNEL_PREDEFINED#else#define _KERNEL#endif#include <net/if.h>#include <net/if_var.h>#include <netinet/in.h>#include <netinet/in_var.h>#include <netinet/ip.h>#include <netinet/ip_var.h>#ifndef _KERNEL_PREDEFINED#undef _KERNEL#else#undef _KERNEL_PREDEFINED#endif#include "../common/wrSecSerialize.h"#include "../common/wrSecInetAddr.h"#include "ipsecP.h"#include "ipsec_ah_message.h"#include "ipsec_esp_message.h"#include "ipsec_class.h"#include "ipsec_globals.h"#include "ipsec_tunnel_utilities.h"#include "ipsec_print_routines.h"#include "ipsec_network_interface.h"#include "packetBuf.h"#if defined (VIRTUAL_STACK)#include <netinet/vsLib.h>#include <netinet/vsData.h> /* for vsTbl[] *//* required if INCLUDE_IPFW_HOOKS defined */#ifdef _KERNEL#define _KERNEL_PREDEFINED#else#define _KERNEL#endif#include <netinet/vsIp.h> /* for IPSEC_INPUT_FUNCPTR, IPSEC_OUTPUT_FUNCPTR definitions */#ifndef _KERNEL_PREDEFINED#undef _KERNEL#else#undef _KERNEL_PREDEFINED#endif#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)#include <netinet6/in6_var.h>#include <vs/vsIp6.h>#include "ipsec_ipv6_utilities.h"#endif /* STACK_NAME_V4_V6 && defined (INET6) */#else#if STACK_NAME == STACK_NAME_V4_V6#include <netinet/ip4_ext_in.h>  /* for IPSEC_INPUT_FUNCPTR definition */#include <netinet/ip4_ext_out.h> /* for IPSEC_OUTPUT_FUNCPTR definition */#endif#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)#include <netinet6/ip6_var.h>#include <netinet6/ip6_ext_in.h>  /* for INPUT_HOOK_IPV6_FUNCPTR definition */#include <netinet6/ip6_ext_out.h> /* for IPSEC_OUTPUT_IPV6_FUNCPTR definition */#include "ipsec_ipv6_utilities.h"#ifdef _KERNEL#define _KERNEL_PREDEFINED#else#define _KERNEL#endif#include <netinet6/icmp6.h>#ifndef _KERNEL_PREDEFINED#undef _KERNEL#else#undef _KERNEL_PREDEFINED#endif#endif#endif /* defined (VIRTUAL_STACK) *//******************************************************************************//******************************************************************************/BOOL ipsec_deserialize_tunnel_message    (    SA_SPEC *p_spec,    IP_VI_MESSAGE *p_ip_message    )    {    UCHAR *p_payload;    UINT version_and_header_length;    UINT version;    UINT header_length;    UINT flags_and_fragment_offset;    UINT total_length;    IP_VERSION_NUMBER ip_version;    PARAMETER_NOT_USED (p_spec);    p_payload = NULL;    version_and_header_length = 0;    version = 0;    header_length = 0;    flags_and_fragment_offset = 0;    total_length = 0;    p_payload = packetBufDataGet(p_ip_message->pPayload);    if (p_payload == NULL)        {        return (FALSE);        }    ip_version = p_ip_message->version;    if (ip_version == IP_V4)        {        /*IPv4 Processing*/        version_and_header_length = wrSecDeserializeUChar (&p_payload);        version = (version_and_header_length >> 4);        header_length = version_and_header_length & 0xf;        header_length *= IP_WORD_SIZE;        /*version*/        /* header length */        ((IP_V4_MESSAGE *)p_ip_message)->header_length = header_length;        /*type of service*/        ((IP_V4_MESSAGE *)p_ip_message)->type_of_service = wrSecDeserializeUChar(&p_payload);        /*total length */        ((IP_V4_MESSAGE *)p_ip_message)->total_length = wrSecDeserializeUShort(&p_payload);        /*identifier*/        ((IP_V4_MESSAGE *)p_ip_message)->datagram_identifier = wrSecDeserializeUShort(&p_payload);        /* the first three bits contain the fragmentation flags.         * The next 13 bits contain the fragment offset.        */        flags_and_fragment_offset = wrSecDeserializeUShort(&p_payload);        /* skip the flags bits and note that the         fragment offset is on 8 byte boundary */        ((IP_V4_MESSAGE *)p_ip_message)->fragment_offset = (flags_and_fragment_offset & IP_FRAGMENT_OFFSET_MASK);        /* eliminate the lower 13 bits representing the fragment offset */        flags_and_fragment_offset >>= 13;        /* now the lsb is the more fragments flag */        ((IP_V4_MESSAGE *)p_ip_message)->more_fragment_flag = (flags_and_fragment_offset & 0x1) ? TRUE : FALSE;        /* eliminate the lower 1 bit representing the more fragments flag. */        flags_and_fragment_offset >>= 1;        /* now the lsb is the do not fragment flag */        ((IP_V4_MESSAGE *)p_ip_message)->dont_fragment_flag = (flags_and_fragment_offset & 0x1) ? TRUE : FALSE;        /* time to live */        ((IP_V4_MESSAGE *)p_ip_message)->time_to_live = wrSecDeserializeUChar(&p_payload);        /* protocol */        ((IP_V4_MESSAGE *)p_ip_message)->transport_protocol = wrSecDeserializeUChar(&p_payload);        /*checksum */        ((IP_V4_MESSAGE *)p_ip_message)->checksum = wrSecDeserializeUShort(&p_payload);        /* source IP address*/        wrSecInetAddrDeserialize(&p_payload,                                  (WRSEC_INET_ADDR *)&(((IP_V4_MESSAGE *)p_ip_message)->source_address));        /* destination IP address */        wrSecInetAddrDeserialize(&p_payload,                                  (WRSEC_INET_ADDR *)&(((IP_V4_MESSAGE *)p_ip_message)->destination_address));        packetBufReduceFront(p_ip_message->pPayload, header_length);        return (TRUE);        }    #if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)    else if (ip_version == IP_V6)        {        IP_V6_MESSAGE *p_ip6_message = (IP_V6_MESSAGE *)p_ip_message;        UCHAR *ip6Hdr = p_payload;        /*IPv6 Processing*/        /* version, traffic class & flow label */        (p_ip6_message)->flow_label = wrSecDeserializeULong(&p_payload);        /* payload len */        (p_ip6_message)->payload_length = wrSecDeserializeUShort(&p_payload);        /* next header*/        (p_ip6_message)->next_header = wrSecDeserializeUChar(&p_payload);        /* store next_header in transport_protocol */        (p_ip6_message)->transport_protocol = ipsecIpv6GetIpsecOrTransportProtocol (NULL, (struct ip6_hdr *)ip6Hdr);        p_ip6_message->extn_headers_len = 0;        p_ip6_message->extn_headers_len = ipsecIpv6ExtnHdrLenGet ((struct ip6_hdr *)ip6Hdr);        if (p_ip6_message->extn_headers_len)            {            p_ip6_message->first_extn_header = (p_ip6_message)->next_header;            p_ip6_message->next_header = (p_ip6_message)->transport_protocol;            }        /* hop limit */        (p_ip6_message)->hop_limit = wrSecDeserializeUChar(&p_payload);        /* source IP address*/        wrSecInetAddrDeserialize(&p_payload,                                  (WRSEC_INET_ADDR *)&((p_ip6_message)->source_address));        /* destination IP address */        wrSecInetAddrDeserialize(&p_payload,                                 (WRSEC_INET_ADDR *)&((p_ip6_message)->destination_address));        p_ip6_message->p_extn_headers = NULL;        /* Copy Extension Headers */        if (p_ip6_message->extn_headers_len)            {            p_ip6_message->p_extn_headers =                (UCHAR *)ip6Hdr - packetBufMaxWritableHeaderSizeGet(p_ip_message->pPayload);            }        memmove (p_ip6_message->p_extn_headers, p_payload, p_ip6_message->extn_headers_len);        packetBufReduceFront(p_ip_message->pPayload,                             MINIMUM_IP_V6_HEADER_LENGTH + p_ip6_message->extn_headers_len);        return (TRUE);        }    #endif /* STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)  */    else        {        ipsec_printf (IPSEC_WARNING_PRINTF, "IPsec: IP Message: INVALID_VERSION\n");        return (FALSE);        }    }/******************************************************************************/BOOL ipsec_serialize_tunnel_message    (    SA_SPEC *p_spec,    IP_VI_MESSAGE *p_ip_message    )    {    IP_VERSION_NUMBER ip_version;    ip_version = p_ip_message->version;    if (ip_version == IP_V4)        {        /*IPv4 Processing*/        /*        ** version - construct        ** =====================        */        /*IP_VERSION_4;*/        /*         ** header length - construct        ** =====================        */        ((IP_V4_MESSAGE *)p_ip_message)->header_length = IP_PACKET_HEADER_MINIMUM_LENGTH / IP_WORD_SIZE;        /*        ** type of service - copied from inner header        ** =====================        */        /* p_ip_message->type_of_service = ; */        /*        ** total length        ** =====================        */        ((IP_V4_MESSAGE *)p_ip_message)->total_length            = packetBufDataSizeGet(p_ip_message->pPayload) + IP_PACKET_HEADER_MINIMUM_LENGTH;        /*        ** identification - construct        ** =====================        */        #ifdef VIRTUAL_STACK        ((IP_V4_MESSAGE *)p_ip_message)->datagram_identifier = _ip_id++;        #else        ((IP_V4_MESSAGE *)p_ip_message)->datagram_identifier = _ip_id++;        #endif        /* MF = 0, no more fragments to follow*/        ((IP_V4_MESSAGE *)p_ip_message)->dont_fragment_flag = 0;        ((IP_V4_MESSAGE *)p_ip_message)->more_fragment_flag = 0;        ((IP_V4_MESSAGE *)p_ip_message)->fragment_offset = 0;        /*        ** time to live - constructed        ** =====================        */        ((IP_V4_MESSAGE *)p_ip_message)->time_to_live = 64;        /*        ** protocol -  AH, ESP, routing hdr        ** =====================        */        ((IP_V4_MESSAGE *)p_ip_message)->transport_protocol = TRANSPORT_PORTO_IP_IN_IP_IPV4;        /*        ** checksum - construct         ** =====================        */        ((IP_V4_MESSAGE *)p_ip_message)->checksum = 0;        /*        ** source IP Address - Tunnel endpoint        ** =====================        */        WRSEC_INET4_ASSIGN_B_TO_A (            (&((IP_V4_MESSAGE *)p_ip_message)->source_address),            ((WRSEC_INET4_ADDR *) (((OUTBOUND_TUNNEL_SA_SPEC *)p_spec)->p_src_address)));        /*        ** destination IP Address - Tunnel endpoint