ipsec_io.c

ipsec PNE 3.3 source code, running at more than vxworks6.x version.

/* ipsec_io.c - WindNet IPsec I/O Code */

/* 
 * Copyright (c) 2000-2006 Wind River Systems, Inc. 
 * 
 * The right to copy, distribute, modify or otherwise make use 
 * of this software may be licensed only pursuant to the terms 
 * of an applicable Wind River license agreement. 
 */

/* Copyright (c) 2002-2003 teamF1, Inc. */
/*
modification history
--------------------
05i,14mar06,djp  Added initialization of return_value in ipsecApplyPolicy()
05h,23sep05,jfb  Fixed TSR 457668.  Semaphores (ipsec_global_class.mutex  and 
                 splimp/slpx) taken in inconsistent order.
05g,14sep05,djp  Removed extern declarations for ip_input and ip_output
05f,11apr05,djp  Fixed include paths
05e,01apr05,rlm  Added #ifdef around v6 code to fix v4-only compile in
                 ipsecProcessTunnelmBlk()
05d,30mar05,rlm  Renamed ipsecRestoreTunnelmBlk() to ipsecProcessTunnelmBlk()
05c,30mar05,rlm  Fix for SPR 106493 (TTL incorrect after tunnel decapsulation)
05b,22mar05,djp  Fixed SADB/splimp mutex deadlock
05a,16dec04,djp  Added code to reduce chance of tNetTask ring buffer
                 overflow.
04z,08oct04,rlm  Fix to ipsecReinsert(): ip_output() hook is now passed NULL
                 for cached route (arg 3). NOTE that previous versions of this
                 file had an erroneous comment describing this fix (it wasn't
                 checked in due to the stack not handling a NULL argument at
                 the time).
04y,28sep04,msa  Added checks after calls to routines that returned values
                 in ipsecApplyPolicy and ipsecRestoremBlk.
04x,23sep04,ps   fix for Coverity bug 239 (null ptr issue)
04w,10sep04,rlm  Minor fixes to #include stmts for compile errors with
                 -DINCLUDE_IPFW_HOOKS -DVIRTUAL_STACK
04v,25aug04,cdw  Change to use protection suite manager mutex when required
04u,23aug04,rlm  Fixed potential NULL dereference in
                 ipsec_get_attached_network_interface()
04t,30jul04,rlm  Fixes to virtual stack variable names to match new unified
                 network stack
04s,01jun04,swc  added ipsec counters
04r,21aug03,rep removed ROUTER_STACK check, replaced with STACK_NAME_V4 check
04r,14aug03,rlm wrapped clearing of mbuf *pp_memory_buffer in
            ipsecReInsert() to only occur for Clarinet-based stacks
04q,12jun03,rep added support for STACK_NAME
04r,30Jun03,rks(teamf1) BugFix:moved mode check down in ipsecProcessSecurePacket
                        spdGetPolicyTraf sets the mode only when,
                        policy indicator is APPLY.
04q,12jun03,rep added support for STACK_NAME
04p,05jun03,mad(teamf1) added ifdef for IPV4_DUAL_STACK
04o,03Jun03,rks(teamf1) added check to bypass PMTU packets. moved up IPv6 ICMP 
                        message checking code in ipsecApplyPolicy  and removed same
                        check from ipsecInProcessPlainTextPacket.
04n,29May03,rks(teamf1) setting *pp_memory_buffer to NULL after
                        calling ip(6)_output in ipsecReinsert. Added check
                        for return_value before modifying mbuf in ipsecOutput.
04m,08may03,sam(teamf1) added code to avoid recursion if bypass policy is not 
                        added for ah and esp.
04l,24apr03,sam(teamf1) renamed icmp pmtu functions as part of code cleanup.
04k,23apr03,mad(teamf1) moved the routines ipsecInputIPv6(), ipsecOutputIPv6()
            and ipsecForwardIPv6() to a separate file ipsec_ipv6_io.c
04j,23Apr03,mhb(teamf1) incorporated code review comments + removed 
            extern declarations os inetdomain, ip_forward, icmp6_error
            as they are no more used.
04i,21Apr03,sam(teamf1) added code to send back pmtu message in 
            ipsecApplyPolicy(SPR #86677).    
04h,21Apr03,rks(teamf1) added code to return EMSGSIZE from ip_output to caller
    routine.
04g,19Apr03,mhb(teamf1) added case for ROUTER_STACK_11 in ipsecTunnelEndDriver
04f,19Apr03,sam(teamf1) added call to icmp6_error(SPR #86677).  
04e,14Apr03,sam(teamf1) changes for PMTU support(SPR #86677).
04d,14Feb03,rks(teamf1) changes for supporting iterated tunnel  
    (case 4 of RFC 2401 Section 4.5: Combination of Secuturity Association ).
04c,24feb03,mad (teamf1)   replaced free with table_free in the functions
                             ipsecSecure() and ipsecReinsert().
04b,17Feb03,rks(teamf1) now we call ip(6)_output instead of ip(6)_forward
             after adding tunnel header because ip(6)_forward
                         generates icmp_redirect message.
04a,31Jan03,rks(teamf1) changes for merging ipsecFilterHook with ipsecInput.
            renamed ipsecFilterHook as ipsecFilterHookProcessing.
03m,31Dec02,rks(teamf1) taking splnet before taking ipsec mutex to avoid
             deadlock. (it happens when __IPSEC_QUEUING__ is
                         enabled)
03l,29Dec02,rks(teamf1) changes for doing NTOHS/HTONS on ip_id in case of
             non-clarinet stack.
03k,28Dec02,rks(teamf1) changes for supporting IPv6 when IPSEC_QUEUING enabled
03j,26Dec02,rks(teamf1) replaced m_free with WRN_M_FREEM.
03i,25nov02,mhb(teamf1) added checks to drop packets which have AH/ESP as
             next header even after returning from ipsecApplyPolicy 
03g,25nov02,mhb(teamf1) added source address as argument to the function
             ipsecFindNetworkInterfaceBasedOnIfnet,
                         so that the right p_ipsec_network_interface is
                         returned.
03f,15nov02,mhb(teamf1) moved checks for IN6_IS_SCOPE_LINKLOCAL from clarinet
                         code inside IPSEC hooks
03e,11nov02,mhb(teamf1) added ipsecIsIcmp6Message check, so that icmp6
             solicitation and advertisement messages are always
                         sent.
03d,20Oct02,rks(teamf1) fixed a bug. NTOHL was being called on ip_id instead
             on ip_off before calling ip_forward.
03c,08oct02,sam(teamf1) put IPv6 code in #ifdef __IPV6_STACK__
03b,30Sep02,rks(temaf1) support for veloce added in ipsecTunnelEndDriver
03a,20Sep02,rks(teamf1) Modification for IPv6. Added IPsec Hooks for V6
02b,19mar02,rtp   replaced use of structure IP_MESSAGE by IP_VI_MESSAGE and 
                  structure NETWORK_TRAFFIC_INFO by VI_NETWORK_TRAFFIC_INFO in 
                  func definitions. 
01b,27jun01,tkp   Using/checking policy handle
01a,01dec00,aos   Add ipsecFilterHook, ipsec_protect_packet, 
                  ipsec_apply_security_processing, 
                  ipsec_is_network_interface_attached and 
                  ipsecCreateTrafficInfo routines. In addition, general code
                  clean-up to ipsecInput and ipsecOutput and deleted 
                  ipsecForward, and ipsecOutputProcessing routines.
*/
/******************************************************************************/

#include <stdio.h>
#include <stdarg.h>
#include <time.h>

#include <vxWorks.h>

#if defined (__IPSEC_QUEUING__)
#if defined (__IPSEC_PROTOSW__)
#include <net/domain.h>
#include <net/protosw.h>
#endif /*__IPSEC_PROTOSW__*/
#endif /*__IPSEC_QUEUING__*/
#if (_WRS_VXWORKS_MAJOR < 6)
#include <osdep.h>        /* Core IP headers */
#include <machdep.h>
#endif

#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif
#include <net/if.h>
#include <net/if_var.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h> /* to get IP_FORWARDING definition */

#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif
#include <netLib.h>

#include "ipsecP.h"
#include "../spd/spd_if.h"

#include "ipsec_class.h"
#include "ipsec_globals.h"
#include "ipsec_network_interface.h"
#include "ipsec_print_routines.h"
#include "ipsec_spd.h"
#include "ipsec_icmp_pmtu.h"

#include <wrn/ipsec/ipsecLogger.h>
#include "ipsec_logger_util.h"
#include "ipsec_stats.h"

#include "../common/wrSecTrace.h"

#include <wrn/ipsec/ipsecStats.h>

#ifdef INCLUDE_COUNTERS_PROTECTION_SUITES

extern void protection_suite_manager_mutex_give ();
#endif

#if defined (VIRTUAL_STACK)
#include <netinet/vsLib.h>
#include <netinet/vsData.h> /* for vsTbl[] */
/* required if INCLUDE_IPFW_HOOKS defined */
#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif
#include <netinet/vsIp.h> /* for IPSEC_INPUT_FUNCPTR, IPSEC_OUTPUT_FUNCPTR definitions */

#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif
#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)
#include <netinet6/in6_var.h>
#include <vs/vsIp6.h>
#include "ipsec_ipv6_utilities.h"
#endif /* STACK_NAME_V4_V6 && defined (INET6) */
#else
#if STACK_NAME == STACK_NAME_V4_V6
#include <netinet/ip4_ext_in.h>  /* for IPSEC_INPUT_FUNCPTR definition */
#include <netinet/ip4_ext_out.h> /* for IPSEC_OUTPUT_FUNCPTR definition */
#endif
#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)
#include <netinet6/ip6_var.h>
#include <netinet6/ip6_ext_in.h>  /* for INPUT_HOOK_IPV6_FUNCPTR definition */
#include <netinet6/ip6_ext_out.h> /* for IPSEC_OUTPUT_IPV6_FUNCPTR definition */

#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif
#include <netinet6/icmp6.h>
#include "ipsec_ipv6_utilities.h"
#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif
#endif
#endif /* defined (VIRTUAL_STACK) */

#if defined (__IPSEC_QUEUING__)
#if defined (__IPSEC_PROTOSW__)
extern u_char ip_protox[IPPROTO_MAX];
#if STACK_NAME == STACK_NAME_V4_V6
extern struct ipprotosw inetsw [];
#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)
extern struct ip6protosw inet6sw [];
extern struct domain inet6domain;
extern u_char ip6_protox[IPPROTO_MAX];
#endif /* #if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6) */
#else  /* __IPV6_STACK__ || __IPV4_DUAL_STACK__ */
extern struct protosw inetsw [];
#endif /* __IPV6_STACK__ || __IPV4_DUAL_STACK_*/
#endif /*__IPSEC_PROTOSW__*/
#endif /*__IPSEC_QUEUING__*/
/* The following prevents the IPsec Tunnel END Driver from overflowing the
 * Network Stack Job queue. 
 * IPSEC_NET_JOB_MAX must be set to a value lower than NET_JOB_NUM_CFG 
 * (a configurable parameter under 
 * Network Component -> Network Private Components)
 * 
 * ipsecNetJobPacketsDropped tracks the number of packets dropped by IPsec due
 * to an overflow in the job queue. ipsecNetJobAvailable specifies the current 
 * number of jobs that can be put on the queue by IPsec. This number is set via
 * the ipsecNetJobMaxSet() API and retrievable via ipsecNetJobMaxGet().
 * IPSEC_NET_JOB_MAX
 */
LOCAL int ipsecNetJobPacketsDropped = 0;
LOCAL int ipsecNetJobMax            = 0;
LOCAL int ipsecNetJobAvailable      = 0;

IPSEC_NETWORK_INTERFACE *ipsecFindNetworkInterfaceBasedOnIfnet
    (
    struct ifnet *sptr_ifnet,
    WRSEC_INET_FAMILY family
    );


LOCAL int ipsecApplyPolicy
    (
    TRAFFIC_DIRECTION direction,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info,
	SECURITY_POLICY *sptr_policy,
    SA_BUNDLE *pSABundle,
    NET_IF *net_interface,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    int flags
    );

LOCAL BOOL ipsecRestoremBlk
    (
    struct mbuf ** m,
    int hlen,
    struct ip ** ip,
    IP_VI_MESSAGE *p_ip_message
    );

LOCAL BOOL ipSerializeMessageHeader
    (
    struct mbuf ** m0,
    IP_VI_MESSAGE *p_ip_message
    );

LOCAL BOOL ipsecProcessTunnelmBlk
    (
    struct mbuf ** m,
    IP_VI_MESSAGE *p_ip_message,
    TRAFFIC_DIRECTION direction
    );

LOCAL STATUS ipsecInProcessPlainTextPacket
    (
    SECURITY_POLICY *sptr_policy,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info
    );

LOCAL STATUS ipsecTunnelEndDriver
    (
    struct ifnet *ifp,
    struct mbuf *m,
    BOOL wakeup
    );

LOCAL WRSEC_INET_ADDR *getDestAddrFromTrafficInfo
    (
    VI_NETWORK_TRAFFIC_INFO *trafficInfo,
    WRSEC_INET_FAMILY inetFam
    );

LOCAL WRSEC_INET_ADDR *getSrcAddrFromTrafficInfo
    (
    VI_NETWORK_TRAFFIC_INFO *trafficInfo,
    WRSEC_INET_FAMILY inetFam
    );

LOCAL BOOL isSameIP
    (
    WRSEC_INET_ADDR *addr1,
    WRSEC_INET_ADDR *addr2
    );

LOCAL int ipsecProcessInsecurePacket
    (
    TRAFFIC_DIRECTION direction,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info,
	SECURITY_POLICY *sptr_policy,
    SA_BUNDLE *pSABundle,
    NET_IF *net_interface,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    int flags
    );

LOCAL int ipsecProcessSecurePacket
    (
    TRAFFIC_DIRECTION direction,
    VI_NETWORK_TRAFFIC_INFO *p_traffic_info,
	SECURITY_POLICY *sptr_policy,
    SA_BUNDLE *pSABundle,
    NET_IF *net_interface,
    struct mbuf ** pp_memory_buffer,
    struct ip ** pp_ip_header,
    int header_length,
    int flags
    );


IMPORT STATUS spdGetCachedPolicyTraffic
	( 
	TRAFFIC_DIRECTION direction, 										
	VI_NETWORK_TRAFFIC_INFO *p_traffic_info, 
	SECURITY_POLICY **sptr_policy,
	SA_BUNDLE **pSABundle
	);


/******************************************************************************
* ipsecGetNetIf - Get interface that belongs to IP packets
* 
* This function searches the ipsec interface containers for the one on which
* we received the packet based on ip address in packet ( source address
* incase of outbound packet, destination address incase of inbound packet )
*