ipsec_tunnel_utilities.c

ipsec PNE 3.3 source code, running at more than vxworks6.x version.

/* ipsec_tunnel_utilities.c - WindNet IPsec and IKE tunnel utilities */

/* 
 * Copyright (c) 2000-2006 Wind River Systems, Inc. 
 * 
 * The right to copy, distribute, modify or otherwise make use 
 * of this software may be licensed only pursuant to the terms 
 * of an applicable Wind River license agreement. 
 */

/*
modification history
--------------------
03m,13jan06,djp  removed rwos dependencies
03l,12jan06,djp  removed rwos dependencies
03k,28nov05,djp  replace WRN_INET with WRSEC_INET
03j,28oct05,rlm  Fix to IP header checksum calculation (SPR#114627)
03i,12apr05,djp  Fixed compiler errors
03h,01apr05,rlm  Removed TTL/hop_limit decrement in tunnel code
03g,10sep04,rlm  Minor fixes to #include stmts for compile errors with
                 -DINCLUDE_IPFW_HOOKS -DVIRTUAL_STACK
03f,30jul04,rlm  Fixes to virtual stack variable names to match new unified
                 network stack
03e,12jun03,rparkhil added support for STACK_NAME
03d,24apr03,mad(teamf1) Modified to guard include file ipsec_ipv6_utilities.h
            under ifdef __IPV6_STACK__
03c,24Apr03,sam(teamf1) code cleanup.
03b,08oct02,sam(teamf1) placed v6 code under __IPV6_STACK__.
03a,31Sep02,rks(teamf1) added DF bit setting in tunnel header based on 
                    configuration on that interface.
02b,25mar02,rpt   removed use of "ipsec_retain_df_bit", by default clear DF bit
                  for tunneled packet. 
02a,19mar02,rpt   replaced IP_MESSAGE* with IP_VI_MESSAGE* in func definitions
01a,19mar02,rpt   extracted from WindNet IPSec 1.1, added modification history
*/
/******************************************************************************/


#include <vxWorks.h>


#if (_WRS_VXWORKS_MAJOR < 6)
#include <osdep.h>     /* Core IP headers */
#include <machdep.h>
#endif

#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif
#include <net/if.h>
#include <net/if_var.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>

#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif

#include "../common/wrSecSerialize.h"
#include "../common/wrSecInetAddr.h"

#include "ipsecP.h"
#include "ipsec_ah_message.h"
#include "ipsec_esp_message.h"
#include "ipsec_class.h"
#include "ipsec_globals.h"
#include "ipsec_tunnel_utilities.h"
#include "ipsec_print_routines.h"
#include "ipsec_network_interface.h"
#include "packetBuf.h"

#if defined (VIRTUAL_STACK)
#include <netinet/vsLib.h>
#include <netinet/vsData.h> /* for vsTbl[] */
/* required if INCLUDE_IPFW_HOOKS defined */
#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif
#include <netinet/vsIp.h> /* for IPSEC_INPUT_FUNCPTR, IPSEC_OUTPUT_FUNCPTR definitions */
#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif
#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)
#include <netinet6/in6_var.h>
#include <vs/vsIp6.h>
#include "ipsec_ipv6_utilities.h"
#endif /* STACK_NAME_V4_V6 && defined (INET6) */
#else
#if STACK_NAME == STACK_NAME_V4_V6
#include <netinet/ip4_ext_in.h>  /* for IPSEC_INPUT_FUNCPTR definition */
#include <netinet/ip4_ext_out.h> /* for IPSEC_OUTPUT_FUNCPTR definition */
#endif
#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)
#include <netinet6/ip6_var.h>
#include <netinet6/ip6_ext_in.h>  /* for INPUT_HOOK_IPV6_FUNCPTR definition */
#include <netinet6/ip6_ext_out.h> /* for IPSEC_OUTPUT_IPV6_FUNCPTR definition */
#include "ipsec_ipv6_utilities.h"
#ifdef _KERNEL
#define _KERNEL_PREDEFINED
#else
#define _KERNEL
#endif
#include <netinet6/icmp6.h>
#ifndef _KERNEL_PREDEFINED
#undef _KERNEL
#else
#undef _KERNEL_PREDEFINED
#endif
#endif
#endif /* defined (VIRTUAL_STACK) */
/******************************************************************************/

/******************************************************************************/
BOOL ipsec_deserialize_tunnel_message
    (
    SA_SPEC *p_spec,
    IP_VI_MESSAGE *p_ip_message
    )
    {
    UCHAR *p_payload;
    UINT version_and_header_length;
    UINT version;
    UINT header_length;
    UINT flags_and_fragment_offset;
    UINT total_length;
    IP_VERSION_NUMBER ip_version;

    PARAMETER_NOT_USED (p_spec);

    p_payload = NULL;

    version_and_header_length = 0;
    version = 0;
    header_length = 0;
    flags_and_fragment_offset = 0;
    total_length = 0;

    p_payload = packetBufDataGet(p_ip_message->pPayload);

    if (p_payload == NULL)
        {
        return (FALSE);
        }

    ip_version = p_ip_message->version;
    if (ip_version == IP_V4)
        {
        /*IPv4 Processing*/
        version_and_header_length = wrSecDeserializeUChar (&p_payload);

        version = (version_and_header_length >> 4);

        header_length = version_and_header_length & 0xf;

        header_length *= IP_WORD_SIZE;

        /*version*/

        /* header length */
        ((IP_V4_MESSAGE *)p_ip_message)->header_length = header_length;

        /*type of service*/
        ((IP_V4_MESSAGE *)p_ip_message)->type_of_service = wrSecDeserializeUChar(&p_payload);

        /*total length */
        ((IP_V4_MESSAGE *)p_ip_message)->total_length = wrSecDeserializeUShort(&p_payload);

        /*identifier*/
        ((IP_V4_MESSAGE *)p_ip_message)->datagram_identifier = wrSecDeserializeUShort(&p_payload);

        /* the first three bits contain the fragmentation flags. 
        * The next 13 bits contain the fragment offset.
        */
        flags_and_fragment_offset = wrSecDeserializeUShort(&p_payload);

        /* skip the flags bits and note that the 
        fragment offset is on 8 byte boundary */
        ((IP_V4_MESSAGE *)p_ip_message)->fragment_offset = (flags_and_fragment_offset & IP_FRAGMENT_OFFSET_MASK);

        /* eliminate the lower 13 bits representing the fragment offset */
        flags_and_fragment_offset >>= 13;

        /* now the lsb is the more fragments flag */
        ((IP_V4_MESSAGE *)p_ip_message)->more_fragment_flag = (flags_and_fragment_offset & 0x1) ? TRUE : FALSE;

        /* eliminate the lower 1 bit representing the more fragments flag. */
        flags_and_fragment_offset >>= 1;

        /* now the lsb is the do not fragment flag */
        ((IP_V4_MESSAGE *)p_ip_message)->dont_fragment_flag = (flags_and_fragment_offset & 0x1) ? TRUE : FALSE;

        /* time to live */
        ((IP_V4_MESSAGE *)p_ip_message)->time_to_live = wrSecDeserializeUChar(&p_payload);

        /* protocol */
        ((IP_V4_MESSAGE *)p_ip_message)->transport_protocol = wrSecDeserializeUChar(&p_payload);

        /*checksum */
        ((IP_V4_MESSAGE *)p_ip_message)->checksum = wrSecDeserializeUShort(&p_payload);

        /* source IP address*/
        wrSecInetAddrDeserialize(&p_payload, 
                                 (WRSEC_INET_ADDR *)&(((IP_V4_MESSAGE *)p_ip_message)->source_address));

        /* destination IP address */
        wrSecInetAddrDeserialize(&p_payload, 
                                 (WRSEC_INET_ADDR *)&(((IP_V4_MESSAGE *)p_ip_message)->destination_address));

        packetBufReduceFront(p_ip_message->pPayload, header_length);

        return (TRUE);
        }

    #if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)
    else if (ip_version == IP_V6)
        {
        IP_V6_MESSAGE *p_ip6_message = (IP_V6_MESSAGE *)p_ip_message;
        UCHAR *ip6Hdr = p_payload;

        /*IPv6 Processing*/

        /* version, traffic class & flow label */
        (p_ip6_message)->flow_label = wrSecDeserializeULong(&p_payload);

        /* payload len */
        (p_ip6_message)->payload_length = wrSecDeserializeUShort(&p_payload);

        /* next header*/
        (p_ip6_message)->next_header = wrSecDeserializeUChar(&p_payload);

        /* store next_header in transport_protocol */
        (p_ip6_message)->transport_protocol = ipsecIpv6GetIpsecOrTransportProtocol (NULL, (struct ip6_hdr *)ip6Hdr);

        p_ip6_message->extn_headers_len = 0;

        p_ip6_message->extn_headers_len = ipsecIpv6ExtnHdrLenGet ((struct ip6_hdr *)ip6Hdr);

        if (p_ip6_message->extn_headers_len)
            {
            p_ip6_message->first_extn_header = (p_ip6_message)->next_header;
            p_ip6_message->next_header = (p_ip6_message)->transport_protocol;
            }

        /* hop limit */
        (p_ip6_message)->hop_limit = wrSecDeserializeUChar(&p_payload);

        /* source IP address*/
        wrSecInetAddrDeserialize(&p_payload, 
                                 (WRSEC_INET_ADDR *)&((p_ip6_message)->source_address));

        /* destination IP address */
        wrSecInetAddrDeserialize(&p_payload,
                                 (WRSEC_INET_ADDR *)&((p_ip6_message)->destination_address));

        p_ip6_message->p_extn_headers = NULL;

        /* Copy Extension Headers */
        if (p_ip6_message->extn_headers_len)
            {
            p_ip6_message->p_extn_headers =
                (UCHAR *)ip6Hdr - packetBufMaxWritableHeaderSizeGet(p_ip_message->pPayload);
            }

        memmove (p_ip6_message->p_extn_headers, p_payload, p_ip6_message->extn_headers_len);

        packetBufReduceFront(p_ip_message->pPayload,
                             MINIMUM_IP_V6_HEADER_LENGTH + p_ip6_message->extn_headers_len);

        return (TRUE);
        }
    #endif /* STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)  */

    else
        {
        ipsec_printf (IPSEC_WARNING_PRINTF, "IPsec: IP Message: INVALID_VERSION\n");
        return (FALSE);
        }
    }

/******************************************************************************/
BOOL ipsec_serialize_tunnel_message
    (
    SA_SPEC *p_spec,
    IP_VI_MESSAGE *p_ip_message
    )
    {
    IP_VERSION_NUMBER ip_version;

    ip_version = p_ip_message->version;
    if (ip_version == IP_V4)
        {
        /*IPv4 Processing*/
        /*
        ** version - construct
        ** =====================
        */
        /*IP_VERSION_4;*/

        /* 
        ** header length - construct
        ** =====================
        */
        ((IP_V4_MESSAGE *)p_ip_message)->header_length = IP_PACKET_HEADER_MINIMUM_LENGTH / IP_WORD_SIZE;

        /*
        ** type of service - copied from inner header
        ** =====================
        */
        /* p_ip_message->type_of_service = ; */

        /*
        ** total length
        ** =====================
        */
        ((IP_V4_MESSAGE *)p_ip_message)->total_length
            = packetBufDataSizeGet(p_ip_message->pPayload) + IP_PACKET_HEADER_MINIMUM_LENGTH;

        /*
        ** identification - construct
        ** =====================
        */

        #ifdef VIRTUAL_STACK
        ((IP_V4_MESSAGE *)p_ip_message)->datagram_identifier = _ip_id++;
        #else
        ((IP_V4_MESSAGE *)p_ip_message)->datagram_identifier = _ip_id++;
        #endif

        /* MF = 0, no more fragments to follow*/

        ((IP_V4_MESSAGE *)p_ip_message)->dont_fragment_flag = 0;
        ((IP_V4_MESSAGE *)p_ip_message)->more_fragment_flag = 0;

        ((IP_V4_MESSAGE *)p_ip_message)->fragment_offset = 0;

        /*
        ** time to live - constructed
        ** =====================
        */
        ((IP_V4_MESSAGE *)p_ip_message)->time_to_live = 64;

        /*
        ** protocol -  AH, ESP, routing hdr
        ** =====================
        */
        ((IP_V4_MESSAGE *)p_ip_message)->transport_protocol = TRANSPORT_PORTO_IP_IN_IP_IPV4;

        /*
        ** checksum - construct 
        ** =====================
        */
        ((IP_V4_MESSAGE *)p_ip_message)->checksum = 0;

        /*
        ** source IP Address - Tunnel endpoint
        ** =====================
        */
        WRSEC_INET4_ASSIGN_B_TO_A (
            (&((IP_V4_MESSAGE *)p_ip_message)->source_address),
            ((WRSEC_INET4_ADDR *) (((OUTBOUND_TUNNEL_SA_SPEC *)p_spec)->p_src_address)));

        /*
        ** destination IP Address - Tunnel endpoint