Newer
Older
/*
* @author STF 276
* @version $Id$
* @desc This module specifies functions definitions
* based on the IPv6 meta message type.
*
*/
module LibIpv6_Interface_Functions {
//LibCommon
import from LibCommon_BasicTypesAndValues all;
import from LibCommon_DataStrings all;
import from LibCommon_VerdictControl { type FncRetCode };
//LibIpv6
import from LibIpv6_Interface_TypesAndValues all;
import from LibIpv6_Interface_Templates all;
import from LibIpv6_ModuleParameters all;
import from LibIpv6_ExternalFunctions all;
import from LibIpv6_CommonRfcs_Functions all;
import from LibIpv6_CommonRfcs_TypesAndValues all;
import from LibIpv6_Rfc4306Ikev2_TypesAndValues all;
group rfc2460Root_Functions {
group ipv6Packets {
/*
* @desc This sends a General IPv6 packet
* from an IPv6 node to any NUT.
* A General IPv6 packet is used in the case where only Extension headers
* need to be sent.
* @remark Time limit is defined by module parameter PX_TAC (see comp type)
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendGeneralIpv6(template Ipv6Packet p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var Ipv6Packet v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendGeneralIpv6: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendGeneralIpv6
group extHdrFns {
/*
* @desc This goes through the extension header list and calculates length, checksum
* and other specific functions of the different extension headers
* @param p_srcAddr Source Address of IPv6 packet
* @param p_dstAddr Dst Address of IPv6 packet
* @param p_extHdrList Extension Header List
* @return execution status
*/
function f_setExtensionHeaders( inout Ipv6Packet p_ipv6Packet,
var Ipv6Address v_homeAddress := c_16ZeroBytes;
var UInt8 v_nrOfTunnelHdr := 0;
var Ipv6Address v_pseudoSrcAddr := c_16ZeroBytes;
var Ipv6Address v_pseudoDstAddr := c_16ZeroBytes;
var Ipv6Packet v_pseudoIpv6Packet;
var Ipv6Packet v_activeIpv6Packet := p_ipv6Packet;
v_pseudoDstAddr := v_activeIpv6Packet.ipv6Hdr.destinationAddress;
v_pseudoSrcAddr := v_activeIpv6Packet.ipv6Hdr.sourceAddress;
if (v_activeIpv6Packet.ipv6Hdr.payloadLength == c_uInt16Zero ) {
v_activeIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (v_activeIpv6Packet);
}
if (ispresent(v_activeIpv6Packet.extHdrList)) {
for (i:=0; i<sizeof(v_activeIpv6Packet.extHdrList) and v_loop ;i:=i+1) {
// Process Home Address Destination Option, non-recursive
if (ischosen(v_activeIpv6Packet.extHdrList[i].destinationOptionHeader)) {
for (j:=0; j<sizeof(v_activeIpv6Packet.extHdrList[i].destinationOptionHeader.destOptionList);j:=j+1) {
if (ischosen(v_activeIpv6Packet.extHdrList[i].destinationOptionHeader.destOptionList[j].homeAddressOption)) {
v_pseudoSrcAddr := v_activeIpv6Packet.extHdrList[i].destinationOptionHeader.destOptionList[j].homeAddressOption.homeAddress;
}
}
// Proccess Routing Header Type 2, non-recursive
else if (ischosen(v_activeIpv6Packet.extHdrList[i].routingHeader) and (v_activeIpv6Packet.extHdrList[i].routingHeader.routingType == c_routeHdrType2)) {
if (ischosen(v_activeIpv6Packet.extHdrList[i].routingHeader.routingHeaderData.rtHdrDataHomeAddress)) {
v_pseudoDstAddr := v_activeIpv6Packet.extHdrList[i].routingHeader.routingHeaderData.rtHdrDataHomeAddress;
}
// Process Mobile Header, non-recursive
else if (ischosen(v_activeIpv6Packet.extHdrList[i].mobileHeader)) {
v_ret := f_setMobileHeader( v_activeIpv6Packet.ipv6Hdr.sourceAddress,
v_activeIpv6Packet.ipv6Hdr.destinationAddress,
v_pseudoSrcAddr,
v_pseudoDstAddr,
v_activeIpv6Packet.extHdrList[i].mobileHeader);
// update packet payloadLen
v_activeIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (v_activeIpv6Packet);
// Process Tunneled Header, recursive
else if (ischosen(v_activeIpv6Packet.extHdrList[i].tunneledIpv6)) {
v_nrOfTunnelHdr := v_nrOfTunnelHdr + 1;
//Build original packet
v_pseudoIpv6Packet.ipv6Hdr := v_activeIpv6Packet.extHdrList[i].tunneledIpv6;
for (j:=0; (i+j+1)<sizeof(v_activeIpv6Packet.extHdrList) ;j:=j+1) {
v_pseudoIpv6Packet.extHdrList[j] := v_activeIpv6Packet.extHdrList[i+1];
}
if (ispresent(v_activeIpv6Packet.ipv6Payload)) {
v_pseudoIpv6Packet.ipv6Payload := v_activeIpv6Packet.ipv6Payload;
v_pseudoIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (v_pseudoIpv6Packet);
// recursive call, original packet can still contain other headers
f_setExtensionHeaders( v_pseudoIpv6Packet,
v_pseudoIpv6Packet.ipv6Hdr.sourceAddress,
v_pseudoIpv6Packet.ipv6Hdr.destinationAddress);
v_pseudoIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (v_pseudoIpv6Packet);
v_activeIpv6Packet.extHdrList[i].tunneledIpv6.payloadLength := v_pseudoIpv6Packet.ipv6Hdr.payloadLength;
if (ispresent(v_pseudoIpv6Packet.extHdrList)) {
for (j:=0; j<sizeof(v_pseudoIpv6Packet.extHdrList) ;j:=j+1) {
v_activeIpv6Packet.extHdrList[i+1] := v_pseudoIpv6Packet.extHdrList[j];
if (ispresent(v_pseudoIpv6Packet.ipv6Payload)) {
v_activeIpv6Packet.ipv6Payload := v_pseudoIpv6Packet.ipv6Payload;
//Process ESP Header, recursive
else if (ischosen(v_activeIpv6Packet.extHdrList[i].espHeader)) {
if (vc_sad[c_saOut].espEncryptionAlgo == e_null) {
v_activeIpv6Packet.extHdrList[i].espHeader.espPayload.iv := omit;
}
else {
v_activeIpv6Packet.extHdrList[i].espHeader.espPayload.iv := int2oct(128, f_getEncryptionIvLen(PX_ENCRYPTION_ALGO));
//Update the original packet
v_activeIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (v_activeIpv6Packet);
v_ret := f_getOriginalIpv6Packet(
v_activeIpv6Packet,
v_activeIpv6Packet.extHdrList[i].espHeader,
v_pseudoIpv6Packet);
v_pseudoIpv6Packet.ipv6Hdr.destinationAddress := v_pseudoDstAddr;
v_pseudoIpv6Packet.ipv6Hdr.sourceAddress := v_pseudoSrcAddr;
f_setExtensionHeaders( v_pseudoIpv6Packet,
v_pseudoIpv6Packet.ipv6Hdr.sourceAddress,
v_pseudoIpv6Packet.ipv6Hdr.destinationAddress);
// include recursion results
if (ispresent(v_pseudoIpv6Packet.extHdrList)) {
v_activeIpv6Packet.extHdrList[i].espHeader.espPayload.espIpDatagram.extHdrList := v_pseudoIpv6Packet.extHdrList
if (ispresent(v_pseudoIpv6Packet.ipv6Payload)) {
v_activeIpv6Packet.extHdrList[i].espHeader.espPayload.espIpDatagram.ipv6Payload := v_pseudoIpv6Packet.ipv6Payload;
// all extension headers have been processed
// Is there still a payload to be processed and which has not been already processed in a recursive call?
if (v_loop==true and ispresent(v_activeIpv6Packet.ipv6Payload)) {
v_ret := f_calcIpv6PayloadChecksum(v_pseudoSrcAddr, v_pseudoDstAddr, v_activeIpv6Packet.ipv6Payload);
v_ret := f_setAuthHeader (v_activeIpv6Packet);
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
/*
* @desc This goes through the extension header list and looks for
* Authentication Header to compute ICV.
* Only 1 Authentication Header is processed
* @param p_srcAddr Source Address of IPv6 packet
* @param p_dstAddr Dst Address of IPv6 packet
* @param p_extHdrList Extension Header List
* @return execution status
*/
function f_setAuthHeader( inout Ipv6Packet p_ipv6Packet)
runs on LibIpv6Node
return FncRetCode {
var FncRetCode v_ret := e_success;
var UInt8 i, j;
var boolean v_loop := true;
var Ipv6Packet v_pseudoIpv6Packet;
var Ipv6Packet v_activeIpv6Packet := p_ipv6Packet;
if (ispresent(v_activeIpv6Packet.extHdrList)) {
for (i:=0; i<sizeof(v_activeIpv6Packet.extHdrList) and v_loop ;i:=i+1) {
// Process Home Address Destination Option, predictable field
if (ischosen(v_activeIpv6Packet.extHdrList[i].destinationOptionHeader)) {
for (j:=0; j<sizeof(v_activeIpv6Packet.extHdrList[i].destinationOptionHeader.destOptionList);j:=j+1) {
if (ischosen(v_activeIpv6Packet.extHdrList[i].destinationOptionHeader.destOptionList[j].homeAddressOption)) {
//TODO
}
}
}
// Proccess Routing Header Type 2, predictable field
else if (ischosen(v_activeIpv6Packet.extHdrList[i].routingHeader) and (v_activeIpv6Packet.extHdrList[i].routingHeader.routingType == c_routeHdrType2)) {
if (ischosen(v_activeIpv6Packet.extHdrList[i].routingHeader.routingHeaderData.rtHdrDataHomeAddress)) {
//TODO
}
}
// Process Tunneled Header, recursive
else if (ischosen(v_activeIpv6Packet.extHdrList[i].tunneledIpv6)) {
//Build original packet
v_pseudoIpv6Packet.ipv6Hdr := v_activeIpv6Packet.extHdrList[i].tunneledIpv6;
for (j:=0; (i+j+1)<sizeof(v_activeIpv6Packet.extHdrList) ;j:=j+1) {
v_pseudoIpv6Packet.extHdrList[j] := v_activeIpv6Packet.extHdrList[i+1];
}
if (ispresent(v_activeIpv6Packet.ipv6Payload)) {
v_pseudoIpv6Packet.ipv6Payload := v_activeIpv6Packet.ipv6Payload;
}
// recursive call, original packet can still contain Auth header
f_setAuthHeader( v_pseudoIpv6Packet );
v_loop := false;
}
// Process Authentication Header Header
else if (ischosen(v_activeIpv6Packet.extHdrList[i].authHeader)) {
p_ipv6Packet.extHdrList[i].authHeader.icv := omit;
}
else {
p_ipv6Packet.extHdrList[i].authHeader.icv := int2oct(0, vc_sad[c_saOut].icvLen);
}
p_ipv6Packet.extHdrList[i].authHeader.icvPadding := omit;
}
else {
p_ipv6Packet.extHdrList[i].authHeader.icvPadding := int2oct(0, vc_sad[c_saOut].icvPadLen);
}
// Update AuthHeader payloadLen
p_ipv6Packet.extHdrList[i].authHeader.payloadLen := (12 + vc_sad[c_saOut].icvLen + vc_sad[c_saOut].icvPadLen) / 4 - 2;
//Update IPv6 payload based on the calculated ICV + padding
p_ipv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (p_ipv6Packet);
v_activeIpv6Packet := p_ipv6Packet;
//zero mutable fields
v_activeIpv6Packet.ipv6Hdr.flowLabel := 0;
v_activeIpv6Packet.ipv6Hdr.hopLimit := 0;
if (vc_sad[c_saOut].icvLen != 0) {
p_ipv6Packet.extHdrList[i].authHeader.icv := fx_mac( vc_sad[c_saOut].ahIntegrityAlgo , vc_sad[c_saOut].ahIntegrityKey, fx_encodeMessage(v_activeIpv6Packet));
v_loop := false;
}
}//end for
}
return v_ret;
}//end f_setAuthHeader
function f_calcIpv6PayloadChecksum( in template Ipv6Address p_srcAddr,
in template Ipv6Address p_dstAddr,
if(ischosen(p_ipv6Payload.echoReplyMsg)) {
if(p_ipv6Payload.echoReplyMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.echoReplyMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.echoRequestMsg)) {
if(p_ipv6Payload.echoRequestMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.echoRequestMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.nbrAdvMsg)) {
if(p_ipv6Payload.nbrAdvMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.nbrAdvMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.nbrSolMsg)) {
if(p_ipv6Payload.nbrSolMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.nbrSolMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.routerAdvMsg)) {
if(p_ipv6Payload.routerAdvMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.routerAdvMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.routerSolMsg)) {
if(p_ipv6Payload.routerSolMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.routerSolMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.redirectMsg)) {
if(p_ipv6Payload.redirectMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.redirectMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.parameterProblemMsg)) {
if(p_ipv6Payload.parameterProblemMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.parameterProblemMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.timeExceededMsg)) {
if(p_ipv6Payload.timeExceededMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.timeExceededMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.packetTooBigMsg)) {
if(p_ipv6Payload.packetTooBigMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.packetTooBigMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.destinationUnreachableMsg)) {
if(p_ipv6Payload.destinationUnreachableMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.destinationUnreachableMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.mobileRouterAdvMsg)) {
if(p_ipv6Payload.mobileRouterAdvMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.mobileRouterAdvMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.homeAgentAddrDiscRequestMsg)) {
if(p_ipv6Payload.homeAgentAddrDiscRequestMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.homeAgentAddrDiscRequestMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.homeAgentAddrDiscReplyMsg)) {
if(p_ipv6Payload.homeAgentAddrDiscReplyMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.homeAgentAddrDiscReplyMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.mobilePrefixSolMsg)) {
if(p_ipv6Payload.mobilePrefixSolMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.mobilePrefixSolMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.mobilePrefixAdvMsg)) {
if(p_ipv6Payload.mobilePrefixAdvMsg.checksum == c_2ZeroBytes) {
p_ipv6Payload.mobilePrefixAdvMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.otherIcmpv6Msg)) {
if(p_ipv6Payload.otherIcmpv6Msg.checksum == c_2ZeroBytes) {
p_ipv6Payload.otherIcmpv6Msg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
else if(ischosen(p_ipv6Payload.ikeMsg)) {
if(p_ipv6Payload.ikeMsg.checksum == c_2ZeroBytes) {
//calc checksum
p_ipv6Payload.ikeMsg.checksum := fx_calcPayloadChecksum (p_srcAddr, p_dstAddr, p_ipv6Payload);
}
if(p_ipv6Payload.ikeMsg.msgLength == 0) {
//calc payloadLen of UDP msg
//smu 2007 check that calc is correct
p_ipv6Payload.ikeMsg.msgLength := lengthof(fx_ipv6PayloadToOct(p_ipv6Payload));
}
}
return e_success;
}//end f_calcIpv6PayloadChecksum
} //end group ipv6Packets
}//end group rfc2460Root_Functions
group rfc3775Mipv6_ExtHdrFunctions {
/*
* @desc This goes through the Mip header and calculates length, checksum
* and other specific functions of the different messages.
* This function is used when sending messages.
* @param p_msg ExtensionHeaderList to be treated
* @return execution status
*/
function f_setMobileHeader( in Ipv6Address p_srcAddr,
in Ipv6Address p_dstAddr,
in Ipv6Address p_pseudoSrcAddr,
in Ipv6Address p_pseudoDstAddr,
inout MobileHeader p_mobileHeader)
runs on LibIpv6Node
return FncRetCode {
tepelmann
committed
var MobileHeader v_mobileHeader := valueof(p_mobileHeader);
var Ipv6Address v_homeAddress := c_16ZeroBytes ;
tepelmann
committed
//if (ischosen(p_mobileHeader.mobileMessage.homeTestInit)) {
tepelmann
committed
//p_mobileHeader.mobileMessage.homeTestInit.homeInitCookie := f_createInitCookie();
tepelmann
committed
//else if (ischosen(p_mobileHeader.mobileMessage.homeTest)) {//CNSimu sends this message
tepelmann
committed
//else if (ischosen(p_mobileHeader.mobileMessage.careOfTestInit) and (PX_TEST_IPSEC == true)) {
tepelmann
committed
//else if (ischosen(p_mobileHeader.mobileMessage.careOfTest) and (PX_TEST_IPSEC == true)) {
tepelmann
committed
if (ischosen(p_mobileHeader.mobileMessage.bindingUpdateMsg)) {//Authorization data is only needed for BU sent to CN=IUT
var UInt8 v_position := 0;
//Concept of including bindingAuthentication
// specifiy on template level all options
tepelmann
committed
// 1) if authenticator == c_20ZeroBytes then value is calculated in f_setMobileHeader
// 2) if authenticator != c_20ZeroBytes then no value is calculated in f_setMobileHeader,
// because it's assumed that the correct value was set on template level
// 3) same applies to nonceIndex etc
if (f_isPresentNonceIndicesInBU(p_mobileHeader.mobileMessage.bindingUpdateMsg, v_position) == e_success) {
// Fill Home Nonce Index only when set to c_uInt16Zero
if (p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileOptNonceIndices.homeNonceIndex == c_uInt16Zero ) {
if(vc_mobileSec.mnSimuParams.receivedHomeNonceIndex != c_uInt16Zero) {
p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileOptNonceIndices.homeNonceIndex
:= vc_mobileSec.mnSimuParams.receivedHomeNonceIndex;
}
else {
log("f_setMobileHeader: Info: NonceIndices included in Binding Update, but mnSimuParams.receivedHomeNonceIndex not initialized");
}
}
// Fill Care-Of Nonce Index only when set to c_uInt16Zero
if (p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileOptNonceIndices.careOfNonceIndex == c_uInt16Zero) {
if(vc_mobileSec.mnSimuParams.receivedCareOfNonceIndex != c_uInt16Zero) {
p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileOptNonceIndices.careOfNonceIndex
:= vc_mobileSec.mnSimuParams.receivedCareOfNonceIndex;
}
else {
log("f_setMobileHeader: Info: NonceIndices included in Binding Update, but mnSimuParams.receivedCareOfNonceIndex not initialized");
if (f_isPresentBindingAuthorizationDataOptionInBU(p_mobileHeader.mobileMessage.bindingUpdateMsg, v_position) == e_success) {
tepelmann
committed
if(vc_mobileSec.mnSimuParams.receivedHomeKeygenToken != c_64ZeroBits
and vc_mobileSec.mnSimuParams.receivedCareOfKeygenToken != c_64ZeroBits) {
// kbm is different if BU is sent for de-registration
if (p_mobileHeader.mobileMessage.bindingUpdateMsg.lifeTime != 0) {
vc_mobileSec.mnSimuParams.kbm := fx_mac( e_sha1, c_1ZeroByte,
bit2oct(vc_mobileSec.mnSimuParams.receivedHomeKeygenToken)
& bit2oct(vc_mobileSec.mnSimuParams.receivedCareOfKeygenToken));
}
else {
vc_mobileSec.mnSimuParams.kbm := fx_mac( e_sha1, c_1ZeroByte,
bit2oct(vc_mobileSec.mnSimuParams.receivedHomeKeygenToken));
}
//set Authenticator option with dummy Authenticator
tepelmann
committed
p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileBindingAuthorizationData := {
mobileOptType := 5,
mobileOptLen := 12,
authenticator := c_12ZeroBytes}
//calculate the mipHeaderLength over the dummy Authenticator
//modified by AMB to easily send packets with wrong mobileHdrLen
//calc mobileHeaderLen
if (p_mobileHeader.headerLen == c_uInt8Zero ) {
p_mobileHeader.headerLen := fx_mipHeaderLength(p_mobileHeader) ;
}
//set Authenticator to omit in order to calc the authenticator
tepelmann
committed
p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileBindingAuthorizationData.authenticator := omit;
p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileBindingAuthorizationData.authenticator
tepelmann
committed
:= fx_mac( e_hmac_sha1_96, vc_mobileSec.mnSimuParams.kbm,
tepelmann
committed
& fx_mipHdrToOct(p_mobileHeader) );
tepelmann
committed
log("f_setMobileHeader: Error: BindingAuthorizationDataOption included in Binding Update, but receivedHomeKeygenToken/receivedCareOfKeygenToken not initialized");
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
else if (ischosen(p_mobileHeader.mobileMessage.bindingAckMsg)) {
var UInt8 v_position := 0;
//Concept of including bindingAuthentication
// specifiy on template level all options
// 1) if authenticator == c_20ZeroBytes then value is calculated in f_setMobileHeader
// 2) if authenticator != c_20ZeroBytes then no value is calculated in f_setMobileHeader,
// because it's assumed that the correct value was set on template level
// 3) same applies to nonceIndex etc
// Process Nonce Indices
if (f_isPresentNonceIndicesInBA(p_mobileHeader.mobileMessage.bindingAckMsg, v_position) == e_success) {
// Fill Home Nonce Index only when set to c_uInt16Zero
if (p_mobileHeader.mobileMessage.bindingAckMsg.mobileOptions[v_position].mobileOptNonceIndices.homeNonceIndex == c_uInt16Zero ) {
if(vc_mobileSec.cnSimuParams.nonceIndex != c_uInt16Zero) {
p_mobileHeader.mobileMessage.bindingAckMsg.mobileOptions[v_position].mobileOptNonceIndices.homeNonceIndex
:= vc_mobileSec.cnSimuParams.nonceIndex;
}
else {
log("f_setMobileHeader: Info: NonceIndices included in Binding Ack, but cnSimuParams.nonceIndex not initialized");
}
}
// Fill Care-Of Nonce Index only when set to c_uInt16Zero
if (p_mobileHeader.mobileMessage.bindingAckMsg.mobileOptions[v_position].mobileOptNonceIndices.careOfNonceIndex == c_uInt16Zero) {
if(vc_mobileSec.cnSimuParams.nonceIndex != c_uInt16Zero) {
p_mobileHeader.mobileMessage.bindingAckMsg.mobileOptions[v_position].mobileOptNonceIndices.careOfNonceIndex
:= vc_mobileSec.cnSimuParams.nonceIndex;
}
else {
log("f_setMobileHeader: Info: NonceIndices included in Binding Ack, but cnSimuParams.nonceIndex not initialized");
}
}
} // end Process Nonce Indices
if (f_isPresentBindingAuthorizationDataOptionInBA(p_mobileHeader.mobileMessage.bindingAckMsg, v_position) == e_success) {
if(vc_mobileSec.cnSimuParams.homeKeygenToken != c_64ZeroBits
and vc_mobileSec.cnSimuParams.careOfKeygenToken != c_64ZeroBits) {
// kbm is different if BA is sent for de-registration
if (p_mobileHeader.mobileMessage.bindingAckMsg.lifeTime != 0) {
vc_mobileSec.cnSimuParams.kbm := fx_mac( e_sha1, c_1ZeroByte,
bit2oct(vc_mobileSec.cnSimuParams.homeKeygenToken)
& bit2oct(vc_mobileSec.cnSimuParams.careOfKeygenToken));
}
else {
vc_mobileSec.cnSimuParams.kbm := fx_mac( e_sha1, c_1ZeroByte,
bit2oct(vc_mobileSec.cnSimuParams.homeKeygenToken));
}
//set Authenticator option with dummy Authenticator
p_mobileHeader.mobileMessage.bindingAckMsg.mobileOptions[v_position].mobileBindingAuthorizationData := {
mobileOptType := 5,
mobileOptLen := 12,
authenticator := c_12ZeroBytes}
//calculate the mipHeaderLength over the dummy Authenticator
//modified by AMB to easily send packets with wrong mobileHdrLen
//calc mobileHeaderLen
if (p_mobileHeader.headerLen == c_uInt8Zero ) {
p_mobileHeader.headerLen := fx_mipHeaderLength(p_mobileHeader) ;
}
//set Authenticator to omit in order to calc the authenticator
p_mobileHeader.mobileMessage.bindingAckMsg.mobileOptions[v_position].mobileBindingAuthorizationData.authenticator := omit;
// compute authenticator
p_mobileHeader.mobileMessage.bindingAckMsg.mobileOptions[v_position].mobileBindingAuthorizationData.authenticator
:= fx_mac( e_hmac_sha1_96, vc_mobileSec.cnSimuParams.kbm,
p_dstAddr //cnAddr /!\ inverted /!\
& p_srcAddr //careOfaddr /!\ for BA /!\
& fx_mipHdrToOct(p_mobileHeader) );
}
else {
log("f_setMobileHeader: Error: BindingAuthorizationDataOption included in Binding Ack, but HomeKeygenToken/CareOfKeygenToken not initialized");
return e_error;
}
}
}
// calc mobileHeaderLen only when set to c_uInt8Zero
p_mobileHeader.headerLen := fx_mipHeaderLength(p_mobileHeader);
}
// calc mipChecksum only when set to c_2ZeroBytes
p_mobileHeader.checksum := fx_mipHeaderChecksum ( p_pseudoSrcAddr,
p_pseudoDstAddr,
p_mobileHeader);
function f_checkAuthenticator ( in Ipv6Address p_srcAddr,
in Ipv6Address p_dstAddr,
in MobileHeader p_mobileHeader,
in octetstring p_receivedAuthenticator)
runs on LibIpv6Node
return FncRetCode {
var UInt8 v_position := 0;
var octetstring v_computedAuthenticator;
if (f_isPresentBindingAuthorizationDataOptionInBU(p_mobileHeader.mobileMessage.bindingUpdateMsg, v_position) == e_success) {
p_mobileHeader.checksum := c_2ZeroBytes;
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
if (p_mobileHeader.mobileMessage.bindingUpdateMsg.lifeTime != 0) {
vc_mobileSec.cnSimuParams.kbm := fx_mac( e_sha1, c_1ZeroByte,
bit2oct(vc_mobileSec.cnSimuParams.homeKeygenToken)
& bit2oct(vc_mobileSec.cnSimuParams.careOfKeygenToken));
}
else {
vc_mobileSec.cnSimuParams.kbm := fx_mac( e_sha1, c_1ZeroByte,
bit2oct(vc_mobileSec.cnSimuParams.homeKeygenToken));
}
//set Authenticator option with dummy Authenticator
p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileBindingAuthorizationData := {
mobileOptType := 5,
mobileOptLen := 12,
authenticator := c_12ZeroBytes}
//calculate the mipHeaderLength over the dummy Authenticator
p_mobileHeader.headerLen := fx_mipHeaderLength(p_mobileHeader) ;
//set Authenticator to omit in order to calc the authenticator
p_mobileHeader.mobileMessage.bindingUpdateMsg.mobileOptions[v_position].mobileBindingAuthorizationData.authenticator := omit;
v_computedAuthenticator := fx_mac( e_hmac_sha1_96, vc_mobileSec.cnSimuParams.kbm,
p_srcAddr //careOfaddr
& p_dstAddr //cnAddr
& fx_mipHdrToOct(p_mobileHeader) );
if (p_receivedAuthenticator != v_computedAuthenticator) {
return e_error;
}
return e_success;
}
else {
log("f_checkAuthenticator: Error: This packet does not contain any Binding Update");
return e_error;
}
} //end function f_checkAuthenticator
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
/*
* @desc This goes through the BindingAck and
* checks if a NonceIndicesOption is present.
* @param p_bindingUpdate Binding Update to be treated
* @param v_position Position of the NonceIndicesOption in the MobileOptionList
* @return execution status
*/
function f_isPresentNonceIndicesInBA( in BindingAckMsg p_bindingAck,
inout UInt8 v_position)
runs on LibIpv6Node
return FncRetCode {
var FncRetCode v_ret := e_error;
var UInt8 i;
//select ext hdrs that need special calculation
for (i:=0; i<sizeof(p_bindingAck.mobileOptions) and (v_ret != e_success); i:=i+1) {
if (ischosen(p_bindingAck.mobileOptions[i].mobileOptNonceIndices)) {
v_position := i;
v_ret := e_success;
}
}
return v_ret;
}//end function f_isPresentNonceIndicesInBA
/*
* @desc This goes through the BindingAck and
* checks if a AuthorizationDataOption is present.
* @param p_bindingUpdate Binding Update to be treated
* @param v_position Position of the AuthorizationDataOption in the MobileOptionList
* @return execution status
*/
function f_isPresentBindingAuthorizationDataOptionInBA( in BindingAckMsg p_bindingAck,
inout UInt8 v_position)
runs on LibIpv6Node
return FncRetCode {
var FncRetCode v_ret := e_error;
var UInt8 i;
//select ext hdrs that need special calculation
for (i:=0; i<sizeof(p_bindingAck.mobileOptions) and (v_ret != e_success); i:=i+1) {
if (ischosen(p_bindingAck.mobileOptions[i].mobileBindingAuthorizationData)) {
v_position := i;
v_ret := e_success;
}
}
return v_ret;
}//end function f_isPresentBindingAuthorizationDataOptionInBA
/*
* @desc This goes through the BindingUpdate and
* checks if a NonceIndicesOption is present.
* @param p_bindingUpdate Binding Update to be treated
tepelmann
committed
* @param v_position Position of the NonceIndicesOption in the MobileOptionList
function f_isPresentNonceIndicesInBU( in BindingUpdateMsg p_bindingUpdate,
inout UInt8 v_position)
runs on LibIpv6Node
return FncRetCode {
var FncRetCode v_ret := e_error;
var UInt8 i;
//select ext hdrs that need special calculation
tepelmann
committed
for (i:=0; i<sizeof(p_bindingUpdate.mobileOptions) and (v_ret != e_success); i:=i+1) {
if (ischosen(p_bindingUpdate.mobileOptions[i].mobileOptNonceIndices)) {
v_position := i;
v_ret := e_success;
}
}
return v_ret;
}//end function f_isPresentNonceIndicesInBU
/*
* @desc This goes through the BindingUpdate and
* checks if a AuthorizationDataOption is present.
* @param p_bindingUpdate Binding Update to be treated
tepelmann
committed
* @param v_position Position of the AuthorizationDataOption in the MobileOptionList
function f_isPresentBindingAuthorizationDataOptionInBU( in BindingUpdateMsg p_bindingUpdate,
inout UInt8 v_position)
runs on LibIpv6Node
return FncRetCode {
var FncRetCode v_ret := e_error;
var UInt8 i;
//select ext hdrs that need special calculation
tepelmann
committed
for (i:=0; i<sizeof(p_bindingUpdate.mobileOptions) and (v_ret != e_success); i:=i+1) {
if (ischosen(p_bindingUpdate.mobileOptions[i].mobileBindingAuthorizationData)) {
v_position := i;
v_ret := e_success;
}
}
return v_ret;
}//end function f_isPresentBindingAuthorizationDataOptionInBU
/*
* @desc This sends a IPv6 packet with MipExtHdr - Binding Update
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendBU(template BindingUpdate p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var BindingUpdate v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendBU: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendBU
/*
* @desc This sends a IPv6 packet with MipExtHdr - Binding Acknowledgement
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendBA(template BindingAcknowledgement p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var BindingAcknowledgement v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendBA: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendBA
/*
* @desc This sends a IPv6 packet with MipExtHdr - Binding Error
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendBE(template BindingError p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var BindingError v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendBE: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendBE
/*
* @desc This sends a IPv6 packet with MipExtHdr - Binding Refresh Request
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendBR(template BindingRefreshRequest p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var BindingRefreshRequest v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendBR: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendBR
/*
* @desc This sends a IPv6 packet with MipExtHdr - Home Test
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendHot(template HomeTest p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var HomeTest v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendHot: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendHot
/*
* @desc This sends a IPv6 packet with MipExtHdr - Home Test Init
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendHoti(template HomeTestInit p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var HomeTestInit v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendHoti: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendHoti
/*
* @desc This sends a IPv6 packet with MipExtHdr - CareOfTestInit
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendCoti(template CareOfTestInit p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var CareOfTestInit v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendCoti: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendCoti
/*
* @desc This sends a IPv6 packet with MipExtHdr - CareOfTest
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
function f_sendCot(template CareOfTest p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
var CareOfTest v_ipPkt;
v_ipPkt := valueof(p_msg);
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendCoti: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendCot
/*
* @desc This sends a IPv6 packet with MipExtHdr - Fast Nbr Adv
* from an IPv6 node to any NUT.
*
* @remark
* @param p_msg MIPHeader to be sent
* @return execution status
*/
tepelmann
committed
function f_sendFastNbrAdv(template FastNeighborAdvertisement p_msg)
runs on LibIpv6Node
return FncRetCode {
//Variables
tepelmann
committed
var FastNeighborAdvertisement v_ipPkt;
//calc payloadLen
v_ipPkt.ipv6Hdr.payloadLength := fx_payloadLength (v_ipPkt);
//set extensionHeaders
if(f_setExtensionHeaders( v_ipPkt,
v_ipPkt.ipv6Hdr.sourceAddress,
v_ipPkt.ipv6Hdr.destinationAddress) != e_success) {
log(" **** f_sendFastNbrAdv: Error when calculating length of extension headers ****");
return e_error;
}
//send
ipPort.send(v_ipPkt);
return e_success;
}//end f_sendFastNbrAdv
}//end group rfc3775Mipv6_ExtHdrFunctions
group rfc4303Esp_ExtHdrFunctions {
// if( (f_getEncryptionIvLen(PX_ENCRYPTION_ALGO) != 0) and (f_getEncryptionIvLen(PX_ENCRYPTION_ALGO) != lengthof(PX_IV))) {
// v_ret := e_error;
// log("**** fx_setSecurityParameters: ERROR: Incorrect IV length for the selected encryption algorithm ****");
// }
berge
committed
if( f_checkEncryptionKeyLen(PX_ENCRYPTION_ALGO,lengthof(PX_ESP_ENCR_KEY)) != true) {
log("**** f_init_ipSecParams: ERROR: Incorrect key length for the selected encryption algorithm ****");
return e_error;
berge
committed
}
if( f_checkIntegrityKeyLen(PX_INTEGRITY_ALGO, lengthof(PX_INTEGRITY_KEY)) != true) {
log("**** f_init_ipSecParams: ERROR: Incorrect key length for the selected integrity algorithm ****");
return e_error;
berge
committed
}
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
// SAD-OUT
vc_sad[c_saOut] := {
spi := PX_SPI/*f_createSpi()*/,
seqNr := c_uInt32Zero,
// AH Integrity
ahIntegrityAlgo := PX_INTEGRITY_ALGO,
ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
icvLen := f_getIcvLen(PX_INTEGRITY_ALGO),
icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO),
// ESP encryption
espEncryptionAlgo := PX_ENCRYPTION_ALGO,
espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/,
// ESP integrity
espIntegrityAlgo := PX_INTEGRITY_ALGO,
espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
// Combined mode
espCombinedModeAlgo := PX_COMBINED_MODE_ALGO,
espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/,
// Protocol mode
ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE
}
// SAD-IN
vc_sad[c_saIn] := {
spi := PX_SPI/*f_createSpi()*/,
// AH Integrity
ahIntegrityAlgo := PX_INTEGRITY_ALGO,
ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
icvLen := f_getIcvLen(PX_INTEGRITY_ALGO),
icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO),
// ESP encryption
espEncryptionAlgo := PX_ENCRYPTION_ALGO,
espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/,
// ESP integrity
espIntegrityAlgo := PX_INTEGRITY_ALGO,
espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
// Combined mode
espCombinedModeAlgo := PX_COMBINED_MODE_ALGO,
espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/,
// Protocol mode
ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE
}
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
// SAD-OUT
vc_sad[c_saRrpOut] := {
spi := c_saRrpOut/*f_createSpi()*/,
seqNr := c_uInt32Zero,
// AH Integrity
ahIntegrityAlgo := PX_INTEGRITY_ALGO,
ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
icvLen := f_getIcvLen(PX_INTEGRITY_ALGO),
icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO),
// ESP encryption
espEncryptionAlgo := PX_ENCRYPTION_ALGO,
espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/,
// ESP integrity
espIntegrityAlgo := PX_INTEGRITY_ALGO,
espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
// Combined mode
espCombinedModeAlgo := PX_COMBINED_MODE_ALGO,
espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/,
// Protocol mode
ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE
}
// SAD-IN
vc_sad[c_saRrpIn] := {
spi := c_saRrpIn/*f_createSpi()*/,
seqNr := c_uInt32Zero,
// AH Integrity
ahIntegrityAlgo := PX_INTEGRITY_ALGO,
ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
icvLen := f_getIcvLen(PX_INTEGRITY_ALGO),
icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO),
// ESP encryption
espEncryptionAlgo := PX_ENCRYPTION_ALGO,
espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/,
// ESP integrity
espIntegrityAlgo := PX_INTEGRITY_ALGO,
espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
// Combined mode
espCombinedModeAlgo := PX_COMBINED_MODE_ALGO,
espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/,
// Protocol mode
ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE
}
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
// SAD-OUT
vc_sad[c_saCnOut] := {
spi := c_saCnOut/*f_createSpi()*/,
seqNr := c_uInt32Zero,
// AH Integrity
ahIntegrityAlgo := PX_INTEGRITY_ALGO,
ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
icvLen := f_getIcvLen(PX_INTEGRITY_ALGO),
icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO),
// ESP encryption
espEncryptionAlgo := PX_ENCRYPTION_ALGO,
espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/,
// ESP integrity
espIntegrityAlgo := PX_INTEGRITY_ALGO,
espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
// Combined mode
espCombinedModeAlgo := PX_COMBINED_MODE_ALGO,
espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/,
// Protocol mode
ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE
}
// SAD-IN
vc_sad[c_saCnIn] := {
spi := c_saCnIn/*f_createSpi()*/,
seqNr := c_uInt32Zero,
// AH Integrity
ahIntegrityAlgo := PX_INTEGRITY_ALGO,
ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
icvLen := f_getIcvLen(PX_INTEGRITY_ALGO),
icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO),
// ESP encryption
espEncryptionAlgo := PX_ENCRYPTION_ALGO,
espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/,
// ESP integrity
espIntegrityAlgo := PX_INTEGRITY_ALGO,
espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/,
// Combined mode
espCombinedModeAlgo := PX_COMBINED_MODE_ALGO,
espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/,
// Protocol mode
ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE
}
//TODO chose in function of PX_SPI the SAD to be used for testing
// v_ret := fx_setSecurityParameters(Sad:{vc_sad[c_saOut]});
//SMU 2007 how is it solved to know when to use which SAD?
v_ret := fx_setSecurityParameters(vc_sad);
if (v_ret != e_success) {log("f_init_ipSecParams: Error when setting security parameters");}
return v_ret;
function f_getIcvLen(IntegrityAlgo p_integrityAlgo)
runs on LibIpv6Node
return UInt8 {
if(p_integrityAlgo == e_sha1) {
return 20;
}
else if (p_integrityAlgo == e_hmac_sha1_64){
return 8;
}
else if(p_integrityAlgo == e_null) {
return 0;
}
return 12;
}
function f_getIcvPadLen(IntegrityAlgo p_integrityAlgo)
runs on LibIpv6Node
return UInt8 {
if(p_integrityAlgo == e_sha1) {
return 0;
}
else if (p_integrityAlgo == e_hmac_sha1_64){
return 4;
}
return 0;
}
berge
committed
//in units of octets
function f_checkIntegrityKeyLen(IntegrityAlgo p_integrityAlgo, UInt8 p_keyLen)
runs on LibIpv6Node
return boolean {
if((p_integrityAlgo == e_sha1) and (p_keyLen != 20)) {
return false;
}
else if ((p_integrityAlgo == e_sha1_96) and (p_keyLen != 20)){
return false;
}
berge
committed
else if ((p_integrityAlgo == e_hmac_sha1_64) and (p_keyLen != 20)){
return false;
}
else if ((p_integrityAlgo == e_hmac_sha1_96) and (p_keyLen != 20)){
return false;
}
berge
committed
else if((p_integrityAlgo == e_hmac_md5_96) and (p_keyLen != 16)) {
return false;
}
return true;
}
berge
committed
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
//in units of octets
function f_getEncryptionIvLen(EncryptionAlgo p_encryptionAlgo)
runs on LibIpv6Node
return UInt8 {
if(p_encryptionAlgo == e_tripleDes_cbc) {
return 8;
}
else if (p_encryptionAlgo == e_aes_cbc){
return 16;
}
else if(p_encryptionAlgo == e_aes_ctr) {
return 8;
}
else if(p_encryptionAlgo == e_des_cbc) {
return 8;
}
return 0;
}
//in units of octets
function f_checkEncryptionKeyLen(EncryptionAlgo p_encryptionAlgo, UInt8 p_keyLen)
runs on LibIpv6Node
return boolean {
if((p_encryptionAlgo == e_tripleDes_cbc) and (p_keyLen != 24)){
return false;
}
else if ((p_encryptionAlgo == e_aes_cbc) and ((p_keyLen < 0) or (p_keyLen > 32))){
berge
committed
return false;
}
else if((p_encryptionAlgo == e_aes_ctr)
and (p_keyLen != 20) and (p_keyLen != 28) and (p_keyLen != 36)){
return false;
}
else if((p_encryptionAlgo == e_des_cbc) and (p_keyLen != 8)){
return false;
}
return true;
}
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
/*
* @desc This generates Security Parameters Index
* @return Security Parameters Index
*/
function f_createSpi()
runs on LibIpv6Node
return UInt32 {
var Oct4 v_spi := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 4);
return oct2int(v_spi);
}//end f_createSpi
/*
* @desc This generates a secret key
* @return Secret key
*/
function f_createSecretKey()
runs on LibIpv6Node
return octetstring {
var Oct20 v_key := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 20);
return v_key;
}//end f_createSecretKey
/*
* @desc
* This function is used when sending messages.
* @param p_msg ExtensionHeaderList to be treated
* @return execution status
*/
function f_getOriginalIpv6Packet( in Ipv6Packet p_ipv6Packet,
in EspHeader p_espHeader,
out Ipv6Packet p_originalIpv6Packet)
runs on LibIpv6Node
return FncRetCode {
var UInt8 i;
var boolean v_loop := true;
if (not(ispresent(p_espHeader.espPayload.espIpDatagram.extHdrList))
and not(ispresent(p_espHeader.espPayload.espIpDatagram.ipv6Payload))) {
log("**** f_setEspHeader: EspHeader.espPayload.espIpDatagram received that does neither contain extHdrList not ipv6Payload => EspHeader is not constructed correctly ****") ;
return e_error;
}
//Build original packet
p_originalIpv6Packet.ipv6Hdr := p_ipv6Packet.ipv6Hdr;
if (ispresent(p_espHeader.espPayload.espIpDatagram.extHdrList)) {
p_originalIpv6Packet.extHdrList := p_espHeader.espPayload.espIpDatagram.extHdrList;
}
if (ispresent(p_espHeader.espPayload.espIpDatagram.ipv6Payload)) {
p_originalIpv6Packet.ipv6Payload := p_espHeader.espPayload.espIpDatagram.ipv6Payload;
}
// is a tunneledIpv6Hdr in the extHdrList? If yes, then it becomes the Ipv6Hdr of the original packet
if (ispresent(p_espHeader.espPayload.espIpDatagram.extHdrList)) {
for (i:=0; i<sizeof(p_espHeader.espPayload.espIpDatagram.extHdrList) and v_loop ;i:=i+1) {
if (ischosen(p_espHeader.espPayload.espIpDatagram.extHdrList[i].tunneledIpv6)) {
p_originalIpv6Packet.ipv6Hdr := p_espHeader.espPayload.espIpDatagram.extHdrList[i].tunneledIpv6;
v_loop := false;
}
else {
p_originalIpv6Packet.extHdrList[i] := p_espHeader.espPayload.espIpDatagram.extHdrList[i];
}
}
}
p_originalIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (p_originalIpv6Packet);
return e_success;
}//end f_setEspHeader
* This function is used when sending messages.
* @param p_msg ExtensionHeaderList to be treated
* @return execution status
*/
/* function f_setEspHeader( in Ipv6Packet p_ipv6Packet,
inout EspHeader p_espHeader)
runs on LibIpv6Node
return FncRetCode {
var Ipv6Header v_originalIpv6Hdr;
var EchoRequest v_originalEchoRequest;
var EchoReply v_originalEchoReply;
//treat MipHdr and other ext
if (ispresent(p_espHeader.espPayload.espIpDatagram.extHdrList)) {
}
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
if (ispresent(p_espHeader.espPayload.espIpDatagram.ipv6Payload)) {
if (ischosen(p_espHeader.espPayload.espIpDatagram.ipv6Payload.echoRequestMsg)) {
if (ischosen(p_espHeader.espPayload.espIpDatagram.extHdrList[0].tunneledIpv6)) {//tunnelMode
v_originalIpv6Hdr := p_espHeader.espPayload.espIpDatagram.extHdrList[0].tunneledIpv6;
}
else { //transportMode
v_originalIpv6Hdr := p_ipv6Packet.ipv6Hdr;
}
//build original packet
v_originalEchoRequest := {
ipv6Hdr := v_originalIpv6Hdr,
extHdrList := omit,
ipv6Payload := p_espHeader.espPayload.espIpDatagram.ipv6Payload
}
//calc checksum
if (v_originalEchoRequest.ipv6Payload.echoRequestMsg.checksum != c_2ZeroBytes) {
//calc checksum
v_originalEchoRequest.ipv6Payload.echoRequestMsg.checksum := fx_icmpv6Checksum(v_originalEchoRequest);
}
//assign checksum
p_espHeader.espPayload.espIpDatagram.ipv6Payload.echoRequestMsg.checksum := v_originalEchoRequest.ipv6Payload.echoRequestMsg.checksum;
}
else if (ischosen(p_espHeader.espPayload.espIpDatagram.ipv6Payload.echoReplyMsg)) {
if (ischosen(p_espHeader.espPayload.espIpDatagram.extHdrList[0].tunneledIpv6)) {//tunnelMode
v_originalIpv6Hdr := p_espHeader.espPayload.espIpDatagram.extHdrList[0].tunneledIpv6;
}
else { //transportMode
v_originalIpv6Hdr := p_ipv6Packet.ipv6Hdr;
}
//build original packet
v_originalEchoReply := {
ipv6Hdr := v_originalIpv6Hdr,
extHdrList := omit,
ipv6Payload := p_espHeader.espPayload.espIpDatagram.ipv6Payload
}
//calc checksum
if (v_originalEchoReply.ipv6Payload.echoReplyMsg.checksum != c_2ZeroBytes) {
//calc checksum
v_originalEchoReply.ipv6Payload.echoReplyMsg.checksum := fx_icmpv6Checksum(v_originalEchoReply);
}
//assign checksum
p_espHeader.espPayload.espIpDatagram.ipv6Payload.echoReplyMsg.checksum := v_originalEchoReply.ipv6Payload.echoReplyMsg.checksum;
}