Loading ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Functions.ttcn +318 −242 Original line number Diff line number Diff line Loading @@ -547,7 +547,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { { v_ret := e_timeout; log("**** f_waitForIkeSaInitReq: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading @@ -556,17 +555,15 @@ module LibIpv6_Rfc4306Ikev2_Functions { } //end f_waitForIkeSaInitReq /* * @desc Test Node waits for IKE_AUTH request * @param p_src address of IUT * @param p_dst address of test node * @desc Test Node analyzes IKE_AUTH request * @param p_ipv6Packet complete IPv6 packet */ function f_waitForIkeAuthReq( in template Ipv6Address p_src, in template Ipv6Address p_dst) function f_analyzeIkeAuthReq(in template Ipv6Packet p_ipv6Packet) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; var Ipv6Packet v_ipv6Packet := valueof(p_ipv6Packet); // next payload from IKE header var UInt8 v_nextPayload; // list of payloads Loading @@ -577,20 +574,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { // transform var SaTransform v_saTransform; tc_wait.start; alt { [] ipPort.receive(mw_ikeAuthReq( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthReqPLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload; v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList; Loading 
@@ -599,25 +582,25 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret_local == e_success) { vc_ikeSad[0].iDi := v_ikePayload.idInitiator.data; } else { log("**** f_waitForIkeAuthReq: ERROR: No Identification payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Identification payload in payload list **** "); v_ret := e_error;} // get Traffic selector initiator payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthReq: ERROR: No Traffic selector initiator payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector initiator payload in payload list **** "); v_ret := e_error;} // get Traffic selector responder payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthReq: ERROR: No Traffic selector responder payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector responder payload in payload list **** "); v_ret := e_error;} // get Authentication payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_authenticationPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthReq: ERROR: No Authentication payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Authentication payload in payload list **** "); v_ret := e_error;} // get Security Association payload proposal data Loading 
@@ -640,7 +623,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { {vc_sad[c_saIn].espEncrKeyLen := v_saTransform.saTransformAttributeList[0].keyLength.attributeValue;} } else { log("**** f_waitForIkeAuthReq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} // store optional ESP integrity algorithm, if present Loading @@ -653,7 +636,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { {vc_sad[c_saIn].espIntegrKeyLen := v_saTransform.saTransformAttributeList[0].keyLength.attributeValue;} } else { log("**** f_waitForIkeAuthReq: WARNING: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** ") } { log("**** f_analyzeIkeAuthReq: WARNING: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** ") } } if (v_protocolId == c_protocolAh) Loading @@ -668,7 +651,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { {vc_sad[c_saIn].ahIntegrKeyLen := v_saTransform.saTransformAttributeList[0].keyLength.attributeValue;} } else { log("**** f_waitForIkeAuthReq: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } Loading 
@@ -678,20 +661,68 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret_local == e_success) {vc_sad[c_saIn].extentedSequenceNumbers := v_saTransform.transformId.extentedSequenceNumbers; } else { log("**** f_waitForIkeAuthReq: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } else { log("**** f_waitForIkeAuthReq: ERROR: No Security Association payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Security Association payload in payload list **** "); v_ret := e_error;} return v_ret; } //end f_analyzeIkeAuthReq /* * @desc Test Node waits for IKE_AUTH request * @param p_src address of IUT * @param p_dst address of test node */ function f_waitForIkeAuthReq( in template Ipv6Address p_src, in template Ipv6Address p_dst) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var Ipv6Packet v_ipv6Packet; tc_wait.start; alt { // Transport mode, Notify payload requesting 'UseTransportMode' is included in IKE_AUTH request [] ipPort.receive(mw_ikeAuthReq( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthReqTransportModePLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_ret := f_analyzeIkeAuthReq(v_ipv6Packet); vc_sad[c_saIn].ipSecProtocolMode := e_transportMode; } // Tunnel mode, Notify payload requesting 'UseTransportMode' is not included in IKE_AUTH request [] ipPort.receive(mw_ikeAuthReq( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthReqPLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_ret := 
f_analyzeIkeAuthReq(v_ipv6Packet); vc_sad[c_saIn].ipSecProtocolMode := e_tunnelMode; } [] tc_wait.timeout { v_ret := e_timeout; log("**** f_waitForIkeAuthReq: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading Loading @@ -883,7 +914,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { { v_ret := e_timeout; log("**** f_waitForIkeSaInitRsp: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading @@ -892,19 +922,15 @@ module LibIpv6_Rfc4306Ikev2_Functions { } //end f_waitForIkeSaInitRsp /* * @desc Test Node waits for IKE_AUTH response * @param p_src address of IUT * @param p_dst address of test node * @desc Test Node analyzes IKE_AUTH response * @param p_ipv6Packet complete IPv6 packet */ function f_waitForIkeAuthRsp( template Ipv6Address p_src, template Ipv6Address p_dst ) function f_analyzeIkeAuthRsp(in template Ipv6Packet p_ipv6Packet) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; var Ipv6Packet v_ipv6Packet := valueof (p_ipv6Packet); // next payload from IKE header var UInt8 v_nextPayload; // list of payloads Loading @@ -915,20 +941,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { // transform var SaTransform v_saTransform; tc_wait.start; alt { [] ipPort.receive(mw_ikeAuthRsp( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthRspPLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload; v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList; Loading 
@@ -937,25 +949,25 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret_local == e_success) { vc_ikeSad[0].iDr := v_ikePayload.idInitiator.data; } else { log("**** f_waitForIkeAuthRsp: ERROR: No Identification payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Identification payload in payload list **** "); v_ret := e_error;} // get Traffic selector initiator payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthRsp: ERROR: No Traffic selector initiator payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Traffic selector initiator payload in payload list **** "); v_ret := e_error;} // get Traffic selector responder payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthRsp: ERROR: No Traffic selector responder payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Traffic selector responder payload in payload list **** "); v_ret := e_error;} // get Authentication payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_authenticationPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthRsp: ERROR: No Authentication payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Authentication payload in payload list **** "); v_ret := e_error;} // get Security Association payload proposal data Loading 
@@ -973,21 +985,21 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeEncr,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].espEncryptionAlgo != v_saTransform.transformId.encryptionAlgo) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espEncrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espEncrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_waitForIkeSaInitRsp: ERROR: Security Association payload indicates wrong encryption algorithm attribute length **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm attribute length **** "); v_ret := e_error;}} else { log("**** f_waitForIkeSaInitRsp: ERROR: Expected encryption algorithm attribute length not found **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Expected encryption algorithm attribute length not found **** "); v_ret := e_error;} } } else { log("**** f_waitForIkeAuthRsp: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} // check optional ESP integrity algorithm, if present Loading 
@@ -996,21 +1008,21 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].espIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_waitForIkeSaInitRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm attribute length **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm attribute length **** "); v_ret := e_error;}} else { log("**** f_waitForIkeSaInitRsp: ERROR: Expected ESP integrity algorithm attribute length not found **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Expected ESP integrity algorithm attribute length not found **** "); v_ret := e_error;} } } else { log("**** f_waitForIkeAuthRsp: ERROR: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;}} } Loading 
@@ -1021,21 +1033,21 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].ahIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].ahIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].ahIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_waitForIkeSaInitRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm attribute length **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm attribute length **** "); v_ret := e_error;}} else { log("**** f_waitForIkeSaInitRsp: ERROR: Expected AH integrity algorithm attribute length not found **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Expected AH integrity algorithm attribute length not found **** "); v_ret := e_error;} } } else { log("**** f_waitForIkeAuthRsp: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } Loading 
@@ -1044,17 +1056,80 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeEsn,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].extentedSequenceNumbers != v_saTransform.transformId.extentedSequenceNumbers) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong extented sequence numbers **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong extented sequence numbers **** "); v_ret := e_error;} } else { log("**** f_waitForIkeAuthRsp: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } else { log("**** f_waitForIkeAuthRsp: ERROR: No Security Association payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Security Association payload in payload list **** "); v_ret := e_error;} return v_ret; } // End f_analyzeIkeAuthRsp /* * @desc Test Node waits for IKE_AUTH response * @param p_src address of IUT * @param p_dst address of test node */ function f_waitForIkeAuthRsp( template Ipv6Address p_src, template Ipv6Address p_dst ) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; // next payload from IKE header var UInt8 v_nextPayload; // list of payloads var IkePayloadList v_ikePayloadList; var IkePayload v_ikePayload; tc_wait.start; alt { // Transport mode, Notify payload indicating 'UseTransportMode' is included in IKE_AUTH response [] ipPort.receive(mw_ikeAuthRsp( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthRspTransportModePLL))) -> value v_ipv6Packet { tc_wait.stop; if (vc_sad[c_saOut].ipSecProtocolMode == e_transportMode) { vc_ikeSad[0].messageID := 
vc_ikeSad[0].messageID + 1; v_ret := f_analyzeIkeAuthRsp(v_ipv6Packet);} else { log("**** f_waitForIkeAuthRsp: ERROR: IKE_AUTH response with unexpected transport mode indication in Notify payload **** "); v_ret := e_error;} return v_ret; } // Tunnel mode, Notify payload indicating 'UseTransportMode' is not included in IKE_AUTH response [] ipPort.receive(mw_ikeAuthRsp( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthRspPLL))) -> value v_ipv6Packet { tc_wait.stop; if (vc_sad[c_saOut].ipSecProtocolMode != e_tunnelMode) { log("**** f_waitForIkeAuthRsp: WARNING: IKE_AUTH response rejects request for transport mode, tunnel mode shall be used for this SA! **** ");} vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_ret := f_analyzeIkeAuthRsp(v_ipv6Packet); return v_ret; } // A unexpected IKE_AUTH response with a Notify payload is received Loading @@ -1074,11 +1149,12 @@ module LibIpv6_Rfc4306Ikev2_Functions { // get Notify payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_notifyPL,v_ikePayload); if (v_ret_local == e_success) { log("**** f_waitForIkeAuthRsp: ERROR: IKE_AUTH response with Notify payload received, error/status value = ",v_ikePayload.notify.notifyMessageType," **** "); { log("**** f_waitForIkeAuthRsp: ERROR: IKE_AUTH response with unexpected Notify payload received, error/status value = ",v_ikePayload.notify.notifyMessageType," **** "); v_ret := e_error;} else { log("**** f_waitForIkeAuthRsp: ERROR: Unexpected IKE_AUTH response received **** "); v_ret := e_error;} return v_ret; } [] tc_wait.timeout Loading ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Templates.ttcn +65 −43 Original line number Diff line number Diff line Loading 
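Review bot: In the new f_waitForIkeAuthReq (hunk @@ -678,20 +661,68 @@) `vc_sad[c_saIn].ipSecProtocolMode := e_transportMode;` (and `e_tunnelMode` in the second alternative) is written after `v_ret := f_analyzeIkeAuthReq(v_ipv6Packet);` without looking at v_ret, so a request whose SA/TS/AUTH payloads failed analysis still updates the inbound SA's mode; guard it with `if (v_ret == e_success) { vc_sad[c_saIn].ipSecProtocolMode := e_transportMode; }` and likewise for the tunnel branch. Both receive alternatives match with `superset` payload-list templates, and mw_ikeAuthReqPLL is a subset of mw_ikeAuthReqTransportModePLL, so the tunnel-mode alternative would also match a request carrying the USE_TRANSPORT_MODE Notify; correctness depends on the transport-mode alternative staying first in the alt, which deserves a comment such as `// NOTE: superset matching, the transport-mode alternative must remain before the tunnel-mode one`. The same ordering dependency exists in f_waitForIkeAuthRsp (hunk @@ -1044,17 +1056,80 @@). There, the transport-mode branch returns e_error without advancing vc_ikeSad[0].messageID while the tunnel-mode branch advances it even after logging the mode mismatch warning; if that asymmetry is intended, a one-line comment saying why would help. The body of f_waitForIkeAuthRsp continues outside the hunk.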
@@ -305,7 +305,7 @@ superset ( mw_securityAssociationIkePL, mw_noncePL, mw_keyExchangePL); template IkePayloadList mw_ikeSaInitRsp_Notify := superset ( mw_notifyPL); superset ( mw_notifyAnyPL); template IkePayloadList mw_encryptedPLL(template IkePayloadList p_ikepayloads) := { mw_encryptedPL(p_ikepayloads) }; Loading @@ -313,11 +313,19 @@ template IkePayloadList mw_ikeAuthReqPLL := superset ( mw_securityAssociationPL, mw_idInitiatorPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL); template IkePayloadList mw_ikeAuthReqTransportModePLL := superset ( mw_securityAssociationPL, mw_idInitiatorPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL, mw_notifyPL(c_notifyUseTransportMode)); template IkePayloadList mw_ikeAuthRspPLL := superset ( mw_securityAssociationPL, mw_idResponderPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL); template IkePayloadList mw_ikeAuthRspTransportModePLL := superset ( mw_securityAssociationPL, mw_idResponderPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL, mw_notifyPL(c_notifyUseTransportMode)); template IkePayloadList mw_ikeAuthRsp_Notify := superset ( mw_notifyPL); superset ( mw_notifyAnyPL); }//end group payLoadListTemplates Loading Loading @@ -624,7 +632,21 @@ group payloadTemplates { } template IkePayload mw_notifyPL := { template IkePayload mw_notifyPL(UInt16 p_notifyMessageType) := { notify := { nextPayload := ?, criticalFlag := 0, reserved := ?, payloadLength := ?, protocolId := ?, spiSize := ?, notifyMessageType := p_notifyMessageType, spi := *, data := * } } template IkePayload mw_notifyAnyPL := { notify := { nextPayload := ?, criticalFlag := 0, Loading Loading
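Review bot: The former parameterless `mw_notifyPL` now takes `UInt16 p_notifyMessageType` and the wildcard form is renamed `mw_notifyAnyPL`, but neither template carries a comment; a short header such as `// Notify payload with a specific notification type (use mw_notifyAnyPL to match any Notify)` on mw_notifyPL and `// Notify payload with any notification type` on mw_notifyAnyPL would make the split obvious to callers. Any other user of bare mw_notifyPL outside the hunks shown would no longer compile after this change, which is worth confirming across the suite. mw_ikeAuthReqTransportModePLL and mw_ikeAuthRspTransportModePLL are `superset` templates that extend mw_ikeAuthReqPLL / mw_ikeAuthRspPLL by `mw_notifyPL(c_notifyUseTransportMode)`, so every list matching the transport-mode template also matches the plain one; that subset relation and the resulting need to try the transport-mode template first should be documented on the templates, e.g. `// superset of mw_ikeAuthReqPLL: match this one first when both are alternatives`. The last hunk of this section (mw_notifyAnyPL) is cut off in this view.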
ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Functions.ttcn +318 −242 Original line number Diff line number Diff line Loading @@ -547,7 +547,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { { v_ret := e_timeout; log("**** f_waitForIkeSaInitReq: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading @@ -556,17 +555,15 @@ module LibIpv6_Rfc4306Ikev2_Functions { } //end f_waitForIkeSaInitReq /* * @desc Test Node waits for IKE_AUTH request * @param p_src address of IUT * @param p_dst address of test node * @desc Test Node analyzes IKE_AUTH request * @param p_ipv6Packet complete IPv6 packet */ function f_waitForIkeAuthReq( in template Ipv6Address p_src, in template Ipv6Address p_dst) function f_analyzeIkeAuthReq(in template Ipv6Packet p_ipv6Packet) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; var Ipv6Packet v_ipv6Packet := valueof(p_ipv6Packet); // next payload from IKE header var UInt8 v_nextPayload; // list of payloads Loading @@ -577,20 +574,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { // transform var SaTransform v_saTransform; tc_wait.start; alt { [] ipPort.receive(mw_ikeAuthReq( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthReqPLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload; v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList; Loading 
@@ -599,25 +582,25 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret_local == e_success) { vc_ikeSad[0].iDi := v_ikePayload.idInitiator.data; } else { log("**** f_waitForIkeAuthReq: ERROR: No Identification payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Identification payload in payload list **** "); v_ret := e_error;} // get Traffic selector initiator payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthReq: ERROR: No Traffic selector initiator payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector initiator payload in payload list **** "); v_ret := e_error;} // get Traffic selector responder payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthReq: ERROR: No Traffic selector responder payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector responder payload in payload list **** "); v_ret := e_error;} // get Authentication payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_authenticationPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthReq: ERROR: No Authentication payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Authentication payload in payload list **** "); v_ret := e_error;} // get Security Association payload proposal data Loading 
@@ -640,7 +623,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { {vc_sad[c_saIn].espEncrKeyLen := v_saTransform.saTransformAttributeList[0].keyLength.attributeValue;} } else { log("**** f_waitForIkeAuthReq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} // store optional ESP integrity algorithm, if present Loading @@ -653,7 +636,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { {vc_sad[c_saIn].espIntegrKeyLen := v_saTransform.saTransformAttributeList[0].keyLength.attributeValue;} } else { log("**** f_waitForIkeAuthReq: WARNING: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** ") } { log("**** f_analyzeIkeAuthReq: WARNING: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** ") } } if (v_protocolId == c_protocolAh) Loading @@ -668,7 +651,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { {vc_sad[c_saIn].ahIntegrKeyLen := v_saTransform.saTransformAttributeList[0].keyLength.attributeValue;} } else { log("**** f_waitForIkeAuthReq: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } Loading 
@@ -678,20 +661,68 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret_local == e_success) {vc_sad[c_saIn].extentedSequenceNumbers := v_saTransform.transformId.extentedSequenceNumbers; } else { log("**** f_waitForIkeAuthReq: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } else { log("**** f_waitForIkeAuthReq: ERROR: No Security Association payload in payload list **** "); { log("**** f_analyzeIkeAuthReq: ERROR: No Security Association payload in payload list **** "); v_ret := e_error;} return v_ret; } //end f_analyzeIkeAuthReq /* * @desc Test Node waits for IKE_AUTH request * @param p_src address of IUT * @param p_dst address of test node */ function f_waitForIkeAuthReq( in template Ipv6Address p_src, in template Ipv6Address p_dst) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var Ipv6Packet v_ipv6Packet; tc_wait.start; alt { // Transport mode, Notify payload requesting 'UseTransportMode' is included in IKE_AUTH request [] ipPort.receive(mw_ikeAuthReq( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthReqTransportModePLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_ret := f_analyzeIkeAuthReq(v_ipv6Packet); vc_sad[c_saIn].ipSecProtocolMode := e_transportMode; } // Tunnel mode, Notify payload requesting 'UseTransportMode' is not included in IKE_AUTH request [] ipPort.receive(mw_ikeAuthReq( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthReqPLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_ret := 
f_analyzeIkeAuthReq(v_ipv6Packet); vc_sad[c_saIn].ipSecProtocolMode := e_tunnelMode; } [] tc_wait.timeout { v_ret := e_timeout; log("**** f_waitForIkeAuthReq: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading Loading @@ -883,7 +914,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { { v_ret := e_timeout; log("**** f_waitForIkeSaInitRsp: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading @@ -892,19 +922,15 @@ module LibIpv6_Rfc4306Ikev2_Functions { } //end f_waitForIkeSaInitRsp /* * @desc Test Node waits for IKE_AUTH response * @param p_src address of IUT * @param p_dst address of test node * @desc Test Node analyzes IKE_AUTH response * @param p_ipv6Packet complete IPv6 packet */ function f_waitForIkeAuthRsp( template Ipv6Address p_src, template Ipv6Address p_dst ) function f_analyzeIkeAuthRsp(in template Ipv6Packet p_ipv6Packet) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; var Ipv6Packet v_ipv6Packet := valueof (p_ipv6Packet); // next payload from IKE header var UInt8 v_nextPayload; // list of payloads Loading @@ -915,20 +941,6 @@ module LibIpv6_Rfc4306Ikev2_Functions { // transform var SaTransform v_saTransform; tc_wait.start; alt { [] ipPort.receive(mw_ikeAuthRsp( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthRspPLL))) -> value v_ipv6Packet { tc_wait.stop; vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload; v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList; Loading 
@@ -937,25 +949,25 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret_local == e_success) { vc_ikeSad[0].iDr := v_ikePayload.idInitiator.data; } else { log("**** f_waitForIkeAuthRsp: ERROR: No Identification payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Identification payload in payload list **** "); v_ret := e_error;} // get Traffic selector initiator payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthRsp: ERROR: No Traffic selector initiator payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Traffic selector initiator payload in payload list **** "); v_ret := e_error;} // get Traffic selector responder payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthRsp: ERROR: No Traffic selector responder payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Traffic selector responder payload in payload list **** "); v_ret := e_error;} // get Authentication payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_authenticationPL,v_ikePayload); if (v_ret_local == e_error) { log("**** f_waitForIkeAuthRsp: ERROR: No Authentication payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Authentication payload in payload list **** "); v_ret := e_error;} // get Security Association payload proposal data Loading 
@@ -973,21 +985,21 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeEncr,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].espEncryptionAlgo != v_saTransform.transformId.encryptionAlgo) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espEncrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espEncrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_waitForIkeSaInitRsp: ERROR: Security Association payload indicates wrong encryption algorithm attribute length **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm attribute length **** "); v_ret := e_error;}} else { log("**** f_waitForIkeSaInitRsp: ERROR: Expected encryption algorithm attribute length not found **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Expected encryption algorithm attribute length not found **** "); v_ret := e_error;} } } else { log("**** f_waitForIkeAuthRsp: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} // check optional ESP integrity algorithm, if present Loading 
@@ -996,21 +1008,21 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].espIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_waitForIkeSaInitRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm attribute length **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm attribute length **** "); v_ret := e_error;}} else { log("**** f_waitForIkeSaInitRsp: ERROR: Expected ESP integrity algorithm attribute length not found **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Expected ESP integrity algorithm attribute length not found **** "); v_ret := e_error;} } } else { log("**** f_waitForIkeAuthRsp: ERROR: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No ESP integrity algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;}} } Loading 
@@ -1021,21 +1033,21 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].ahIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].ahIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].ahIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_waitForIkeSaInitRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm attribute length **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm attribute length **** "); v_ret := e_error;}} else { log("**** f_waitForIkeSaInitRsp: ERROR: Expected AH integrity algorithm attribute length not found **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: Expected AH integrity algorithm attribute length not found **** "); v_ret := e_error;} } } else { log("**** f_waitForIkeAuthRsp: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No AH integrity algorithm transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } Loading 
@@ -1044,17 +1056,80 @@ module LibIpv6_Rfc4306Ikev2_Functions { c_transformTypeEsn,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].extentedSequenceNumbers != v_saTransform.transformId.extentedSequenceNumbers) {log("**** f_waitForIkeAuthRsp: ERROR: Security Association payload indicates wrong extented sequence numbers **** "); {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong extented sequence numbers **** "); v_ret := e_error;} } else { log("**** f_waitForIkeAuthRsp: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); v_ret := e_error;} } else { log("**** f_waitForIkeAuthRsp: ERROR: No Security Association payload in payload list **** "); { log("**** f_analyzeIkeAuthRsp: ERROR: No Security Association payload in payload list **** "); v_ret := e_error;} return v_ret; } // End f_analyzeIkeAuthRsp /* * @desc Test Node waits for IKE_AUTH response * @param p_src address of IUT * @param p_dst address of test node */ function f_waitForIkeAuthRsp( template Ipv6Address p_src, template Ipv6Address p_dst ) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; // next payload from IKE header var UInt8 v_nextPayload; // list of payloads var IkePayloadList v_ikePayloadList; var IkePayload v_ikePayload; tc_wait.start; alt { // Transport mode, Notify payload indicating 'UseTransportMode' is included in IKE_AUTH response [] ipPort.receive(mw_ikeAuthRsp( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthRspTransportModePLL))) -> value v_ipv6Packet { tc_wait.stop; if (vc_sad[c_saOut].ipSecProtocolMode == e_transportMode) { vc_ikeSad[0].messageID := 
vc_ikeSad[0].messageID + 1; v_ret := f_analyzeIkeAuthRsp(v_ipv6Packet);} else { log("**** f_waitForIkeAuthRsp: ERROR: IKE_AUTH response with unexpected transport mode indication in Notify payload **** "); v_ret := e_error;} return v_ret; } // Tunnel mode, Notify payload indicating 'UseTransportMode' is not included in IKE_AUTH response [] ipPort.receive(mw_ikeAuthRsp( p_src, p_dst, vc_ikeSad[0].udpIutPort, vc_ikeSad[0].udpTnPort, vc_ikeSad[0].spiInitiator, vc_ikeSad[0].spiResponder, vc_ikeSad[0].messageID, mw_encryptedPLL(mw_ikeAuthRspPLL))) -> value v_ipv6Packet { tc_wait.stop; if (vc_sad[c_saOut].ipSecProtocolMode != e_tunnelMode) { log("**** f_waitForIkeAuthRsp: WARNING: IKE_AUTH response rejects request for transport mode, tunnel mode shall be used for this SA! **** ");} vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1; v_ret := f_analyzeIkeAuthRsp(v_ipv6Packet); return v_ret; } // A unexpected IKE_AUTH response with a Notify payload is received Loading @@ -1074,11 +1149,12 @@ module LibIpv6_Rfc4306Ikev2_Functions { // get Notify payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_notifyPL,v_ikePayload); if (v_ret_local == e_success) { log("**** f_waitForIkeAuthRsp: ERROR: IKE_AUTH response with Notify payload received, error/status value = ",v_ikePayload.notify.notifyMessageType," **** "); { log("**** f_waitForIkeAuthRsp: ERROR: IKE_AUTH response with unexpected Notify payload received, error/status value = ",v_ikePayload.notify.notifyMessageType," **** "); v_ret := e_error;} else { log("**** f_waitForIkeAuthRsp: ERROR: Unexpected IKE_AUTH response received **** "); v_ret := e_error;} return v_ret; } [] tc_wait.timeout Loading
ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Templates.ttcn +65 −43 Original line number Diff line number Diff line Loading @@ -305,7 +305,7 @@ superset ( mw_securityAssociationIkePL, mw_noncePL, mw_keyExchangePL); template IkePayloadList mw_ikeSaInitRsp_Notify := superset ( mw_notifyPL); superset ( mw_notifyAnyPL); template IkePayloadList mw_encryptedPLL(template IkePayloadList p_ikepayloads) := { mw_encryptedPL(p_ikepayloads) }; Loading @@ -313,11 +313,19 @@ template IkePayloadList mw_ikeAuthReqPLL := superset ( mw_securityAssociationPL, mw_idInitiatorPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL); template IkePayloadList mw_ikeAuthReqTransportModePLL := superset ( mw_securityAssociationPL, mw_idInitiatorPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL, mw_notifyPL(c_notifyUseTransportMode)); template IkePayloadList mw_ikeAuthRspPLL := superset ( mw_securityAssociationPL, mw_idResponderPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL); template IkePayloadList mw_ikeAuthRspTransportModePLL := superset ( mw_securityAssociationPL, mw_idResponderPL, mw_tsInitiatorPL, mw_tsResponderPL, mw_authPL, mw_notifyPL(c_notifyUseTransportMode)); template IkePayloadList mw_ikeAuthRsp_Notify := superset ( mw_notifyPL); superset ( mw_notifyAnyPL); }//end group payLoadListTemplates Loading Loading @@ -624,7 +632,21 @@ group payloadTemplates { } template IkePayload mw_notifyPL := { template IkePayload mw_notifyPL(UInt16 p_notifyMessageType) := { notify := { nextPayload := ?, criticalFlag := 0, reserved := ?, payloadLength := ?, protocolId := ?, spiSize := ?, notifyMessageType := p_notifyMessageType, spi := *, data := * } } template IkePayload mw_notifyAnyPL := { notify := { nextPayload := ?, criticalFlag := 0, Loading