Loading ttcn3/EtsiLibrary/LibIpv6/LibCommonRfcs/LibIpv6_CommonRfcs_Functions.ttcn +37 −18 Original line number Diff line number Diff line Loading @@ -774,6 +774,7 @@ group ipSecFns { //ikeIntegrityKey := PX_IKE_INT_KEY, ikeIntegrKeyLen := omit, ikeIntegrBlockSize := 0, ikeIcvLen := f_getIcvLen(PX_IKE_INTALGO), diffieHellmanGroup := PX_IKE_DIFFIEHELLMAN_GROUP, diffieHellmanPrivKey := PX_IKE_DIFFIEHELLMAN_PRIVKEY, diffieHellmanSharedSecret := '00'O, Loading Loading @@ -807,8 +808,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -820,12 +821,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-IN Loading @@ -836,8 +840,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading 
@@ -849,12 +853,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-OUT Loading @@ -865,8 +872,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -878,12 +885,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-IN Loading 
@@ -894,8 +904,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -907,12 +917,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-OUT Loading @@ -923,8 +936,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading 
@@ -936,12 +949,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-IN Loading @@ -952,8 +968,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -965,12 +981,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } return v_ret; Loading ttcn3/EtsiLibrary/LibIpv6/LibCommonRfcs/LibIpv6_Interface_Functions.ttcn +7 −7 Original line number Diff line number Diff line Loading 
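Review bot: The new SAD fields (`espIcvLen`, `tsInitiator`, `tsResponder`) and the `ahIcvLen`/`ahIcvPadLen` rename had to be applied to eight near-identical record literals in this function (the SAD-IN/SAD-OUT pairs in hunks @@ -807 through @@ -965), which is exactly how such records drift apart over time; a single local template or helper that builds one SA record from the PX_ parameters, instantiated for each SAD-IN/SAD-OUT slot, would keep them in step. Separately, in hunk @@ -774 the IKE SA now sets `ikeIcvLen := f_getIcvLen(PX_IKE_INTALGO)` right next to a hard-coded `ikeIntegrBlockSize := 0`, while the ESP SAs derive their block size into `v_espIntegrBlockSize`; if the same helper applies to the IKE integrity algorithm it should be used here, otherwise a comment such as `// TODO: derive from PX_IKE_INTALGO like ikeIcvLen, or state why 0 is correct` would stop the next reader from assuming an oversight. The enclosing function starts and ends outside the visible hunks.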
@@ -269,29 +269,29 @@ group rfc2460Root_Functions { //Set Dummy ICV of correct length v_spi := v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.securityParametersIndex; if (vc_sad[v_spi].icvLen == 0) { if (vc_sad[v_spi].ahIcvLen == 0) { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icv := omit; } else { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icv := int2oct(0, vc_sad[v_spi].icvLen); v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icv := int2oct(0, vc_sad[v_spi].ahIcvLen); } // Check ICV padding if (vc_sad[v_spi].icvPadLen == 0) { if (vc_sad[v_spi].ahIcvPadLen == 0) { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icvPadding := omit; } else { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icvPadding := int2oct(0, vc_sad[v_spi].icvPadLen); v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icvPadding := int2oct(0, vc_sad[v_spi].ahIcvPadLen); } // Update AuthHeader payloadLen v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.payloadLen := (12 + vc_sad[v_spi].icvLen + vc_sad[v_spi].icvPadLen) / 4 - 2; v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.payloadLen := (12 + vc_sad[v_spi].ahIcvLen + vc_sad[v_spi].ahIcvPadLen) / 4 - 2; //Update IPv6 payload based on the calculated ICV + padding v_activeIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (p_ipv6Packet); //compute icv if (vc_sad[v_spi].icvLen != 0) { if (vc_sad[v_spi].ahIcvLen != 0) { // work on a temporary copy in order to be able to zero mutable fields v_tempIpv6Packet := v_activeIpv6Packet; Loading ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Functions.ttcn +173 −109 Original line number Diff line number Diff line Loading @@ -435,7 +435,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { in template Ipv6Address p_dst) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret := e_success; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; // next payload from IKE header Loading Loading 
@@ -560,7 +560,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { function f_analyzeIkeAuthReq(in template Ipv6Packet p_ipv6Packet, out UInt8 p_protocolId) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret := e_success; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet := valueof(p_ipv6Packet); // next payload from IKE header Loading @@ -584,13 +584,17 @@ module LibIpv6_Rfc4306Ikev2_Functions { // get Traffic selector initiator payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret_local == e_error) if (v_ret_local == e_success) { vc_sad[c_saIn].tsInitiator := v_ikePayload.tsInitiator.trafficSelectorList[0];} else { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector initiator payload in payload list **** "); v_ret := e_error;} // get Traffic selector responder payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret_local == e_error) if (v_ret_local == e_success) { vc_sad[c_saIn].tsResponder := v_ikePayload.tsResponder.trafficSelectorList[0];} else { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector responder payload in payload list **** "); v_ret := e_error;} Loading Loading @@ -926,7 +930,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { function f_analyzeIkeAuthRsp(in template Ipv6Packet p_ipv6Packet) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret := e_success; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet := valueof (p_ipv6Packet); // next payload from IKE header Loading Loading 
@@ -974,7 +978,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { { v_protocolId := v_ikePayload.securityAssociation.saProposalList[0].protocolId; // put data from first proposal into vc_Sad vc_sad[c_saIn].spi := oct2int(v_ikePayload.securityAssociation.saProposalList[0].spi); vc_sad[c_saOut].spi := oct2int(v_ikePayload.securityAssociation.saProposalList[0].spi); if (v_protocolId == c_protocolEsp) { Loading @@ -982,13 +986,13 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeEncr,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].espEncryptionAlgo != v_saTransform.transformId.encryptionAlgo) { if (vc_sad[c_saOut].espEncryptionAlgo != v_saTransform.transformId.encryptionAlgo) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espEncrKeyLen)) if (ispresent(vc_sad[c_saOut].espEncrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espEncrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { if(vc_sad[c_saOut].espEncrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm attribute length **** "); v_ret := e_error;}} else Loading 
@@ -1001,17 +1005,17 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret := e_error;} // check optional ESP integrity algorithm, if present if (ispresent(vc_sad[c_saIn].espIntegrityAlgo)) if (ispresent(vc_sad[c_saOut].espIntegrityAlgo)) {v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].espIntegrityAlgo != v_saTransform.transformId.integAlgorithms) { if(vc_sad[c_saOut].espIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espIntegrKeyLen)) if (ispresent(vc_sad[c_saOut].espIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { if(vc_sad[c_saOut].espIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm attribute length **** "); v_ret := e_error;}} else Loading 
@@ -1030,13 +1034,13 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].ahIntegrityAlgo != v_saTransform.transformId.integAlgorithms) { if(vc_sad[c_saOut].ahIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].ahIntegrKeyLen)) if (ispresent(vc_sad[c_saOut].ahIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].ahIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { if(vc_sad[c_saOut].ahIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm attribute length **** "); v_ret := e_error;}} else Loading @@ -1053,7 +1057,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeEsn,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].extentedSequenceNumbers != v_saTransform.transformId.extentedSequenceNumbers) { if (vc_sad[c_saOut].extentedSequenceNumbers != v_saTransform.transformId.extentedSequenceNumbers) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong extented sequence numbers **** "); v_ret := e_error;} } Loading Loading 
@@ -1291,14 +1295,20 @@ group sendRequests { function f_createAndSendAuthReq( template Ipv6Address p_addrTn, template Ipv6Address p_addrIut template Ipv6Address p_addrIut, UInt8 protocolId ) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret := e_error; var IkePayload v_securityAssociationPL; var SaTransform v_saTransformEncr; var SaTransform v_saTransformEncr := valueof ( if (protocolId == c_protocolId_esp) { // Build Security Association payload for ESP v_saTransformEncr := valueof ( m_saTransform ( c_moreTransform, c_transformTypeEncr, Loading @@ -1321,6 +1331,64 @@ group sendRequests { ); } // Security Association payload for ESP v_securityAssociationPL := valueof (m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_esp, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_3Elem ( v_saTransformEncr, m_saTransform ( c_moreTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].espIntegrityAlgo), omit//Attribute ), m_saTransform ( c_lastTransform, c_transformTypeEsn, m_transformId_esn(vc_sad[c_saOut].extentedSequenceNumbers), omit//Attribute ) ) ) )); } else { // Build Security Association payload for AH v_securityAssociationPL := valueof (m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_ah, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_2Elem ( m_saTransform ( c_moreTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].ahIntegrityAlgo), omit//Attribute ), m_saTransform ( c_lastTransform, c_transformTypeEsn, m_transformId_esn(vc_sad[c_saOut].extentedSequenceNumbers), omit//Attribute ) ) ) )); } // Transport mode, Notify payload requesting 'UseTransportMode' is included in IKE_AUTH request if(vc_sad[c_saOut].ipSecProtocolMode == e_transportMode) { Loading Loading 
@@ -1351,26 +1419,7 @@ group sendRequests { c_saPL, f_calculateAUTH(vc_ikeSad[0],c_initiator) ), m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_esp, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_2Elem ( v_saTransformEncr, m_saTransform ( c_lastTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].espIntegrityAlgo), omit//Attribute ) ) ) ), v_securityAssociationPL, m_tsInitiatorPL( c_tsResponderPL, m_trafficSelectorList_1Elem ( Loading Loading @@ -1425,26 +1474,7 @@ group sendRequests { c_saPL, f_calculateAUTH(vc_ikeSad[0],c_initiator) ), m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_esp, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_2Elem ( v_saTransformEncr, m_saTransform ( c_lastTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].espIntegrityAlgo), omit//Attribute ) ) ) ), v_securityAssociationPL, m_tsInitiatorPL( c_tsResponderPL, m_trafficSelectorList_1Elem ( Loading Loading @@ -1474,8 +1504,6 @@ group sendRequests { ); } if (v_ret != e_success) { return v_ret;} return v_ret ; }//end f_createAndSendAuthReq Loading Loading @@ -1675,13 +1703,13 @@ group sendResponses { 0, //c_protocolId_none, c_notifyUseTransportMode ), m_idInitiatorPL ( m_idResponderPL ( c_authenticationPL, p_addrTn p_addrIut ), m_authPL ( c_saPL, f_calculateAUTH(vc_ikeSad[0],c_initiator) f_calculateAUTH(vc_ikeSad[0],c_responder) ), m_securityAssociationPL( c_tsInitiatorPL, Loading 
@@ -1692,13 +1720,19 @@ group sendResponses { c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saIn].spi,c_spiSize4), m_saTransformList_2Elem ( m_saTransformList_3Elem ( v_saTransformEncr, m_saTransform ( c_lastTransform, c_moreTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saIn].espIntegrityAlgo), omit//Attribute ), m_saTransform ( c_lastTransform, c_transformTypeEsn, m_transformId_esn(vc_sad[c_saIn].extentedSequenceNumbers), omit//Attribute ) ) ) Loading @@ -1706,23 +1740,13 @@ group sendResponses { m_tsInitiatorPL( c_tsResponderPL, m_trafficSelectorList_1Elem ( m_icmpv6Ts( oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), p_addrTn, p_addrTn ) vc_sad[c_saIn].tsInitiator ) ), m_tsResponderPL( c_noNextPL, m_trafficSelectorList_1Elem ( m_icmpv6Ts( oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), p_addrIut, p_addrIut ) vc_sad[c_saIn].tsResponder ) ) ) Loading @@ -1730,7 +1754,6 @@ group sendResponses { ) ) ); if (v_ret != e_success) { return v_ret;} return v_ret ; }//end f_createAndSendAuthRsp Loading Loading @@ -1813,7 +1836,8 @@ group establishSAFns_active { v_ret := f_createAndSendAuthReq( p_addrTn, p_addrIut p_addrIut, c_protocolId_esp ); if (v_ret != e_success) { return v_ret;} Loading Loading 
@@ -1843,6 +1867,46 @@ group establishSAFns_active { }//end f_sndAuthReqAndWaitForRsp_forEsp function f_sndAuthReqAndWaitForRsp_forAh( template Ipv6Address p_addrTn, template Ipv6Address p_addrIut ) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret := e_error; v_ret := f_createAndSendAuthReq( p_addrTn, p_addrIut, c_protocolId_ah ); if (v_ret != e_success) { return v_ret;} // wait for IKE_AUTH response v_ret := f_waitForIkeAuthRsp(p_addrIut, p_addrTn); if (v_ret != e_success) { return v_ret;} //fill keyLen vc_sad[c_saOut].espEncrKeyLen := 0; v_ret := f_getEncrKeyLen(vc_sad[c_saOut].espEncryptionAlgo, vc_sad[c_saOut].espEncrKeyLen); if (v_ret != e_success) { return v_ret;} vc_sad[c_saOut].espIntegrKeyLen := 0; v_ret := f_getIntegrKeyLen(vc_sad[c_saOut].espIntegrityAlgo, vc_sad[c_saOut].espIntegrKeyLen); if (v_ret != e_success) { return v_ret;} //fill iv and block sizes v_ret := f_getIv(vc_sad[c_saOut].espEncryptionAlgo, vc_sad[c_saOut].espIv); if (v_ret != e_success) { return v_ret;} v_ret := f_getEncrBlockSize(vc_sad[c_saOut].espEncryptionAlgo, vc_sad[c_saOut].espEncrBlockSize); if (v_ret != e_success) { return v_ret;} v_ret := f_getIntegrBlockSize(vc_sad[c_saOut].espIntegrityAlgo, vc_sad[c_saOut].espIntegrBlockSize); if (v_ret != e_success) { return v_ret;} v_ret := fx_setSecurityParameters(vc_sad); return v_ret; }//end f_sndAuthReqAndWaitForRsp_forAh }//end establishSAFns_active group establishSAFns_passive { Loading ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Templates.ttcn +32 −0 Original line number Diff line number Diff line Loading 
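Review bot: In the ESP branch of `f_createAndSendAuthReq` (hunk @@ -1321) the proposal is now built with `m_saTransformList_3Elem` (encryption, integrity, ESN) while the transform count passed to `m_saProposalIke` stays `c_2Transforms`; the same combination is introduced in `f_createAndSendAuthRsp` (hunk @@ -1692). If `c_2Transforms` is the proposal substructure's Num Transforms field, as its name suggests, the encoded payload no longer matches its transform list and a conformant peer would reject the proposal, so both call sites should pass a 3-transform count constant (adding one to the TypesAndValues file if none exists yet). Also, the new `f_sndAuthReqAndWaitForRsp_forAh` (hunk @@ -1843) fills only the `esp*` key-length, IV and block-size fields of `vc_sad[c_saOut]` after the AH exchange and never touches `ahIntegrKeyLen`, which reads like a copy of the ESP variant rather than AH-specific post-processing and should be checked against what `fx_setSecurityParameters` expects for an AH SA. Finally, `f_analyzeIkeAuthReq` (hunk @@ -584) indexes `trafficSelectorList[0]` on a payload received from the peer without first checking `lengthof(v_ikePayload.tsInitiator.trafficSelectorList) > 0`; a guard before each assignment would turn a malformed peer message into an `e_error` with a log line instead of a runtime error in the test component. The new parameter `protocolId` also breaks the file's `p_` prefix convention (`p_addrTn`, `p_addrIut`) and should be `p_protocolId`.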
@@ -464,6 +464,20 @@ group transformTmplts { p_saTransform2 } /* * @param p_ikePayload1 First element in SaTransformList * @param p_ikePayload2 Second element in SaTransformList * @param p_ikePayload3 Third element in SaTransformList */ template SaTransformList m_saTransformList_3Elem( template SaTransform p_saTransform1, template SaTransform p_saTransform2, template SaTransform p_saTransform3) := { p_saTransform1, p_saTransform2, p_saTransform3 } /* * @param p_ikePayload1 First element in SaTransformList * @param p_ikePayload2 Second element in SaTransformList Loading Loading @@ -512,6 +526,10 @@ group transformTmplts { diffieHellman := p_diffieHellmanGroup } template TransformId m_transformId_esn(ExtentedSequenceNumbers p_esn) := { extentedSequenceNumbers := p_esn } }//end group transformTmplts group payloadTemplates { Loading Loading @@ -767,6 +785,20 @@ group identificationPLTmplts { } } template IkePayload m_idResponderPL( UInt8 p_nextPayload, template octetstring p_data) := { idResponder := { nextPayload := p_nextPayload, criticalFlag := 0, reserved1 := c_uInt7Zero, payloadLength := lengthof(valueof(p_data)) + 8, idType := c_identificationIpv6Addr, reserved2 := c_uInt24Zero, data := p_data } } }//end identificationPLTmplts group authPLTmplts { Loading ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_TypesAndValues.ttcn +7 −3 Original line number Diff line number Diff line Loading @@ -1037,8 +1037,8 @@ IntegrityAlgo ahIntegrityAlgo, octetstring ahIntegrityKey, UInt16 ahIntegrKeyLen optional, UInt8 icvLen, UInt icvPadLen, UInt8 ahIcvLen, UInt ahIcvPadLen, EncryptionAlgo espEncryptionAlgo, octetstring espEncryptionKey, UInt16 espEncrKeyLen optional, Loading 
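Review bot: The doc comment added for `m_saTransformList_3Elem` names its parameters `p_ikePayload1..3`, but the template's parameters are `p_saTransform1..3`; it was copied from the neighbouring `_2Elem` comment (which carries the same mismatch) and should read `@param p_saTransform1 First element in SaTransformList` and so on for the other two. `m_transformId_esn` and `m_idResponderPL` are added without any header comment, unlike the documented templates around them; one-liners such as `/* Transform ID for the ESN transform type, carrying the extended-sequence-numbers choice */` and `/* Responder identification payload; p_data is the IPv6 address, idType is fixed to c_identificationIpv6Addr */` would match the file's style. The `+ 8` in `m_idResponderPL`'s payloadLength is the same unexplained literal as in `m_idInitiatorPL`; a short comment naming what those 8 octets cover would save readers a trip to the RFC.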
@@ -1048,10 +1048,13 @@ octetstring espIntegrityKey, UInt16 espIntegrKeyLen optional, UInt8 espIntegrBlockSize, UInt8 espIcvLen, //CombinedModeAlgo espCombinedModeAlgo, //octetstring espCombinedModeKey, IpSecProtocolMode ipSecProtocolMode, ExtentedSequenceNumbers extentedSequenceNumbers ExtentedSequenceNumbers extentedSequenceNumbers, TsTrafficSelector tsInitiator optional, TsTrafficSelector tsResponder optional } with { //variant "use=com.testingtech.ttcn.tci.*;"; Loading Loading @@ -1109,6 +1112,7 @@ //octetstring ikeIntegrityKey, UInt16 ikeIntegrKeyLen optional, UInt8 ikeIntegrBlockSize, UInt8 ikeIcvLen, DiffieHellmanGroup diffieHellmanGroup, octetstring diffieHellmanPrivKey, octetstring diffieHellmanSharedSecret, Loading Loading
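Review bot: The new record fields `ahIcvLen`, `espIcvLen`, `ikeIcvLen`, `tsInitiator` and `tsResponder` (hunks @@ -1037, @@ -1048, @@ -1109) are added without comments, and the SAD record otherwise carries none, so the unit and the meaning of zero are only discoverable from the users in LibIpv6_Interface_Functions (`int2oct(0, ahIcvLen)` and the `== 0` → `omit` branch). A short trailing comment per field, e.g. `UInt8 ahIcvLen, // AH ICV length in octets, 0 when the algorithm produces no ICV` and `TsTrafficSelector tsInitiator optional, // first selector taken from the peer's TSi payload; omit until IKE_AUTH is analysed`, would document that where the type is defined. It is also worth noting that `ahIcvPadLen` keeps type `UInt` while the three ICV lengths are `UInt8`; if that difference is intentional it deserves a comment, otherwise aligning the types would be cleaner. The `espCombinedModeAlgo`/`espCombinedModeKey` lines remain commented out in the record and in every initialiser; a `// TODO` stating whether combined mode is planned or abandoned would be clearer than dead fields.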
ttcn3/EtsiLibrary/LibIpv6/LibCommonRfcs/LibIpv6_CommonRfcs_Functions.ttcn +37 −18 Original line number Diff line number Diff line Loading @@ -774,6 +774,7 @@ group ipSecFns { //ikeIntegrityKey := PX_IKE_INT_KEY, ikeIntegrKeyLen := omit, ikeIntegrBlockSize := 0, ikeIcvLen := f_getIcvLen(PX_IKE_INTALGO), diffieHellmanGroup := PX_IKE_DIFFIEHELLMAN_GROUP, diffieHellmanPrivKey := PX_IKE_DIFFIEHELLMAN_PRIVKEY, diffieHellmanSharedSecret := '00'O, Loading Loading @@ -807,8 +808,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -820,12 +821,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-IN Loading @@ -836,8 +840,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading 
@@ -849,12 +853,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-OUT Loading @@ -865,8 +872,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -878,12 +885,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-IN Loading 
@@ -894,8 +904,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -907,12 +917,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-OUT Loading @@ -923,8 +936,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading 
@@ -936,12 +949,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } // SAD-IN Loading @@ -952,8 +968,8 @@ group ipSecFns { ahIntegrityAlgo := PX_INTEGRITY_ALGO, ahIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, ahIntegrKeyLen := omit, icvLen := f_getIcvLen(PX_INTEGRITY_ALGO), icvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), ahIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), ahIcvPadLen := f_getIcvPadLen(PX_INTEGRITY_ALGO), // ESP encryption espEncryptionAlgo := PX_ENCRYPTION_ALGO, espEncryptionKey := PX_ESP_ENCR_KEY/*f_createSecretKey()*/, Loading @@ -965,12 +981,15 @@ group ipSecFns { espIntegrityKey := PX_INTEGRITY_KEY/*f_createSecretKey()*/, espIntegrKeyLen := omit, espIntegrBlockSize := v_espIntegrBlockSize, espIcvLen := f_getIcvLen(PX_INTEGRITY_ALGO), // Combined mode //espCombinedModeAlgo := PX_COMBINED_MODE_ALGO, //espCombinedModeKey := PX_COMBINED_MODE_KEY/*f_createSecretKey()*/, // Protocol mode ipSecProtocolMode := PX_IP_SEC_PROTOCOL_MODE, extentedSequenceNumbers := e_extentedSequenceNumbersNo extentedSequenceNumbers := e_extentedSequenceNumbersNo, tsInitiator := omit, tsResponder := omit } return v_ret; Loading
ttcn3/EtsiLibrary/LibIpv6/LibCommonRfcs/LibIpv6_Interface_Functions.ttcn +7 −7 Original line number Diff line number Diff line Loading @@ -269,29 +269,29 @@ group rfc2460Root_Functions { //Set Dummy ICV of correct length v_spi := v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.securityParametersIndex; if (vc_sad[v_spi].icvLen == 0) { if (vc_sad[v_spi].ahIcvLen == 0) { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icv := omit; } else { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icv := int2oct(0, vc_sad[v_spi].icvLen); v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icv := int2oct(0, vc_sad[v_spi].ahIcvLen); } // Check ICV padding if (vc_sad[v_spi].icvPadLen == 0) { if (vc_sad[v_spi].ahIcvPadLen == 0) { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icvPadding := omit; } else { v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icvPadding := int2oct(0, vc_sad[v_spi].icvPadLen); v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.icvPadding := int2oct(0, vc_sad[v_spi].ahIcvPadLen); } // Update AuthHeader payloadLen v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.payloadLen := (12 + vc_sad[v_spi].icvLen + vc_sad[v_spi].icvPadLen) / 4 - 2; v_activeIpv6Packet.extHdrList[v_authHdrIndex].authHeader.payloadLen := (12 + vc_sad[v_spi].ahIcvLen + vc_sad[v_spi].ahIcvPadLen) / 4 - 2; //Update IPv6 payload based on the calculated ICV + padding v_activeIpv6Packet.ipv6Hdr.payloadLength := fx_payloadLength (p_ipv6Packet); //compute icv if (vc_sad[v_spi].icvLen != 0) { if (vc_sad[v_spi].ahIcvLen != 0) { // work on a temporary copy in order to be able to zero mutable fields v_tempIpv6Packet := v_activeIpv6Packet; Loading
ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Functions.ttcn +173 −109 Original line number Diff line number Diff line Loading @@ -435,7 +435,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { in template Ipv6Address p_dst) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret := e_success; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet; // next payload from IKE header Loading Loading @@ -560,7 +560,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { function f_analyzeIkeAuthReq(in template Ipv6Packet p_ipv6Packet, out UInt8 p_protocolId) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret := e_success; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet := valueof(p_ipv6Packet); // next payload from IKE header Loading @@ -584,13 +584,17 @@ module LibIpv6_Rfc4306Ikev2_Functions { // get Traffic selector initiator payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret_local == e_error) if (v_ret_local == e_success) { vc_sad[c_saIn].tsInitiator := v_ikePayload.tsInitiator.trafficSelectorList[0];} else { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector initiator payload in payload list **** "); v_ret := e_error;} // get Traffic selector responder payload data v_ret_local := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret_local == e_error) if (v_ret_local == e_success) { vc_sad[c_saIn].tsResponder := v_ikePayload.tsResponder.trafficSelectorList[0];} else { log("**** f_analyzeIkeAuthReq: ERROR: No Traffic selector responder payload in payload list **** "); v_ret := e_error;} Loading Loading 
@@ -926,7 +930,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { function f_analyzeIkeAuthRsp(in template Ipv6Packet p_ipv6Packet) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret; var FncRetCode v_ret := e_success; var FncRetCode v_ret_local; var Ipv6Packet v_ipv6Packet := valueof (p_ipv6Packet); // next payload from IKE header Loading Loading @@ -974,7 +978,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { { v_protocolId := v_ikePayload.securityAssociation.saProposalList[0].protocolId; // put data from first proposal into vc_Sad vc_sad[c_saIn].spi := oct2int(v_ikePayload.securityAssociation.saProposalList[0].spi); vc_sad[c_saOut].spi := oct2int(v_ikePayload.securityAssociation.saProposalList[0].spi); if (v_protocolId == c_protocolEsp) { Loading @@ -982,13 +986,13 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeEncr,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].espEncryptionAlgo != v_saTransform.transformId.encryptionAlgo) { if (vc_sad[c_saOut].espEncryptionAlgo != v_saTransform.transformId.encryptionAlgo) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espEncrKeyLen)) if (ispresent(vc_sad[c_saOut].espEncrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espEncrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { if(vc_sad[c_saOut].espEncrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong encryption algorithm attribute length **** "); v_ret := e_error;}} else Loading 
@@ -1001,17 +1005,17 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret := e_error;} // check optional ESP integrity algorithm, if present if (ispresent(vc_sad[c_saIn].espIntegrityAlgo)) if (ispresent(vc_sad[c_saOut].espIntegrityAlgo)) {v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].espIntegrityAlgo != v_saTransform.transformId.integAlgorithms) { if(vc_sad[c_saOut].espIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].espIntegrKeyLen)) if (ispresent(vc_sad[c_saOut].espIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].espIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { if(vc_sad[c_saOut].espIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong ESP integrity algorithm attribute length **** "); v_ret := e_error;}} else Loading 
@@ -1030,13 +1034,13 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeInteg,v_saTransform); if (v_ret_local == e_success) { if(vc_sad[c_saIn].ahIntegrityAlgo != v_saTransform.transformId.integAlgorithms) { if(vc_sad[c_saOut].ahIntegrityAlgo != v_saTransform.transformId.integAlgorithms) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm **** "); v_ret := e_error;} // check attribute key length, if present in vc_sad if (ispresent(vc_sad[c_saIn].ahIntegrKeyLen)) if (ispresent(vc_sad[c_saOut].ahIntegrKeyLen)) { if (ispresent(v_saTransform.saTransformAttributeList)) { if(vc_sad[c_saIn].ahIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { if(vc_sad[c_saOut].ahIntegrKeyLen != v_saTransform.saTransformAttributeList[0].keyLength.attributeValue) { log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong AH integrity algorithm attribute length **** "); v_ret := e_error;}} else Loading @@ -1053,7 +1057,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_ret_local := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeEsn,v_saTransform); if (v_ret_local == e_success) { if (vc_sad[c_saIn].extentedSequenceNumbers != v_saTransform.transformId.extentedSequenceNumbers) { if (vc_sad[c_saOut].extentedSequenceNumbers != v_saTransform.transformId.extentedSequenceNumbers) {log("**** f_analyzeIkeAuthRsp: ERROR: Security Association payload indicates wrong extented sequence numbers **** "); v_ret := e_error;} } Loading Loading 
@@ -1291,14 +1295,20 @@ group sendRequests { function f_createAndSendAuthReq( template Ipv6Address p_addrTn, template Ipv6Address p_addrIut template Ipv6Address p_addrIut, UInt8 protocolId ) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret := e_error; var IkePayload v_securityAssociationPL; var SaTransform v_saTransformEncr; var SaTransform v_saTransformEncr := valueof ( if (protocolId == c_protocolId_esp) { // Build Security Association payload for ESP v_saTransformEncr := valueof ( m_saTransform ( c_moreTransform, c_transformTypeEncr, Loading @@ -1321,6 +1331,64 @@ group sendRequests { ); } // Security Association payload for ESP v_securityAssociationPL := valueof (m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_esp, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_3Elem ( v_saTransformEncr, m_saTransform ( c_moreTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].espIntegrityAlgo), omit//Attribute ), m_saTransform ( c_lastTransform, c_transformTypeEsn, m_transformId_esn(vc_sad[c_saOut].extentedSequenceNumbers), omit//Attribute ) ) ) )); } else { // Build Security Association payload for AH v_securityAssociationPL := valueof (m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_ah, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_2Elem ( m_saTransform ( c_moreTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].ahIntegrityAlgo), omit//Attribute ), m_saTransform ( c_lastTransform, c_transformTypeEsn, m_transformId_esn(vc_sad[c_saOut].extentedSequenceNumbers), omit//Attribute ) ) ) )); } // Transport mode, Notify payload requesting 'UseTransportMode' is included in IKE_AUTH request if(vc_sad[c_saOut].ipSecProtocolMode == e_transportMode) { Loading Loading 
@@ -1351,26 +1419,7 @@ group sendRequests { c_saPL, f_calculateAUTH(vc_ikeSad[0],c_initiator) ), m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_esp, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_2Elem ( v_saTransformEncr, m_saTransform ( c_lastTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].espIntegrityAlgo), omit//Attribute ) ) ) ), v_securityAssociationPL, m_tsInitiatorPL( c_tsResponderPL, m_trafficSelectorList_1Elem ( Loading Loading @@ -1425,26 +1474,7 @@ group sendRequests { c_saPL, f_calculateAUTH(vc_ikeSad[0],c_initiator) ), m_securityAssociationPL( c_tsInitiatorPL, m_saProposalIke( c_lastProposal, c_proposalNr1, c_protocolId_esp, c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saOut].spi,c_spiSize4), m_saTransformList_2Elem ( v_saTransformEncr, m_saTransform ( c_lastTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saOut].espIntegrityAlgo), omit//Attribute ) ) ) ), v_securityAssociationPL, m_tsInitiatorPL( c_tsResponderPL, m_trafficSelectorList_1Elem ( Loading Loading @@ -1474,8 +1504,6 @@ group sendRequests { ); } if (v_ret != e_success) { return v_ret;} return v_ret ; }//end f_createAndSendAuthReq Loading Loading @@ -1675,13 +1703,13 @@ group sendResponses { 0, //c_protocolId_none, c_notifyUseTransportMode ), m_idInitiatorPL ( m_idResponderPL ( c_authenticationPL, p_addrTn p_addrIut ), m_authPL ( c_saPL, f_calculateAUTH(vc_ikeSad[0],c_initiator) f_calculateAUTH(vc_ikeSad[0],c_responder) ), m_securityAssociationPL( c_tsInitiatorPL, Loading 
@@ -1692,13 +1720,19 @@ group sendResponses { c_spiSize4, c_2Transforms, int2oct(vc_sad[c_saIn].spi,c_spiSize4), m_saTransformList_2Elem ( m_saTransformList_3Elem ( v_saTransformEncr, m_saTransform ( c_lastTransform, c_moreTransform, c_transformTypeInteg, m_transformId_integ(vc_sad[c_saIn].espIntegrityAlgo), omit//Attribute ), m_saTransform ( c_lastTransform, c_transformTypeEsn, m_transformId_esn(vc_sad[c_saIn].extentedSequenceNumbers), omit//Attribute ) ) ) Loading @@ -1706,23 +1740,13 @@ group sendResponses { m_tsInitiatorPL( c_tsResponderPL, m_trafficSelectorList_1Elem ( m_icmpv6Ts( oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), p_addrTn, p_addrTn ) vc_sad[c_saIn].tsInitiator ) ), m_tsResponderPL( c_noNextPL, m_trafficSelectorList_1Elem ( m_icmpv6Ts( oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), oct2int(int2oct(c_echoRequestMsg,2) & int2oct(c_icmpCode0,2)), p_addrIut, p_addrIut ) vc_sad[c_saIn].tsResponder ) ) ) Loading @@ -1730,7 +1754,6 @@ group sendResponses { ) ) ); if (v_ret != e_success) { return v_ret;} return v_ret ; }//end f_createAndSendAuthRsp Loading Loading @@ -1813,7 +1836,8 @@ group establishSAFns_active { v_ret := f_createAndSendAuthReq( p_addrTn, p_addrIut p_addrIut, c_protocolId_esp ); if (v_ret != e_success) { return v_ret;} Loading Loading 
@@ -1843,6 +1867,46 @@ group establishSAFns_active { }//end f_sndAuthReqAndWaitForRsp_forEsp function f_sndAuthReqAndWaitForRsp_forAh( template Ipv6Address p_addrTn, template Ipv6Address p_addrIut ) runs on LibIpv6Node return FncRetCode { var FncRetCode v_ret := e_error; v_ret := f_createAndSendAuthReq( p_addrTn, p_addrIut, c_protocolId_ah ); if (v_ret != e_success) { return v_ret;} // wait for IKE_AUTH response v_ret := f_waitForIkeAuthRsp(p_addrIut, p_addrTn); if (v_ret != e_success) { return v_ret;} //fill keyLen vc_sad[c_saOut].espEncrKeyLen := 0; v_ret := f_getEncrKeyLen(vc_sad[c_saOut].espEncryptionAlgo, vc_sad[c_saOut].espEncrKeyLen); if (v_ret != e_success) { return v_ret;} vc_sad[c_saOut].espIntegrKeyLen := 0; v_ret := f_getIntegrKeyLen(vc_sad[c_saOut].espIntegrityAlgo, vc_sad[c_saOut].espIntegrKeyLen); if (v_ret != e_success) { return v_ret;} //fill iv and block sizes v_ret := f_getIv(vc_sad[c_saOut].espEncryptionAlgo, vc_sad[c_saOut].espIv); if (v_ret != e_success) { return v_ret;} v_ret := f_getEncrBlockSize(vc_sad[c_saOut].espEncryptionAlgo, vc_sad[c_saOut].espEncrBlockSize); if (v_ret != e_success) { return v_ret;} v_ret := f_getIntegrBlockSize(vc_sad[c_saOut].espIntegrityAlgo, vc_sad[c_saOut].espIntegrBlockSize); if (v_ret != e_success) { return v_ret;} v_ret := fx_setSecurityParameters(vc_sad); return v_ret; }//end f_sndAuthReqAndWaitForRsp_forAh }//end establishSAFns_active group establishSAFns_passive { Loading
ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Templates.ttcn +32 −0 Original line number Diff line number Diff line Loading @@ -464,6 +464,20 @@ group transformTmplts { p_saTransform2 } /* * @param p_ikePayload1 First element in SaTransformList * @param p_ikePayload2 Second element in SaTransformList * @param p_ikePayload3 Third element in SaTransformList */ template SaTransformList m_saTransformList_3Elem( template SaTransform p_saTransform1, template SaTransform p_saTransform2, template SaTransform p_saTransform3) := { p_saTransform1, p_saTransform2, p_saTransform3 } /* * @param p_ikePayload1 First element in SaTransformList * @param p_ikePayload2 Second element in SaTransformList Loading Loading @@ -512,6 +526,10 @@ group transformTmplts { diffieHellman := p_diffieHellmanGroup } template TransformId m_transformId_esn(ExtentedSequenceNumbers p_esn) := { extentedSequenceNumbers := p_esn } }//end group transformTmplts group payloadTemplates { Loading Loading @@ -767,6 +785,20 @@ group identificationPLTmplts { } } template IkePayload m_idResponderPL( UInt8 p_nextPayload, template octetstring p_data) := { idResponder := { nextPayload := p_nextPayload, criticalFlag := 0, reserved1 := c_uInt7Zero, payloadLength := lengthof(valueof(p_data)) + 8, idType := c_identificationIpv6Addr, reserved2 := c_uInt24Zero, data := p_data } } }//end identificationPLTmplts group authPLTmplts { Loading
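Review bot: The doc comment added for `m_saTransformList_3Elem` names parameters `p_ikePayload1..3`, but the template's formal parameters are `p_saTransform1`, `p_saTransform2` and `p_saTransform3`; the lines should read `@param p_saTransform1 First element in SaTransformList` and so on (the 2-element template's comment shown in the context has the same mismatch, so correcting both keeps the group consistent). `m_transformId_esn` and `m_idResponderPL` are added without any header comment, unlike the transform-list templates above them; a one-liner such as `/* ESN transform: p_esn selects whether extended sequence numbers are negotiated */` and, for `m_idResponderPL`, a note that `idType` is fixed to `c_identificationIpv6Addr` so `p_data` is expected to carry an IPv6 address would spare the next reader a lookup.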
ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_TypesAndValues.ttcn +7 −3 Original line number Diff line number Diff line Loading @@ -1037,8 +1037,8 @@ IntegrityAlgo ahIntegrityAlgo, octetstring ahIntegrityKey, UInt16 ahIntegrKeyLen optional, UInt8 icvLen, UInt icvPadLen, UInt8 ahIcvLen, UInt ahIcvPadLen, EncryptionAlgo espEncryptionAlgo, octetstring espEncryptionKey, UInt16 espEncrKeyLen optional, Loading @@ -1048,10 +1048,13 @@ octetstring espIntegrityKey, UInt16 espIntegrKeyLen optional, UInt8 espIntegrBlockSize, UInt8 espIcvLen, //CombinedModeAlgo espCombinedModeAlgo, //octetstring espCombinedModeKey, IpSecProtocolMode ipSecProtocolMode, ExtentedSequenceNumbers extentedSequenceNumbers ExtentedSequenceNumbers extentedSequenceNumbers, TsTrafficSelector tsInitiator optional, TsTrafficSelector tsResponder optional } with { //variant "use=com.testingtech.ttcn.tci.*;"; Loading Loading @@ -1109,6 +1112,7 @@ //octetstring ikeIntegrityKey, UInt16 ikeIntegrKeyLen optional, UInt8 ikeIntegrBlockSize, UInt8 ikeIcvLen, DiffieHellmanGroup diffieHellmanGroup, octetstring diffieHellmanPrivKey, octetstring diffieHellmanSharedSecret, Loading
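Review bot: The new SAD fields `espIcvLen`, `ikeIcvLen`, `tsInitiator` and `tsResponder`, and the renamed `ahIcvLen`/`ahIcvPadLen`, are added to the record with no comment on their units or on who fills them; a short per-field comment would help, e.g. `UInt8 espIcvLen, // ESP ICV length in octets` and `TsTrafficSelector tsInitiator optional, // TSi copied from the peer's IKE_AUTH request; omit until negotiated`. Separately, `ahIcvPadLen` keeps the `UInt` type while the neighbouring `ahIcvLen` and the new `espIcvLen`/`ikeIcvLen` are all `UInt8`; since the rename touches that line anyway, `UInt8 ahIcvPadLen,` would make the ICV-related fields consistent, unless a wider pad length is genuinely needed somewhere not visible here.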