Commit 75a8570e authored by schmitting's avatar schmitting

Receipt of responses (IKE_SA_INIT & IKE_AUTJ) added

parent 677116a6
+2 −2
@@ -446,8 +446,8 @@ group ipSecFns {
			nI := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16),
			nR := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16),
			proposalNr := 1,//smu not needed anymore delete
			udpSourcePort := PX_UDP_PORT_IUT_1,
			udpDestPort := PX_UDP_PORT_HS02,
			udpTnPort := PX_UDP_PORT_IUT_1,
			udpIutPort := PX_UDP_PORT_HS02,
			iDi := PX_IDENTIFICATION_DATA, //new ps identification initiator
			iDr := PX_IDENTIFICATION_DATA //new ps identification responder
		}
+177 −31
@@ -451,9 +451,10 @@ module LibIpv6_Rfc4306Ikev2_Functions {
				{
					tc_wait.stop;

					vc_ikeSad[0].udpSourcePort := v_ipv6Packet.ipv6Payload.ikeMsg.sourcePort;
					vc_ikeSad[0].udpDestPort := v_ipv6Packet.ipv6Payload.ikeMsg.destPort;
					vc_ikeSad[0].udpTnPort := v_ipv6Packet.ipv6Payload.ikeMsg.destPort;
					vc_ikeSad[0].udpIutPort := v_ipv6Packet.ipv6Payload.ikeMsg.sourcePort;
					vc_ikeSad[0].spiInitiator := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.initiatorSpi;
					vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1;
					v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.nextPayload;
					v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList;
					
@@ -557,10 +558,16 @@ module LibIpv6_Rfc4306Ikev2_Functions {
		alt {
			[]	ipPort.receive(mw_ikeAuthReq(	p_src,
												p_dst,
												vc_ikeSad[0].udpIutPort,
												vc_ikeSad[0].udpTnPort,
												vc_ikeSad[0].spiInitiator,
												vc_ikeSad[0].spiResponder,
												vc_ikeSad[0].messageID,
												mw_encryptedPLL(mw_ikeAuthReqPLL))) -> value v_ipv6Packet
				{
					tc_wait.stop;

					vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1;
					v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload;
					v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList;
					
@@ -646,6 +653,11 @@ module LibIpv6_Rfc4306Ikev2_Functions {
	group receiveResponses

	{
	/*
	 * @desc  Test Node waits for IKE_SA_INIT response
 	 * @param p_src address of IUT
	 * @param p_dst address of test node
	*/
	function f_waitForIkeSaInitres(	in template Ipv6Address p_src,
									in template Ipv6Address p_dst)
	runs on LibIpv6Node
@@ -662,86 +674,95 @@ module LibIpv6_Rfc4306Ikev2_Functions {

		tc_wait.start;
		alt {
			[]	ipPort.receive(mw_ikeSaInitReq(	p_src,
			[]	ipPort.receive(mw_ikeSaInitRes(	p_src,
												p_dst,

												mw_ikeSaInitReqPLL)) -> value v_ipv6Packet
												vc_ikeSad[0].udpIutPort,
												vc_ikeSad[0].udpTnPort,
												vc_ikeSad[0].spiInitiator,
												vc_ikeSad[0].messageID,
												mw_ikeSaInitResPLL)) -> value v_ipv6Packet
				{
					tc_wait.stop;

					vc_ikeSad[0].udpSourcePort := v_ipv6Packet.ipv6Payload.ikeMsg.sourcePort;
					vc_ikeSad[0].udpDestPort := v_ipv6Packet.ipv6Payload.ikeMsg.destPort;
					vc_ikeSad[0].spiInitiator := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.initiatorSpi;
					vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1;
					vc_ikeSad[0].spiResponder := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.responderSpi;
					v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.nextPayload;
					v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList;
					
					// get Nonce payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_noncePL,v_ikePayload);
					if (v_ret == e_success)
					{ vc_ikeSad[0].nI := v_ikePayload.nonce.data; }
					{ vc_ikeSad[0].nR := v_ikePayload.nonce.data; }
					else
					{ log("**** f_waitForIkeSaInitreq: ERROR: No Nonce payload in payload list **** "); }
					{ log("**** f_waitForIkeSaInitres: ERROR: No Nonce payload in payload list **** "); }

					// get Key exchange payload data
					// get and check Key exchange payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_keyExchangePL,v_ikePayload);
					if (v_ret == e_success)
					{ vc_ikeSad[0].diffieHellmanGroup := v_ikePayload.keyExchange.dhGroup;
					  // calculate shared Diffie-Hellman secret
					  vc_ikeSad[0].diffieHellmanSharedSecret := fx_dHSharedSecret(vc_ikeSad[0].diffieHellmanGroup,
										  										  PX_IKE_DIFFIEHELLMAN_PRIVKEY,
										 										  v_ikePayload.keyExchange.data);
					{ if (vc_ikeSad[0].diffieHellmanGroup != v_ikePayload.keyExchange.dhGroup)
						{ v_ret := e_error;
						  log("**** f_waitForIkeSaInitres: ERROR: Key Exchange payload indicates wrong Diffie-Hellman group **** "); }
					}
					else
					{ log("**** f_waitForIkeSaInitreq: ERROR: No Key Exchange payload in payload list **** "); }
					{ log("**** f_waitForIkeSaInitres: ERROR: No Key Exchange payload in payload list **** "); }

					// get Security Association payload proposal data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_saPL,v_ikePayload);
					if (v_ret == e_success)
					// put data from first proposal into vc_ikeSad
					// store encryption algorithm
					// check encryption algorithm
					{ 	
						v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeEncr,v_saTransform);
						if (v_ret == e_success)
						{vc_ikeSad[0].ikeEncryptionAlgo := v_saTransform.transformId.encryptionAlgo; }
						{ if (vc_ikeSad[0].ikeEncryptionAlgo != v_saTransform.transformId.encryptionAlgo)
						  	{ log("**** f_waitForIkeSaInitres: ERROR: Security Association payload indicates wrong encryption algorithm **** ");
							  return e_error;}
						}
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); }
						{ log("**** f_waitForIkeSaInitres: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); }

					// store pseudo random function
					// check pseudo random function
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypePrf,v_saTransform);
						if (v_ret == e_success)
						{vc_ikeSad[0].ikePseudoRandomFunction := v_saTransform.transformId.pseudoRandomFunction; }
						{ if (vc_ikeSad[0].ikePseudoRandomFunction != v_saTransform.transformId.pseudoRandomFunction)
						  	{ log("**** f_waitForIkeSaInitres: ERROR: Security Association payload indicates wrong pseudo random function **** ");
							  return e_error;}
						}
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No pseudo random function transform in 1st proposal of Security Association payload **** "); }
						{ log("**** f_waitForIkeSaInitres: ERROR: No pseudo random function transform in 1st proposal of Security Association payload **** "); }

					// store integrity algorithm
					// check integrity algorithm
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeInteg,v_saTransform);
						if (v_ret == e_success)
						{vc_ikeSad[0].ikeIntegrityAlgo := v_saTransform.transformId.integAlgorithms; }
						{ if (vc_ikeSad[0].ikeIntegrityAlgo != v_saTransform.transformId.integAlgorithms)
						  	{ log("**** f_waitForIkeSaInitres: ERROR: Security Association payload indicates wrong integrity algorithm **** ");
							  return e_error;}
						}
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); }
						{ log("**** f_waitForIkeSaInitres: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); }

					// check Diffie-Hellman group
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeDh,v_saTransform);
						if (v_ret == e_success)
						{if(vc_ikeSad[0].diffieHellmanGroup != v_saTransform.transformId.diffieHellman)
							{log("**** f_waitForIkeSaInitreq: ERROR: Diffie-Hellman transform carries value different to value from Key Exchange payload **** ");
							{log("**** f_waitForIkeSaInitres: ERROR: Security Association payload indicates wrong Diffie-Hellman group **** ");
							 return e_error;}}
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No Diffie-Hellman transform in 1st proposal of Security Association payload **** "); }
						{ log("**** f_waitForIkeSaInitres: ERROR: No Diffie-Hellman transform in 1st proposal of Security Association payload **** "); }
					}
					else
					{ log("**** f_waitForIkeSaInitreq: ERROR: No Security Association payload in payload list **** ") }
					{ log("**** f_waitForIkeSaInitres: ERROR: No Security Association payload in payload list **** ") }

				}

			[]	tc_wait.timeout
				{
					v_ret :=  e_timeout;
					log("**** f_waitForIkeSaInitreq: ERROR: tc_wait.timeout **** ");
					log("**** f_waitForIkeSaInitres: ERROR: tc_wait.timeout **** ");
					return v_ret;
				}		
		} // end alt
@@ -749,6 +770,131 @@ module LibIpv6_Rfc4306Ikev2_Functions {
		return v_ret;

	} //end f_waitForIkeSaInitreq

	/*
	 * @desc  Test Node waits for IKE_AUTH response
 	 * @param p_src address of IUT
	 * @param p_dst address of test node
	*/
	function f_waitForIkeAuthres(	in template Ipv6Address p_src,
									in template Ipv6Address p_dst)
	runs on LibIpv6Node
	return FncRetCode {
		var FncRetCode v_ret;
		var Ipv6Packet v_ipv6Packet;
		// next payload from IKE header
		var UInt8 v_nextPayload;
		// list of payloads
		var IkePayloadList v_ikePayloadList;
		var IkePayload v_ikePayload;
		// SA protoocol ID
		var UInt8 v_protocolId;
		// transform
		var SaTransform v_saTransform;

		tc_wait.start;
		alt {
			[]	ipPort.receive(mw_ikeAuthRes(	p_src,
												p_dst,
												vc_ikeSad[0].udpIutPort,
												vc_ikeSad[0].udpTnPort,
												vc_ikeSad[0].spiInitiator,
												vc_ikeSad[0].spiResponder,
												vc_ikeSad[0].messageID,
												mw_encryptedPLL(mw_ikeAuthResPLL))) -> value v_ipv6Packet
				{
					tc_wait.stop;

					vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1;
					v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload;
					v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList;
					
					// get Identification payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_idResponderPL,v_ikePayload);
					if (v_ret == e_success)
					{ vc_ikeSad[0].iDr := v_ikePayload.idInitiator.data; }
					else
					{ log("**** f_waitForAurhreq: ERROR: No Identification payload in payload list **** "); }

					// get Traffic selector initiator payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload);
					if (v_ret == e_error)
					{ log("**** f_waitForIkeAuthreq: ERROR: No Traffic selector initiator payload in payload list **** "); }

					// get Traffic selector responder payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload);
					if (v_ret == e_error)
					{ log("**** f_waitForIkeAuthreq: ERROR: No Traffic selector responder payload in payload list **** "); }

					// get Authentication payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_authenticationPL,v_ikePayload);
					if (v_ret == e_error)
					{ log("**** f_waitForIkeAuthreq: ERROR: No Authentication payload in payload list **** "); }

					// get Security Association payload proposal data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_saPL,v_ikePayload);
					if (v_ret == e_success)
					{ 	
						v_protocolId := v_ikePayload.securityAssociation.saProposalList[0].protocolId;
						// put data from first proposal into vc_Sad
						vc_sad[c_saIn].spi := oct2int(v_ikePayload.securityAssociation.saProposalList[0].spi);

						if (v_protocolId == c_protocolEsp)
						{
							// check encryption algorithm
							v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
														  c_transformTypeEncr,v_saTransform);
							if (v_ret == e_success)
							{ if (vc_sad[c_saIn].espEncryptionAlgo != v_saTransform.transformId.encryptionAlgo)
							   {log("**** f_waitForIkeAuthres: ERROR: Security Association payload indicates wrong encryption algorithm **** ");
							    return e_error;}
							}
							else
							{ log("**** f_waitForIkeAuthtreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); }
						}

						if (v_protocolId == c_protocolAh)
						{
							// check integrity algorithm
						 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
														  c_transformTypeInteg,v_saTransform);
							if (v_ret == e_success)
							{ if(vc_sad[c_saIn].ahIntegrityAlgo != v_saTransform.transformId.integAlgorithms)
							   {log("**** f_waitForIkeAuthres: ERROR: Security Association payload indicates wrong integrity algorithm **** ");
							    return e_error;}
							}
							else
							{ log("**** f_waitForIkeAuthtreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); }
						}

						// check extended sequence numbers 
						v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeEsn,v_saTransform);
						if (v_ret == e_success)
						{ if (vc_sad[c_saIn].extentedSequenceNumbers != v_saTransform.transformId.extentedSequenceNumbers)
						   {log("**** f_waitForIkeAuthres: ERROR: Security Association payload indicates wrong extented sequence numbers **** ");
						    return e_error;}
						}
						else
						{ log("**** f_waitForIkeAuthtreq: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); }
					}

					else
					{ log("**** f_waitForIkeAuthreq: ERROR: No Security Association payload in payload list **** "); }
				}

			[]	tc_wait.timeout
				{
					v_ret :=  e_timeout;
					log("**** f_waitForIkeAuthreq: ERROR: tc_wait.timeout **** ");
					return v_ret;
				}		
		} // end alt

		return v_ret;

	} //end f_waitForIkeAuthres
	
	} // end group receiveResponses

group sendRequests {
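Review bot: In f_waitForIkeAuthres the payload fetched with c_idResponderPL is read through the initiator alternative (`vc_ikeSad[0].iDr := v_ikePayload.idInitiator.data;`); if the payload union has a distinct responder-identification alternative, this selects the wrong one and fails at run time, so it presumably should read that alternative instead. The log prefixes in the same function still carry the request-side names (`f_waitForAurhreq`, `f_waitForIkeAuthreq`, `f_waitForIkeAuthtreq`), which will misattribute failures in the test log; they should all read `f_waitForIkeAuthres`. In f_waitForIkeSaInitres the Diffie-Hellman group mismatch branch sets `v_ret := e_error;` but does not return, and v_ret is overwritten by the following f_getPayload call, so the mismatch is silently lost; `return e_error;` there would match the other checks in that function. Also, unlike the request-side handler, the response path only checks the key-exchange group and never derives the shared secret from the responder's key-exchange data; if that derivation is not done elsewhere, the test node has no keying material to process the encrypted IKE_AUTH response it later expects.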
+70 −17
@@ -101,14 +101,16 @@

		template IkeSaInitResponse mw_ikeSaInitRes (	template Ipv6Address p_src,
												    	template Ipv6Address p_dst,
														UInt16 p_udpSourcePort,
														UInt16 p_udpDestPort,
														Oct8 p_initiatorSpi,
														UInt32 p_messageID,
													    template IkePayloadList p_ikepayloads) := {
			ipv6Hdr :=  mw_ipHdr_nextHdr_srcDst(c_udpHdr, p_src, p_dst),
			extHdrList        := omit,
			ipv6Payload       := { ikeMsg := {
				sourcePort    := (c_udpPort500,c_udpPort4500), 
				destPort      := (c_udpPort500,c_udpPort4500),
				sourcePort    := p_udpSourcePort, 
				destPort      := p_udpDestPort,
				msgLength     := ?,																																								
				checksum      := ?,
				padding       := c_4ZeroBytes ifpresent,
@@ -176,19 +178,24 @@

		template IkeAuthRequest mw_ikeAuthReq (	template Ipv6Address p_src,
												template Ipv6Address p_dst,
												UInt16 p_udpSourcePort,
												UInt16 p_udpDestPort,
												Oct8 p_initiatorSpi,
												Oct8 p_responderSpi,
												UInt32 p_messageID,
												template IkePayloadList p_ikepayloads) := {
			ipv6Hdr :=  mw_ipHdr_nextHdr_srcDst(c_udpHdr, p_src, p_dst),
			extHdrList        := omit,
			ipv6Payload       := { ikeMsg := {
				sourcePort    := (c_udpPort500,c_udpPort4500), 
				destPort      := (c_udpPort500,c_udpPort4500),
				sourcePort    := p_udpSourcePort, 
				destPort      := p_udpDestPort,
				msgLength     := ?,																																								
				checksum      := ?,
				padding       := c_4ZeroBytes ifpresent,
				// IKEv2 Header
				ikev2Header	  := {
					initiatorSpi  := ?,
					responderSpi  := c_zeroResponderSpi,
					initiatorSpi  := p_initiatorSpi,
					responderSpi  := p_responderSpi,
					nextPayload   := ?,
					majorVersion  := c_ikeMajorVersion2,
					minorVersion  := c_ikeMinorVersion0,
@@ -198,7 +205,7 @@
					vFlag         := c_vFlag,
					iFlag         := c_iFlagInitiator,
					threeXFlags   := ?,
					messageID     := c_uInt32Zero,
					messageID     := p_messageID,
					messageLength := ?
				},
				// IKEv2 Payloads
@@ -246,19 +253,65 @@
			}
		}

	}//end group payLoadListTemplates
	}//end group ikeAuthRequestTemplates

	group ikeAuthResponseTemplates {

		template IkeAuthResponse mw_ikeAuthRes (template Ipv6Address p_src,
												template Ipv6Address p_dst,
												UInt16 p_udpsourcePort,
												UInt16 p_udpdestPort,
												Oct8 p_initiatorSpi,
												Oct8 p_responderSpi,
												UInt32 p_messageID,
												template IkePayloadList p_ikepayloads) := {
			ipv6Hdr :=  mw_ipHdr_nextHdr_srcDst(c_udpHdr, p_src, p_dst),
			extHdrList        := omit,
			ipv6Payload       := { ikeMsg := {
				sourcePort    := p_udpsourcePort, 
				destPort      := p_udpdestPort,
				msgLength     := ?,																																								
				checksum      := ?,
				padding       := c_4ZeroBytes ifpresent,
				// IKEv2 Header
				ikev2Header	  := {
					initiatorSpi  := p_initiatorSpi,
					responderSpi  := p_responderSpi,
					nextPayload   := ?,
					majorVersion  := c_ikeMajorVersion2,
					minorVersion  := c_ikeMinorVersion0,
					exchangeType  := c_ikeAuth,
					twoXFlags     := ?,
					rFlag         := c_rFlagResponse,
					vFlag         := c_vFlag,
					iFlag         := c_iFlagResponder,
					threeXFlags   := ?,
					messageID     := p_messageID,
					messageLength := ?
				},
				// IKEv2 Payloads
				payloadList   := p_ikepayloads
			}}
		}
	}//end group ikeAuthResponseTemplates

	group payLoadListTemplates {

		template IkePayloadList mw_ikeSaInitReqPLL :=
		superset ( mw_securityAssociationIkePL, mw_noncePL, mw_keyExchangePL);

		template IkePayloadList mw_ikeSaInitResPLL :=
		superset ( mw_securityAssociationIkePL, mw_noncePL, mw_keyExchangePL);

		template IkePayloadList mw_encryptedPLL(template IkePayloadList p_ikepayloads) :=
		{ mw_encryptedPL(p_ikepayloads) };

		template IkePayloadList mw_ikeAuthReqPLL :=
		superset ( mw_securityAssociationPL, mw_identificationPL, mw_trafficSelectorPL, mw_trafficSelectorPL, mw_authPL);

		template IkePayloadList mw_ikeAuthResPLL :=
		superset ( mw_securityAssociationPL, mw_identificationPL, mw_trafficSelectorPL, mw_trafficSelectorPL, mw_authPL);

		}//end group payLoadListTemplates

	group ikeSecurityAssociationPayloadTemplates {
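Review bot: mw_ikeAuthRes names its port parameters `p_udpsourcePort`/`p_udpdestPort`, while the sibling templates mw_ikeSaInitRes and mw_ikeAuthReq in the same file use `p_udpSourcePort`/`p_udpDestPort`; renaming them to match keeps the template signatures uniform. The new response templates (mw_ikeAuthRes, mw_ikeSaInitResPLL, mw_ikeAuthResPLL) carry no header comment; a short one above mw_ikeAuthRes such as `// IKE_AUTH response received by the test node; UDP ports, both SPIs and the message ID are pinned to the caller-supplied values so stray or replayed messages do not match` would document what the parameters constrain. The reserved flag fields `twoXFlags` and `threeXFlags` are matched with `?`, so reserved bits set by the IUT are not detected by this template; if that tolerance is deliberate, a comment saying so would help.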
+2 −2
@@ -1100,8 +1100,8 @@
			octetstring nI,//new smu nonce
			octetstring nR,//new smu nonce
			UInt8 proposalNr,//new smu nonce
			UInt16 udpSourcePort,
			UInt16 udpDestPort,
			UInt16 udpTnPort, // UDP port of test node (TN)
			UInt16 udpIutPort, // UDP port of IUT
			octetstring iDi, //new ps identification initiator
			octetstring iDr //new ps identification responder
		}