Loading ttcn3/EtsiLibrary/LibIpv6/LibCommonRfcs/LibIpv6_ModuleParameters.ttcn +5 −0 Original line number Diff line number Diff line Loading @@ -117,6 +117,11 @@ module LibIpv6_ModuleParameters { */ modulepar {octetstring PX_IKE_DIFFIEHELLMAN_PRIVKEY := '0123456789ABCDEF'O} /* * @desc Which pre-shared secret shall be used for calculating the AUTH value? */ modulepar {octetstring PX_SHARED_SECRET := '0123456789ABCDEF'O} } // end group ikeSecurity group udpPxts { Loading ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Functions.ttcn +84 −46 Original line number Diff line number Diff line Loading @@ -320,7 +320,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { p_saTransform); // transform was not found in first porposal but there is/are further proposal(s) with Id 1 if (v_ret == e_error and p_saProposalList[0].lastProposal != c_uInt8Zero) if (v_ret == e_error and p_saProposalList[0].lastProposal != c_lastProposal) { for(i := 1; (v_ret != e_success); i:= i + 1) {if (p_saProposalList[i].proposalNumber == 1) {v_ret := f_getTransform(p_saProposalList[i].saTransformList, Loading @@ -332,7 +332,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { return e_error;}} } // transform was not found in first porposal and there is no further proposal if (v_ret == e_error and p_saProposalList[0].lastProposal == c_uInt8Zero) if (v_ret == e_error and p_saProposalList[0].lastProposal == c_lastProposal) {return e_error; log("**** f_storeIKETransforms: ERROR: No transform of this type found in 1st proposal **** "); } Loading Loading 
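Review bot: The new PX_SHARED_SECRET default is the same literal as PX_IKE_DIFFIEHELLMAN_PRIVKEY on the line above, and the @desc does not say that the value is a placeholder to be overridden from the module parameter configuration. A pre-shared key that coincides with the DH private key reads like a copy-paste and will produce AUTH values no real peer accepts, so the description should make the override explicit, e.g. `* @remark Placeholder only; configure the PSK agreed with the SUT in the module parameters, independently of PX_IKE_DIFFIEHELLMAN_PRIVKEY.` The same section is rendered a second time further down the page.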
@@ -383,6 +383,59 @@ module LibIpv6_Rfc4306Ikev2_Functions { } // end group handlePayloads group calculateSecurityData { /* * @desc Function that calculates the 7 secrets * @param p_IkeSa IKE Security Association data */ function f_calculateSevenSecrets(in IkeSa p_IkeSa) runs on LibIpv6Node return SevenSecrets { var octetstring v_sKYSEED; var SevenSecrets v_sevenSecrets; v_sKYSEED := fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, (p_IkeSa.nI & p_IkeSa.nR), // concatenated nonces -- check 2.14 for details!!! p_IkeSa.diffieHellmanSharedSecret); v_sevenSecrets := fx_pseudoRandomPlus(p_IkeSa.ikePseudoRandomFunction, v_sKYSEED, (p_IkeSa.nI & p_IkeSa.nR & // concatenated nonces -- check 2.14 for details!!! p_IkeSa.spiInitiator & p_IkeSa.spiResponder)); return v_sevenSecrets; } // end f_calculateSevenSecrets /* * @desc Function that calculates the AUTH value * @param p_IkeSa IKE Security Association data * @param p_ikev2Header IKEv2 header * @param p_ikePayloadList IKEv2 payload list * @param p_nonceData data field of Nonce payload * @param p_identificationData data field of Identification payload */ function f_calculateAUTH(in IkeSa p_IkeSa, in Ikev2Header p_ikev2Header, in IkePayloadList p_ikePayloadList, in octetstring p_nonceData, octetstring p_identificationData) runs on LibIpv6Node return octetstring { var octetstring v_aUTH; v_aUTH := fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, PX_SHARED_SECRET, c_authString), (fx_ikev2HeaderToOct(p_ikev2Header) & fx_ikePayloadListToOct(p_ikePayloadList) & p_nonceData & fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, p_IkeSa.sevenSecrets.sK_pr, p_identificationData))); return v_aUTH; } // end f_calculateAUTH } // end group calculateSecurityData group receiveRequests { /* Loading Loading 
@@ -523,45 +576,40 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload; v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList; // get Nonce payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_noncePL,v_ikePayload); if (v_ret == e_success) { vc_ikeSad[0].nI := v_ikePayload.nonce.data; } else { log("**** f_waitForIkeSaInitreq: ERROR: No Nonce payload in payload list **** "); } // get Identification payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_idInitiatorPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForAurhreq: ERROR: No Identification payload in payload list **** "); } // get Key exchange payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_keyExchangePL,v_ikePayload); if (v_ret == e_success) { vc_ikeSad[0].diffieHellmanGroup := v_ikePayload.keyExchange.dhGroup; // calculate shared Diffie-Hellman secret vc_ikeSad[0].diffieHellmanSharedSecret := fx_dHSharedSecret(vc_ikeSad[0].diffieHellmanGroup, PX_IKE_DIFFIEHELLMAN_PRIVKEY, v_ikePayload.keyExchange.data); } else { log("**** f_waitForIkeSaInitreq: ERROR: No Key Exchange payload in payload list **** "); } // get Traffic selector initiator payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForIkeAuthreq: ERROR: No Traffic selector initiator payload in payload list **** "); } // get Traffic selector responder payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForIkeAuthreq: ERROR: No Traffic selector responder payload in payload list **** "); } // get Authentication payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_authenticationPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForIkeAuthreq: ERROR: No Authentication payload in payload list **** "); } 
// get Security Association payload proposal data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_saPL,v_ikePayload); if (v_ret == e_success) // put data from first proposal into vc_ikeSad // store encryption algorithm { //v_ikePayload.saProposalList[0].protocolId // put data from first proposal into vc_Sad // store encryption algorithm v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeEncr,v_saTransform); if (v_ret == e_success) {vc_ikeSad[0].ikeEncryptionAlgo := v_saTransform.transformId.ikeEncryptionAlgo; } else { log("**** f_waitForIkeSaInitreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); } // store pseudo random function v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypePrf,v_saTransform); if (v_ret == e_success) {vc_ikeSad[0].ikePseudoRandomFunction := v_saTransform.transformId.pseudoRandomFunctions; } else { log("**** f_waitForIkeSaInitreq: ERROR: No pseudo random function transform in 1st proposal of Security Association payload **** "); } { log("**** f_waitForIkeAuthtreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); } // store integrity algorithm v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, Loading 
@@ -569,27 +617,17 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret == e_success) {vc_ikeSad[0].ikeIntegrityAlgo := v_saTransform.transformId.integAlgorithms; } else { log("**** f_waitForIkeSaInitreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); } // check Diffie-Hellman group v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeDh,v_saTransform); if (v_ret == e_success) {if(vc_ikeSad[0].diffieHellmanGroup != v_saTransform.transformId.diffieHellman) {log("**** f_waitForIkeSaInitreq: ERROR: Diffie-Hellman transform carries value different to value from Key Exchange payload **** "); return e_error;}} else { log("**** f_waitForIkeSaInitreq: ERROR: No Diffie-Hellman transform in 1st proposal of Security Association payload **** "); } { log("**** f_waitForIkeAuthtreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); } } else { log("**** f_waitForIkeSaInitreq: ERROR: No Security Association payload in payload list **** ") } else { log("**** f_waitForIkeAuthreq: ERROR: No Security Association payload in payload list **** "); } } [] tc_wait.timeout { v_ret := e_timeout; log("**** f_waitForIkeSaInitreq: ERROR: tc_wait.timeout **** "); log("**** f_waitForIkeAuthreq: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_TypesAndValues.ttcn +2 −0 Original line number Diff line number Diff line Loading @@ -47,6 +47,8 @@ const UInt8 c_protocolId_ah := 2; const UInt8 c_protocolId_esp := 3; const octetstring c_authString := '4865792050414420466F72204948457632'O // ASCII coding for string 'Key Pad for IKEv2' } // end group IkeRfc4306CommonConstants group ikeRfc4306Packets { Loading Loading
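Review bot: In hunk @@ -383 f_calculateAUTH always MACs the identification data with `p_IkeSa.sevenSecrets.sK_pr`, which per RFC 4306 section 2.15 yields the responder's AUTH only; the initiator's AUTH that f_waitForIkeAuthreq (hunk @@ -523) receives is MACed with SK_pi, so this function cannot verify it as written. Either pass the key explicitly, `in octetstring p_skP) runs on LibIpv6Node return octetstring {` and `fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, p_skP, p_identificationData)`, or state in the @desc that only the responder-side AUTH is produced; `p_identificationData` is also the one parameter without the `in` modifier. In hunk @@ -523 a missing Identification or Authentication payload is only logged and processing continues, and `v_ikePayload` is overwritten by the next f_getPayload call, so neither the peer identity nor the received AUTH appears to be retained for a later comparison against f_calculateAUTH. Several new log strings read `f_waitForIkeAuthtreq` and `f_waitForAurhreq` where the function is f_waitForIkeAuthreq. The enclosing function starts and ends outside the visible hunks, and this file section is rendered a second time further down the page.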
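Review bot: The octets in the new c_authString do not encode the string the trailing comment names: '4865792050414420466F72204948457632'O decodes to "Hey PAD For IHEv2", whereas RFC 4306 section 2.15 requires the exact 17-octet ASCII string "Key Pad for IKEv2". Since f_calculateAUTH feeds this constant into prf(Shared Secret, "Key Pad for IKEv2"), every AUTH value computed or checked by the library will differ from a conformant peer's and the IKE_AUTH exchange will fail for reasons unrelated to the SUT. The line should read `const octetstring c_authString := '4B65792050616420666F7220494B457632'O; // ASCII coding for string 'Key Pad for IKEv2'`. This file section is rendered a second time further down the page.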
ttcn3/EtsiLibrary/LibIpv6/LibCommonRfcs/LibIpv6_ModuleParameters.ttcn +5 −0 Original line number Diff line number Diff line Loading @@ -117,6 +117,11 @@ module LibIpv6_ModuleParameters { */ modulepar {octetstring PX_IKE_DIFFIEHELLMAN_PRIVKEY := '0123456789ABCDEF'O} /* * @desc Which pre-shared secret shall be used for calculating the AUTH value? */ modulepar {octetstring PX_SHARED_SECRET := '0123456789ABCDEF'O} } // end group ikeSecurity group udpPxts { Loading
ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_Functions.ttcn +84 −46 Original line number Diff line number Diff line Loading @@ -320,7 +320,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { p_saTransform); // transform was not found in first porposal but there is/are further proposal(s) with Id 1 if (v_ret == e_error and p_saProposalList[0].lastProposal != c_uInt8Zero) if (v_ret == e_error and p_saProposalList[0].lastProposal != c_lastProposal) { for(i := 1; (v_ret != e_success); i:= i + 1) {if (p_saProposalList[i].proposalNumber == 1) {v_ret := f_getTransform(p_saProposalList[i].saTransformList, Loading @@ -332,7 +332,7 @@ module LibIpv6_Rfc4306Ikev2_Functions { return e_error;}} } // transform was not found in first porposal and there is no further proposal if (v_ret == e_error and p_saProposalList[0].lastProposal == c_uInt8Zero) if (v_ret == e_error and p_saProposalList[0].lastProposal == c_lastProposal) {return e_error; log("**** f_storeIKETransforms: ERROR: No transform of this type found in 1st proposal **** "); } Loading Loading 
@@ -383,6 +383,59 @@ module LibIpv6_Rfc4306Ikev2_Functions { } // end group handlePayloads group calculateSecurityData { /* * @desc Function that calculates the 7 secrets * @param p_IkeSa IKE Security Association data */ function f_calculateSevenSecrets(in IkeSa p_IkeSa) runs on LibIpv6Node return SevenSecrets { var octetstring v_sKYSEED; var SevenSecrets v_sevenSecrets; v_sKYSEED := fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, (p_IkeSa.nI & p_IkeSa.nR), // concatenated nonces -- check 2.14 for details!!! p_IkeSa.diffieHellmanSharedSecret); v_sevenSecrets := fx_pseudoRandomPlus(p_IkeSa.ikePseudoRandomFunction, v_sKYSEED, (p_IkeSa.nI & p_IkeSa.nR & // concatenated nonces -- check 2.14 for details!!! p_IkeSa.spiInitiator & p_IkeSa.spiResponder)); return v_sevenSecrets; } // end f_calculateSevenSecrets /* * @desc Function that calculates the AUTH value * @param p_IkeSa IKE Security Association data * @param p_ikev2Header IKEv2 header * @param p_ikePayloadList IKEv2 payload list * @param p_nonceData data field of Nonce payload * @param p_identificationData data field of Identification payload */ function f_calculateAUTH(in IkeSa p_IkeSa, in Ikev2Header p_ikev2Header, in IkePayloadList p_ikePayloadList, in octetstring p_nonceData, octetstring p_identificationData) runs on LibIpv6Node return octetstring { var octetstring v_aUTH; v_aUTH := fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, PX_SHARED_SECRET, c_authString), (fx_ikev2HeaderToOct(p_ikev2Header) & fx_ikePayloadListToOct(p_ikePayloadList) & p_nonceData & fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction, p_IkeSa.sevenSecrets.sK_pr, p_identificationData))); return v_aUTH; } // end f_calculateAUTH } // end group calculateSecurityData group receiveRequests { /* Loading Loading 
@@ -523,45 +576,40 @@ module LibIpv6_Rfc4306Ikev2_Functions { v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.nextPayload; v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList[0].encrypted.payloadList; // get Nonce payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_noncePL,v_ikePayload); if (v_ret == e_success) { vc_ikeSad[0].nI := v_ikePayload.nonce.data; } else { log("**** f_waitForIkeSaInitreq: ERROR: No Nonce payload in payload list **** "); } // get Identification payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_idInitiatorPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForAurhreq: ERROR: No Identification payload in payload list **** "); } // get Key exchange payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_keyExchangePL,v_ikePayload); if (v_ret == e_success) { vc_ikeSad[0].diffieHellmanGroup := v_ikePayload.keyExchange.dhGroup; // calculate shared Diffie-Hellman secret vc_ikeSad[0].diffieHellmanSharedSecret := fx_dHSharedSecret(vc_ikeSad[0].diffieHellmanGroup, PX_IKE_DIFFIEHELLMAN_PRIVKEY, v_ikePayload.keyExchange.data); } else { log("**** f_waitForIkeSaInitreq: ERROR: No Key Exchange payload in payload list **** "); } // get Traffic selector initiator payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsInitiatorPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForIkeAuthreq: ERROR: No Traffic selector initiator payload in payload list **** "); } // get Traffic selector responder payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_tsResponderPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForIkeAuthreq: ERROR: No Traffic selector responder payload in payload list **** "); } // get Authentication payload data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_authenticationPL,v_ikePayload); if (v_ret == e_error) { log("**** f_waitForIkeAuthreq: ERROR: No Authentication payload in payload list **** "); } 
// get Security Association payload proposal data v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_saPL,v_ikePayload); if (v_ret == e_success) // put data from first proposal into vc_ikeSad // store encryption algorithm { //v_ikePayload.saProposalList[0].protocolId // put data from first proposal into vc_Sad // store encryption algorithm v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeEncr,v_saTransform); if (v_ret == e_success) {vc_ikeSad[0].ikeEncryptionAlgo := v_saTransform.transformId.ikeEncryptionAlgo; } else { log("**** f_waitForIkeSaInitreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); } // store pseudo random function v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypePrf,v_saTransform); if (v_ret == e_success) {vc_ikeSad[0].ikePseudoRandomFunction := v_saTransform.transformId.pseudoRandomFunctions; } else { log("**** f_waitForIkeSaInitreq: ERROR: No pseudo random function transform in 1st proposal of Security Association payload **** "); } { log("**** f_waitForIkeAuthtreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); } // store integrity algorithm v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, Loading 
@@ -569,27 +617,17 @@ module LibIpv6_Rfc4306Ikev2_Functions { if (v_ret == e_success) {vc_ikeSad[0].ikeIntegrityAlgo := v_saTransform.transformId.integAlgorithms; } else { log("**** f_waitForIkeSaInitreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); } // check Diffie-Hellman group v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList, c_transformTypeDh,v_saTransform); if (v_ret == e_success) {if(vc_ikeSad[0].diffieHellmanGroup != v_saTransform.transformId.diffieHellman) {log("**** f_waitForIkeSaInitreq: ERROR: Diffie-Hellman transform carries value different to value from Key Exchange payload **** "); return e_error;}} else { log("**** f_waitForIkeSaInitreq: ERROR: No Diffie-Hellman transform in 1st proposal of Security Association payload **** "); } { log("**** f_waitForIkeAuthtreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); } } else { log("**** f_waitForIkeSaInitreq: ERROR: No Security Association payload in payload list **** ") } else { log("**** f_waitForIkeAuthreq: ERROR: No Security Association payload in payload list **** "); } } [] tc_wait.timeout { v_ret := e_timeout; log("**** f_waitForIkeSaInitreq: ERROR: tc_wait.timeout **** "); log("**** f_waitForIkeAuthreq: ERROR: tc_wait.timeout **** "); return v_ret; } } // end alt Loading
ttcn3/EtsiLibrary/LibIpv6/LibSec/LibIpv6_Rfc4306Ikev2_TypesAndValues.ttcn +2 −0 Original line number Diff line number Diff line Loading @@ -47,6 +47,8 @@ const UInt8 c_protocolId_ah := 2; const UInt8 c_protocolId_esp := 3; const octetstring c_authString := '4865792050414420466F72204948457632'O // ASCII coding for string 'Key Pad for IKEv2' } // end group IkeRfc4306CommonConstants group ikeRfc4306Packets { Loading