Commit b492ee6b authored by schmitting's avatar schmitting

changes to IKESAD

parent 908a733c
+16 −34
@@ -430,7 +430,7 @@ group ipSecFns {

		//smu 2007 add check for prf

		vc_ikeSad[c_saOut] := {
		vc_ikeSad[0] := {
			spiInitiator := PX_IKE_SPI,
			spiResponder := PX_IKE_SPI,
			messageID := 0,
@@ -447,27 +447,9 @@ group ipSecFns {
			nR := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16),
			proposalNr := 1,//smu not needed anymore delete
			udpSourcePort := PX_UDP_PORT_IUT_1,
			udpDestPort := PX_UDP_PORT_HS02
		}

		vc_ikeSad[c_saIn] := {
			spiInitiator := PX_IKE_SPI,
			spiResponder := PX_IKE_SPI,
			messageID := 0,
			ikeEncryptionAlgo := PX_IKE_ENCALGO,
			ikeEncryptionKey := PX_IKE_ENC_KEY,
			ikePseudoRandomFunction := PX_IKE_PSEUDORANDOM_FCT,
			ikeIntegrityAlgo := PX_IKE_INTALGO,
			ikeIntegrityKey := PX_IKE_INT_KEY,
			diffieHellmanGroup := PX_IKE_DIFFIEHELLMAN_GROUP,
			diffieHellmanPrivKey := PX_IKE_DIFFIEHELLMAN_PRIVKEY,
			diffieHellmanSharedSecret := '00'O,
			sevenSecrets := omit,
			nI := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16),
			nR := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16),
			proposalNr := 1,//smu not needed anymore delete
			udpSourcePort := PX_UDP_PORT_HS02,
			udpDestPort := PX_UDP_PORT_IUT_1
			udpDestPort := PX_UDP_PORT_HS02,
			iDi := PX_IDENTIFICATION_DATA, //new ps identification initiator
			iDr := PX_IDENTIFICATION_DATA //new ps identification responder
		}

		//ESP - AH
@@ -627,19 +609,19 @@ group ipSecFns {
	function f_initIkeSa()
	runs on LibIpv6Node
	{
		vc_ikeSad[c_saOut].spiInitiator := PX_IKE_SPI; 
		vc_ikeSad[0].spiInitiator := PX_IKE_SPI; 
		vc_ikeSad[0].spiResponder := PX_IKE_SPI;
		vc_ikeSad[c_saOut].messageID := 0; 
		vc_ikeSad[c_saOut].ikeEncryptionAlgo := PX_IKE_ENCALGO; 
		vc_ikeSad[c_saOut].ikeEncryptionKey := PX_IKE_ENC_KEY;
		vc_ikeSad[c_saOut].ikePseudoRandomFunction := PX_IKE_PSEUDORANDOM_FCT; 
		vc_ikeSad[c_saOut].ikeIntegrityAlgo := PX_IKE_INTALGO; 
		vc_ikeSad[c_saOut].ikeIntegrityKey := PX_IKE_INT_KEY;
		vc_ikeSad[c_saOut].diffieHellmanGroup := PX_IKE_DIFFIEHELLMAN_GROUP; 
		vc_ikeSad[c_saOut].diffieHellmanPrivKey := PX_IKE_DIFFIEHELLMAN_PRIVKEY;
		vc_ikeSad[c_saOut].nI := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16);
		vc_ikeSad[c_saOut].nR := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16);
		vc_ikeSad[c_saOut].proposalNr := 1;//smu not needed anymore delete
		vc_ikeSad[0].messageID := 0; 
		vc_ikeSad[0].ikeEncryptionAlgo := PX_IKE_ENCALGO; 
		vc_ikeSad[0].ikeEncryptionKey := PX_IKE_ENC_KEY;
		vc_ikeSad[0].ikePseudoRandomFunction := PX_IKE_PSEUDORANDOM_FCT; 
		vc_ikeSad[0].ikeIntegrityAlgo := PX_IKE_INTALGO; 
		vc_ikeSad[0].ikeIntegrityKey := PX_IKE_INT_KEY;
		vc_ikeSad[0].diffieHellmanGroup := PX_IKE_DIFFIEHELLMAN_GROUP; 
		vc_ikeSad[0].diffieHellmanPrivKey := PX_IKE_DIFFIEHELLMAN_PRIVKEY;
		vc_ikeSad[0].nI := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16);
		vc_ikeSad[0].nR := int2oct(float2int(int2float(20000-5000)*rnd())+5000, 16);
		vc_ikeSad[0].proposalNr := 1;//smu not needed anymore delete
	} // end f_fillIkeSaFromPIXIT SaProposal


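Review bot: The initialiser for `vc_ikeSad[c_saIn]` is dropped here and the outbound entry is now addressed with the literal `0`, while the IKEv2 functions file in this same commit moves its writes from `vc_ikeSad[0]` to `vc_ikeSad[c_saIn]`. Unless `c_saIn` is 0 (its value is not visible on this page), the inbound entry is then filled only field by field from received packets, and fields such as `diffieHellmanPrivKey` or `sevenSecrets` would be unbound when that entry is read. I would keep a named index instead of `0` and either retain an initialiser for the inbound entry or add a comment such as `// single IKE SA entry: index 0 is used for both directions`. Separately, `f_initIkeSa` does not set the `iDi`/`iDr` fields that the record literal now carries. Both nonces are an integer between 5000 and 20000 padded to 16 octets, so only the low two octets vary; a comment stating that this is acceptable for the test system would help.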
+5 −0
@@ -128,6 +128,11 @@ module LibIpv6_ModuleParameters {
    */
	modulepar {octetstring PX_SHARED_SECRET := '0123456789ABCDEF'O}

	/*
	 * @desc Which identification data (type = ID_IPV6_ADDR) shall be used for sending in Identification payloads?
    */
	modulepar {octetstring PX_IDENTIFICATION_DATA := '00112233445566778899AABBCCDDEEFF'O}

	} // end group ikeSecurity

group udpPxts {
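Review bot: `PX_IDENTIFICATION_DATA` is documented as ID_IPV6_ADDR data but declared as an unconstrained `octetstring`, so a PIXIT value that is not 16 octets would be accepted and carried into the Identification payload and the AUTH input. The `@desc` should state the required length, for example `@desc Identification data (type = ID_IPV6_ADDR, exactly 16 octets) sent in Identification payloads`, or the parameter could use a fixed-length type if the library defines one. It would also help to mention that the IKE SAD initialiser in this commit assigns this one value to both `iDi` and `iDr`.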
+179 −43
@@ -30,6 +30,7 @@ module LibIpv6_Rfc4306Ikev2_Functions {




	group handlePayloads
	{
	/*
@@ -387,10 +388,26 @@ module LibIpv6_Rfc4306Ikev2_Functions {
	 * @param p_identificationData data field of Identification payload
	*/
	function f_calculateAUTH(in IkeSa p_IkeSa, in Ikev2Header p_ikev2Header, in IkePayloadList p_ikePayloadList,
							 in octetstring p_nonceData, octetstring p_identificationData)
							 in boolean p_initatorOrResponder)
	runs on LibIpv6Node
	return octetstring {
		var octetstring v_aUTH;
		var octetstring v_auxiliary;
		
		if(p_initatorOrResponder == c_initiator)  // IUT acts as initiatorr
		{
			v_auxiliary := p_IkeSa.nR &
						   fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction,
									       p_IkeSa.sevenSecrets.sK_pi,
										   p_IkeSa.iDi);
		}
		else // IUT acts as responder
		{
			v_auxiliary := p_IkeSa.nI &
						   fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction,
									       p_IkeSa.sevenSecrets.sK_pr,
										   p_IkeSa.iDr);
		}

		v_aUTH := fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction,
								  fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction,
@@ -398,10 +415,7 @@ module LibIpv6_Rfc4306Ikev2_Functions {
												  c_authString),
								  (fx_ikev2HeaderToOct(p_ikev2Header) & 
								   fx_ikePayloadListToOct(p_ikePayloadList) &
								   p_nonceData &
								   fx_pseudoRandom(p_IkeSa.ikePseudoRandomFunction,
									               p_IkeSa.sevenSecrets.sK_pr,
												   p_identificationData))); 
								   v_auxiliary)); 

		return v_aUTH;
		} // end f_calculateAUTH
@@ -438,24 +452,24 @@ module LibIpv6_Rfc4306Ikev2_Functions {
					tc_wait.stop;

					vc_ikeSad[0].udpSourcePort := v_ipv6Packet.ipv6Payload.ikeMsg.sourcePort;
					vc_ikeSad[0].udpDestPort := v_ipv6Packet.ipv6Payload.ikeMsg.destPort;
					vc_ikeSad[0].spiInitiator := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.initiatorSpi;
					vc_ikeSad[c_saIn].udpDestPort := v_ipv6Packet.ipv6Payload.ikeMsg.destPort;
					vc_ikeSad[c_saIn].spiInitiator := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.initiatorSpi;
					v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.nextPayload;
					v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList;
					
					// get Nonce payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_noncePL,v_ikePayload);
					if (v_ret == e_success)
					{ vc_ikeSad[0].nI := v_ikePayload.nonce.data; }
					{ vc_ikeSad[c_saIn].nI := v_ikePayload.nonce.data; }
					else
					{ log("**** f_waitForIkeSaInitreq: ERROR: No Nonce payload in payload list **** "); }

					// get Key exchange payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_keyExchangePL,v_ikePayload);
					if (v_ret == e_success)
					{ vc_ikeSad[0].diffieHellmanGroup := v_ikePayload.keyExchange.dhGroup;
					{ vc_ikeSad[c_saIn].diffieHellmanGroup := v_ikePayload.keyExchange.dhGroup;
					  // calculate shared Diffie-Hellman secret
					  vc_ikeSad[0].diffieHellmanSharedSecret := fx_dHSharedSecret(vc_ikeSad[0].diffieHellmanGroup,
					  vc_ikeSad[c_saIn].diffieHellmanSharedSecret := fx_dHSharedSecret(vc_ikeSad[c_saIn].diffieHellmanGroup,
										  										  PX_IKE_DIFFIEHELLMAN_PRIVKEY,
										 										  v_ikePayload.keyExchange.data);
					}
@@ -487,7 +501,7 @@ module LibIpv6_Rfc4306Ikev2_Functions {
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeInteg,v_saTransform);
						if (v_ret == e_success)
						{vc_ikeSad[0].ikeIntegrityAlgo := v_saTransform.transformId.integAlgorithms; }
						{vc_ikeSad[c_saIn].ikeIntegrityAlgo := v_saTransform.transformId.integAlgorithms; }
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); }

@@ -495,7 +509,7 @@ module LibIpv6_Rfc4306Ikev2_Functions {
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeDh,v_saTransform);
						if (v_ret == e_success)
						{if(vc_ikeSad[0].diffieHellmanGroup != v_saTransform.transformId.diffieHellman)
						{if(vc_ikeSad[c_saIn].diffieHellmanGroup != v_saTransform.transformId.diffieHellman)
							{log("**** f_waitForIkeSaInitreq: ERROR: Diffie-Hellman transform carries value different to value from Key Exchange payload **** ");
							 return e_error;}}
						else
@@ -534,6 +548,8 @@ module LibIpv6_Rfc4306Ikev2_Functions {
		// list of payloads
		var IkePayloadList v_ikePayloadList;
		var IkePayload v_ikePayload;
		// SA protoocol ID
		var UInt8 v_protocolId;
		// transform
		var SaTransform v_saTransform;

@@ -550,7 +566,9 @@ module LibIpv6_Rfc4306Ikev2_Functions {
					
					// get Identification payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_idInitiatorPL,v_ikePayload);
					if (v_ret == e_error)
					if (v_ret == e_success)
					{ vc_ikeSad[c_saIn].iDi := v_ikePayload.idInitiator.data; }
					else
					{ log("**** f_waitForAurhreq: ERROR: No Identification payload in payload list **** "); }

					// get Traffic selector initiator payload data
@@ -571,27 +589,42 @@ module LibIpv6_Rfc4306Ikev2_Functions {
					// get Security Association payload proposal data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_saPL,v_ikePayload);
					if (v_ret == e_success)

					{ 	
						//v_ikePayload.saProposalList[0].protocolId
						v_protocolId := v_ikePayload.securityAssociation.saProposalList[0].protocolId;
						// put data from first proposal into vc_Sad
					/*	vc_sad[c_saIn].spi := v_ikePayload.securityAssociation.saProposalList[0].spi;

						if (v_protocolId == c_protocolEsp)
						{
							// store encryption algorithm
							v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
														  c_transformTypeEncr,v_saTransform);
							if (v_ret == e_success)
						{vc_ikeSad[0].ikeEncryptionAlgo := v_saTransform.transformId.encryptionAlgo; }
							{vc_sad[c_saIn].espEncryptionAlgo := v_saTransform.transformId.ikeEncryptionAlgo; }
							else
							{ log("**** f_waitForIkeAuthtreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); }
						}

						if (v_protocolId == c_protocolAh)
						{
							// store integrity algorithm
						 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
														  c_transformTypeInteg,v_saTransform);
							if (v_ret == e_success)
						{vc_ikeSad[0].ikeIntegrityAlgo := v_saTransform.transformId.integAlgorithms; }
							{vc_sad[c_saIn].ahIntegrityAlgo := v_saTransform.transformId.integAlgorithms; }
							else
							{ log("**** f_waitForIkeAuthtreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); }
						}

						// store extended sequence numbers 
						v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeEsn,v_saTransform);
						if (v_ret == e_success)
						{vc_sad[c_saIn].espEncryptionAlgo := v_saTransform.transformId.extentedSequenceNumbers; }
						else
						{ log("**** f_waitForIkeAuthtreq: ERROR: No extended sequence numbers transform in 1st proposal of Security Association payload **** "); } */
					}

					else
					{ log("**** f_waitForIkeAuthreq: ERROR: No Security Association payload in payload list **** "); }
				}
@@ -611,7 +644,110 @@ module LibIpv6_Rfc4306Ikev2_Functions {
	} // end group receiveRequests

	group receiveResponses

	{
	function f_waitForIkeSaInitres(	in template Ipv6Address p_src,
									in template Ipv6Address p_dst)
	runs on LibIpv6Node
	return FncRetCode {
		var FncRetCode v_ret;
		var Ipv6Packet v_ipv6Packet;
		// next payload from IKE header
		var UInt8 v_nextPayload;
		// list of payloads
		var IkePayloadList v_ikePayloadList;
		var IkePayload v_ikePayload;
		// transform
		var SaTransform v_saTransform;

		tc_wait.start;
		alt {
			[]	ipPort.receive(mw_ikeSaInitReq(	p_src,
												p_dst,
												mw_ikeSaInitReqPLL)) -> value v_ipv6Packet
				{
					tc_wait.stop;

					vc_ikeSad[c_saIn].udpSourcePort := v_ipv6Packet.ipv6Payload.ikeMsg.sourcePort;
					vc_ikeSad[c_saIn].udpDestPort := v_ipv6Packet.ipv6Payload.ikeMsg.destPort;
					vc_ikeSad[c_saIn].spiInitiator := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.initiatorSpi;
					v_nextPayload := v_ipv6Packet.ipv6Payload.ikeMsg.ikev2Header.nextPayload;
					v_ikePayloadList := v_ipv6Packet.ipv6Payload.ikeMsg.payloadList;
					
					// get Nonce payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_noncePL,v_ikePayload);
					if (v_ret == e_success)
					{ vc_ikeSad[c_saIn].nI := v_ikePayload.nonce.data; }
					else
					{ log("**** f_waitForIkeSaInitreq: ERROR: No Nonce payload in payload list **** "); }

					// get Key exchange payload data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_keyExchangePL,v_ikePayload);
					if (v_ret == e_success)
					{ vc_ikeSad[c_saIn].diffieHellmanGroup := v_ikePayload.keyExchange.dhGroup;
					  // calculate shared Diffie-Hellman secret
					  vc_ikeSad[c_saIn].diffieHellmanSharedSecret := fx_dHSharedSecret(vc_ikeSad[c_saIn].diffieHellmanGroup,
										  										  PX_IKE_DIFFIEHELLMAN_PRIVKEY,
										 										  v_ikePayload.keyExchange.data);
					}
					else
					{ log("**** f_waitForIkeSaInitreq: ERROR: No Key Exchange payload in payload list **** "); }

					// get Security Association payload proposal data
					v_ret := f_getPayload(v_ikePayloadList,v_nextPayload,c_saPL,v_ikePayload);
					if (v_ret == e_success)
					// put data from first proposal into vc_ikeSad
					// store encryption algorithm
					{ 	
						v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeEncr,v_saTransform);
						if (v_ret == e_success)
						{vc_ikeSad[c_saIn].ikeEncryptionAlgo := v_saTransform.transformId.encryptionAlgo; }
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No encryption algorithm transform in 1st proposal of Security Association payload **** "); }

					// store pseudo random function
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypePrf,v_saTransform);
						if (v_ret == e_success)
						{vc_ikeSad[c_saIn].ikePseudoRandomFunction := v_saTransform.transformId.pseudoRandomFunction; }
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No pseudo random function transform in 1st proposal of Security Association payload **** "); }

					// store integrity algorithm
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeInteg,v_saTransform);
						if (v_ret == e_success)
						{vc_ikeSad[c_saIn].ikeIntegrityAlgo := v_saTransform.transformId.integAlgorithms; }
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No integrity algorithm transform in 1st proposal of Security Association payload **** "); }

					// check Diffie-Hellman group
					 	v_ret := f_getTransformOfType(v_ikePayload.securityAssociation.saProposalList,
													  c_transformTypeDh,v_saTransform);
						if (v_ret == e_success)
						{if(vc_ikeSad[c_saIn].diffieHellmanGroup != v_saTransform.transformId.diffieHellman)
							{log("**** f_waitForIkeSaInitreq: ERROR: Diffie-Hellman transform carries value different to value from Key Exchange payload **** ");
							 return e_error;}}
						else
						{ log("**** f_waitForIkeSaInitreq: ERROR: No Diffie-Hellman transform in 1st proposal of Security Association payload **** "); }
					}
					else
					{ log("**** f_waitForIkeSaInitreq: ERROR: No Security Association payload in payload list **** ") }

				}

			[]	tc_wait.timeout
				{
					v_ret :=  e_timeout;
					log("**** f_waitForIkeSaInitreq: ERROR: tc_wait.timeout **** ");
					return v_ret;
				}		
		} // end alt

		return v_ret;

	} //end f_waitForIkeSaInitreq
	} // end group receiveResponses

group sendRequests {
@@ -652,7 +788,7 @@ group sendRequests {
		//send
		ipPort.send(v_ipPkt);

		vc_ikeSad[c_saOut].messageID := vc_ikeSad[c_saOut].messageID + 1;
		vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1;

		return e_success;

@@ -698,7 +834,7 @@ group sendRequests {
		//send
		ipPort.send(v_ipPkt);

		vc_ikeSad[c_saOut].messageID := vc_ikeSad[c_saOut].messageID + 1;
		vc_ikeSad[0].messageID := vc_ikeSad[0].messageID + 1;

		return e_success;

@@ -755,9 +891,9 @@ group establishSAFns {
				p_dst,
				PX_UDP_PORT_HS02,
				PX_UDP_PORT_IUT_1,
				vc_ikeSad[c_saOut].spiInitiator,
				vc_ikeSad[0].spiInitiator,
				c_saPL,
				vc_ikeSad[c_saOut].messageID,
				vc_ikeSad[0].messageID,
				m_ikePlList_3Elem(
					m_securityAssociationPL(
						c_keyExchangePL,
@@ -772,25 +908,25 @@ group establishSAFns {
								m_saTransform (
									c_moreTransform,
									c_transformTypeEncr,
									m_transformId_encr(vc_ikeSad[c_saOut].ikeEncryptionAlgo),
									m_transformId_encr(vc_ikeSad[0].ikeEncryptionAlgo),
									omit//Attribute SMU check needed to add key
								),
								m_saTransform (
									c_moreTransform,
									c_transformTypeInteg,
									m_transformId_integ(vc_ikeSad[c_saOut].ikeIntegrityAlgo),
									m_transformId_integ(vc_ikeSad[0].ikeIntegrityAlgo),
									omit//Attribute
								),
								m_saTransform (
									c_moreTransform,
									c_transformTypePrf,
									m_transformId_prf(vc_ikeSad[c_saOut].ikePseudoRandomFunction),
									m_transformId_prf(vc_ikeSad[0].ikePseudoRandomFunction),
									omit//Attribute
								),
								m_saTransform (
									c_lastTransform,
									c_transformTypeDh,
									m_transformId_dh(vc_ikeSad[c_saOut].diffieHellmanGroup),
									m_transformId_dh(vc_ikeSad[0].diffieHellmanGroup),
									omit//Attribute
								)
							)
@@ -798,15 +934,15 @@ group establishSAFns {
					),
					m_keyExchangePL (
						c_noncePL,
						vc_ikeSad[c_saOut].diffieHellmanGroup,
						vc_ikeSad[0].diffieHellmanGroup,
						fx_dHKeyToSend( 
							vc_ikeSad[c_saOut].diffieHellmanGroup,
							vc_ikeSad[c_saOut].diffieHellmanPrivKey
							vc_ikeSad[0].diffieHellmanGroup,
							vc_ikeSad[0].diffieHellmanPrivKey
						) 
					),
					m_noncePL (	
						c_noNextPL,
						vc_ikeSad[c_saOut].nI
						vc_ikeSad[0].nI
					)
				)
			)
@@ -828,10 +964,10 @@ group establishSAFns {
				p_dst,
				PX_UDP_PORT_HS02,
				PX_UDP_PORT_IUT_1,
				vc_ikeSad[c_saOut].spiInitiator,
				vc_ikeSad[c_saOut].spiResponder,
				vc_ikeSad[0].spiInitiator,
				vc_ikeSad[0].spiResponder,
				c_encryptedPL,
				vc_ikeSad[c_saOut].messageID,
				vc_ikeSad[0].messageID,
				m_ikePlList_1Elem(
					m_encryptedPL(
						c_idInitiatorPL,
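Review bot: The new `f_waitForIkeSaInitres` still behaves like the request handler it was copied from: it receives on `mw_ikeSaInitReq(p_src, p_dst, mw_ikeSaInitReqPLL)`, stores the peer's nonce in `vc_ikeSad[c_saIn].nI` and the header SPI in `.spiInitiator`, and every log line and the closing comment name `f_waitForIkeSaInitreq`. For a response I would expect the match on `mw_ikeSaInitRes`, the nonce stored in `nR` and the responder SPI stored in `spiResponder`; as written, the initiator branch of `f_calculateAUTH` reads `p_IkeSa.nR`, which nothing in this function sets from the received message. In both wait functions a missing Nonce or Key Exchange payload is only logged and `v_ret` is overwritten by the next `f_getPayload` call, so the function can still return `e_success`; returning `e_error` there, as the Diffie-Hellman mismatch branch already does, would stop a malformed message from passing. In `f_waitForIkeSaInitreq`, `udpSourcePort` is still written to `vc_ikeSad[0]` while the neighbouring fields moved to `vc_ikeSad[c_saIn]`.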
+4 −4
@@ -22,7 +22,6 @@
	
	group ikeSaInitRequestTemplates {


		template IkeSaInitRequest mw_ikeSaInitReq (	template Ipv6Address p_src,
													template Ipv6Address p_dst,
													template IkePayloadList p_ikepayloads) := {
@@ -102,6 +101,7 @@
		template IkeSaInitResponse mw_ikeSaInitRes (	template Ipv6Address p_src,
												    	template Ipv6Address p_dst,
														Oct8 p_initiatorSpi,
														UInt32 p_messageID,
													    template IkePayloadList p_ikepayloads) := {
			ipv6Hdr :=  mw_ipHdr_nextHdr_srcDst(c_udpHdr, p_src, p_dst),
			extHdrList        := omit,
@@ -124,7 +124,7 @@
					vFlag         := c_vFlag,
					iFlag         := c_iFlagResponder,
					threeXFlags   := ?,
					messageID     := 1,
					messageID     := p_messageID,
					messageLength := ?
				},
				// IKEv2 Payloads
@@ -323,7 +323,7 @@
			proposalLength     := ?,
			proposalNumber     := ?,
			protocolId         := c_protocolIke,
			spiSize            := c_uInt8Zero,
			spiSize            := c_spiSize0,
			numberOfTransforms := ?,
			spi                := omit,
			saTransformList    := ?
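Review bot: `mw_ikeSaInitRes` now matches `messageID := p_messageID`, but the send functions in the IKEv2 functions file increment `vc_ikeSad[0].messageID` right after `ipPort.send`, so a caller that passes the SAD counter while waiting for the response would expect a value one higher than the request carried. The callers are not visible on this page, so this is something to confirm rather than a certain defect. A `@param p_messageID` line such as `message ID of the request being answered` would make the contract explicit. Because the parameter is a plain `UInt32` rather than a `template UInt32`, callers also cannot pass `?` when the ID is not under test.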
+6 −2
@@ -47,6 +47,8 @@
		const UInt8 c_protocolId_ah := 2;
		const UInt8 c_protocolId_esp := 3;

		const boolean c_initiator := true;
		const boolean c_responder := true;
		const octetstring c_authString := '4865792050414420466F72204948457632'O // ASCII coding for string 'Key Pad for IKEv2'

	} // end group IkeRfc4306CommonConstants
@@ -1088,7 +1090,9 @@
			octetstring nR,//new smu nonce
			UInt8 proposalNr,//new smu nonce
			UInt16 udpSourcePort,
			UInt16 udpDestPort
			UInt16 udpDestPort,
			octetstring iDi, //new ps identification initiator
			octetstring iDr //new ps identification responder
		}
		with {
			variant "TODO";
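Review bot: `c_initiator` and `c_responder` are both declared `true`, so the test `p_initatorOrResponder == c_initiator` in `f_calculateAUTH` holds for either constant and the responder branch (`nI`, `sK_pr`, `iDr`) can never be selected by passing `c_responder`. The AUTH value would then always be derived with the initiator's key and identity, so a responder-side AUTH check would compare against the wrong octets. `const boolean c_responder := false;` fixes it; an enumerated role type would avoid the ambiguity of a boolean named "initiator or responder". The new `iDi`/`iDr` fields would also benefit from a comment stating whether they hold only the identification data or the whole ID payload body, since that decides what goes into the AUTH input.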