Updated Diameter FW with GSMA AVP codes
p1-martin committed Sep 4, 2019
1 parent 0361bf3 commit e9d0d87
Showing 3 changed files with 27 additions and 41 deletions.
58 changes: 22 additions & 36 deletions sigfw/sigfw.sigfw/src/main/java/diameterfw/DiameterFirewall.java
Expand Up @@ -326,22 +326,23 @@ private static void configLog4j() {

static final private String persistDir = "XmlDiameterFirewall";

// proprietary autodiscovery used for asymetric encryption
// not according to IANA and GSMA FS.19
static final private int CC_AUTO_ENCRYPTION = 999;
static final private int AVP_AUTO_ENCRYPTION_CAPABILITIES = 1101;
static final private int AVP_AUTO_ENCRYPTION_REALM = 1102;
static final private int AVP_AUTO_ENCRYPTION_PUBLIC_KEY = 1103;
static final private int AVP_AUTO_ENCRYPTION_PUBLIC_KEY_TYPE = 1104;
static final public int AVP_DESS_SIGNING_REALM = 1105;
//

// Command Code for DatagramOverDiameterPacket
static final private int AI_DESS_INTERFACE = 16777360;
static final public int VENDOR_ID = 46304;
static final private int CC_DTLS_HANDSHAKE_CLIENT = 8388737; // DTLS handshake messages
static final private int CC_DTLS_HANDSHAKE_SERVER = 8388738; // DTLS handshake messages
//static final private int CC_DTLS_HANDSHAKE_REQUESTED = 1112; // handshake requested by server
static final private int AVP_DTLS_DATA = 1112;
static final private int AVP_ENCRYPTED_GROUPED_DTLS = 1115;

static final private int AVP_DESS_ENCRYPTED = 2000;
static final private int AVP_DESS_DTLS_DATA = 2001;

/**
* Reset Unit Testing Flags
*/
Expand Down Expand Up @@ -1179,21 +1180,6 @@ public void run() {
&& cc != CC_DTLS_HANDSHAKE_CLIENT && cc != CC_DTLS_HANDSHAKE_SERVER) {
// ------------- Diameter verify --------------
if (DiameterFirewallConfig.origin_realm_verify.containsKey(orig_realm)) {
/*if (msg.getAvps().getAvp(AVP_DESS_SIGNING_REALM) == null) {
// Missing AVP_DESS_SIGNING_REALM, message dropped
firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, "Missing AVP_DESS_SIGNING_REALM, message dropped", lua_hmap);
return;
}
String signing_realm;
try {
signing_realm = new String(msg.getAvps().getAvp(AVP_DESS_SIGNING_REALM).getOctetString());
} catch (AvpDataException ex) {
//java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, "Decoding error with AVP_DESS_SIGNING_REALM, message dropped", lua_hmap);
return;
}
PublicKey publicKey = DiameterFirewallConfig.origin_realm_verify_signing_realm.get(orig_realm + ":" + signing_realm);
*/
String r = crypto.diameterVerify(msg, DiameterFirewallConfig.origin_realm_verify_signing_realm);
if (!r.equals("")) {
firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, r, lua_hmap);
Expand Down Expand Up @@ -1234,7 +1220,7 @@ public void run() {
}
}
// No DTLS engine, but recieved DTLS encrypted data
else if (msg.getAvps().getAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID) != null) {
else if (msg.getAvps().getAvp(AVP_DESS_ENCRYPTED, VENDOR_ID) != null) {
needDTLSHandshakeReason = "needDTLSHandshake indicated, because no DTLS engine, but recieved Request with DTLS encrypted data from realm: " + orig_realm;

needDTLSHandshake = true;
Expand Down Expand Up @@ -1275,7 +1261,7 @@ else if (!msg.isRequest()) {
}
}
// No DTLS engine, but recieved DTLS encrypted data
else if (msg.getAvps().getAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID) != null) {
else if (msg.getAvps().getAvp(AVP_DESS_ENCRYPTED, VENDOR_ID) != null) {
needDTLSHandshake = true;

needDTLSHandshakeReason = "needDTLSHandshake indicated, because no DTLS engine, but recieved Answer with DTLS encrypted data from realm: " + orig_realm;
Expand Down Expand Up @@ -1583,7 +1569,7 @@ public void run() {
// process only requests
if (msg.isRequest()) {
if (msg.getAvps() != null) {
if (msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID) != null) {
if (msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID) != null) {

logger.info("Received DTLS handshake message from realm: " + orig_realm);

Expand All @@ -1596,7 +1582,7 @@ public void run() {
datagramOverDiameterSocket_inbound_server.put(orig_realm, new ConcurrentLinkedQueue<DatagramOverDiameterPacket>());
}

datagramOverDiameterSocket_inbound_server.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString().length)));
datagramOverDiameterSocket_inbound_server.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString().length)));


boolean needHandshake = false;
Expand Down Expand Up @@ -1678,7 +1664,7 @@ else if (cc == CC_DTLS_HANDSHAKE_SERVER) {
datagramOverDiameterSocket_inbound_client.put(orig_realm, new ConcurrentLinkedQueue<DatagramOverDiameterPacket>());
}

datagramOverDiameterSocket_inbound_client.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString().length)));
datagramOverDiameterSocket_inbound_client.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString().length)));

}

Expand Down Expand Up @@ -2531,7 +2517,7 @@ void dtls_sendDatagramOverDiameter(Association asctn, String _peer_realm, Datagr
message.getAvps().addAvp(Avp.DESTINATION_HOST, _peer_realm, true, false, true);
message.getAvps().addAvp(Avp.ORIGIN_REALM, DiameterFirewallConfig.hplmn_realms.firstKey(), true, false, true);
message.getAvps().addAvp(Avp.ORIGIN_HOST, DiameterFirewallConfig.hplmn_realms.firstKey(), true, false, true);
message.getAvps().addAvp(AVP_DTLS_DATA, p.getP().getData(), VENDOR_ID, false, false);
message.getAvps().addAvp(AVP_DESS_DTLS_DATA, p.getP().getData(), VENDOR_ID, false, false);

//message.setHeaderApplicationId(AI_DESS_INTERFACE);

Expand Down Expand Up @@ -2636,7 +2622,7 @@ public boolean _diameterDTLSEncrypt(Message message, SSLEngine engine) {

AvpSet avps = message.getAvps();

AvpSet erAvp = avps.addGroupedAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID, false, true);
AvpSet erAvp = avps.addGroupedAvp(AVP_DESS_ENCRYPTED, VENDOR_ID, false, true);

for (int i = 0; i < avps.size(); i++) {
Avp a = avps.getAvpByIndex(i);
Expand All @@ -2652,7 +2638,7 @@ public boolean _diameterDTLSEncrypt(Message message, SSLEngine engine) {
a.getCode() != Avp.ROUTE_RECORD &&
a.getCode() != Crypto.AVP_ENCRYPTED &&
a.getCode() != Crypto.AVP_ENCRYPTED_GROUPED &&
a.getCode() != AVP_ENCRYPTED_GROUPED_DTLS
a.getCode() != AVP_DESS_ENCRYPTED
) {
erAvp.addAvp(a.getCode(), a.getRawData(), a.getVendorId(), a.isMandatory(), a.isEncrypted());
avps.removeAvpByIndex(i);
Expand Down Expand Up @@ -2690,8 +2676,8 @@ public boolean _diameterDTLSEncrypt(Message message, SSLEngine engine) {
cipherTextBuffer.get(cipherText);

//logger.debug("Add AVP Grouped Encrypted. Current index");
avps.removeAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID);
avps.addAvp(AVP_ENCRYPTED_GROUPED_DTLS, cipherText, VENDOR_ID, false, true);
avps.removeAvp(AVP_DESS_ENCRYPTED, VENDOR_ID);
avps.addAvp(AVP_DESS_ENCRYPTED, cipherText, VENDOR_ID, false, true);

} catch (Exception ex) {
java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
Expand Down Expand Up @@ -2726,7 +2712,7 @@ public boolean _diameterDTLSDecrypt(Message message, SSLEngine engine) {

//logger.debug("AVP[" + i + "] Code = " + a.getCode());

if (a.getCode() == AVP_ENCRYPTED_GROUPED_DTLS && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
if (a.getCode() == AVP_DESS_ENCRYPTED && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
AvpSetImpl _avps;
try {
logger.debug("Diameter Decryption of Grouped Encrypted DTLS AVP");
Expand Down Expand Up @@ -2838,7 +2824,7 @@ public boolean diameterDTLSEncrypt(Message message, SSLEngine engine) {
// cloned AVPs
AvpSet avps = ((Message) ((IMessage) message).clone()).getAvps();

AvpSet erAvp = avps.addGroupedAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID, false, true);
AvpSet erAvp = avps.addGroupedAvp(AVP_DESS_ENCRYPTED, VENDOR_ID, false, true);

// Fill the AVP_ENCRYPTED_GROUPED_DTLS with cloned AVPs
for (int i = 0; i <_avps.size(); i++) {
Expand All @@ -2855,7 +2841,7 @@ public boolean diameterDTLSEncrypt(Message message, SSLEngine engine) {
a.getCode() != Avp.ROUTE_RECORD &&
a.getCode() != Crypto.AVP_ENCRYPTED &&
a.getCode() != Crypto.AVP_ENCRYPTED_GROUPED &&
a.getCode() != AVP_ENCRYPTED_GROUPED_DTLS
a.getCode() != AVP_DESS_ENCRYPTED
) {
erAvp.addAvp(a.getCode(), a.getRawData(), a.getVendorId(), a.isMandatory(), a.isEncrypted());
//avps.removeAvpByIndex(i);
Expand Down Expand Up @@ -2901,7 +2887,7 @@ public boolean diameterDTLSEncrypt(Message message, SSLEngine engine) {

//logger.debug("Add AVP Grouped Encrypted. Current index");
//_avps.removeAvp(AVP_ENCRYPTED_GROUPED_DTLS);
_avps.addAvp(AVP_ENCRYPTED_GROUPED_DTLS, cipherText, VENDOR_ID, false, true);
_avps.addAvp(AVP_DESS_ENCRYPTED, cipherText, VENDOR_ID, false, true);

} catch (Exception ex) {
java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
Expand Down Expand Up @@ -2937,7 +2923,7 @@ public boolean diameterDTLSDecrypt(Message message, SSLEngine engine) {

//logger.debug("AVP[" + i + "] Code = " + a.getCode());

if (a.getCode() == AVP_ENCRYPTED_GROUPED_DTLS && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
if (a.getCode() == AVP_DESS_ENCRYPTED && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
AvpSetImpl _avps;
try {
logger.debug("Diameter Decryption of Grouped Encrypted DTLS AVP");
Expand Down Expand Up @@ -3015,7 +3001,7 @@ public boolean diameterDTLSDecrypt(Message message, SSLEngine engine) {
avps.removeAvpByIndex(i + _avps.size());*/

mergeAVPLists(avps, _avps);
avps.removeAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID);
avps.removeAvp(AVP_DESS_ENCRYPTED, VENDOR_ID);

} catch (IOException ex) {
java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
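Review bot: At the `datagramOverDiameterSocket_inbound_server.get(orig_realm).add(...)` line in the CC_DTLS_HANDSHAKE_CLIENT hunk (and the mirrored `datagramOverDiameterSocket_inbound_client` line in the CC_DTLS_HANDSHAKE_SERVER hunk) the DESS-DTLS-DATA octet string is decoded twice from the same AVP and copied into a DatagramPacket of whatever length the peer sent, then pushed onto an unbounded ConcurrentLinkedQueue that is created on first sight of an Origin-Realm. As far as these hunks show there is no size cap or per-realm limit before any DTLS authentication has happened, so a peer could presumably exhaust memory by spraying large handshake AVPs under fresh realm names; please confirm whether a bound exists in the collapsed lines. Decode once, reject oversized payloads (a DTLS 1.2 record is at most 2^14 + 2048 bytes, so a constant in that range is a sane ceiling) and consider capping queue depth per realm. The enclosing run() starts and ends outside this hunk, so the drop path below should use whatever the surrounding code already does for rejected messages (the `firewallMessage(...); return;` pattern visible in the verify hunk).
```java
// … unchanged: AVP_DESS_DTLS_DATA presence check and per-realm queue creation …
byte[] dtlsData = msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString();
if (dtlsData.length > MAX_DTLS_DATAGRAM_LEN) { // new constant, e.g. 16384 + 2048 (RFC 6347 record limit)
    logger.warn("Oversized DESS-DTLS-DATA (" + dtlsData.length + " bytes) from realm: " + orig_realm + ", dropped");
    return;
}
datagramOverDiameterSocket_inbound_server.get(orig_realm).add(
        new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(dtlsData, dtlsData.length)));
```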
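--- a/sigfw/sigfw.sigfw/src/main/java/sigfw/common/Crypto.java
+++ b/sigfw/sigfw.sigfw/src/main/java/sigfw/common/Crypto.java
@@ -26,7 +26,6 @@
 
 import com.p1sec.sigfw.SigFW_interface.CryptoInterface;
 import diameterfw.DiameterFirewall;
-import static diameterfw.DiameterFirewall.AVP_DESS_SIGNING_REALM;
 import static diameterfw.DiameterFirewall.VENDOR_ID;
 import diameterfw.DiameterFirewallConfig;
 import java.io.IOException;
@@ -108,6 +107,7 @@ public class Crypto implements CryptoInterface {
 static final public int AVP_DESS_SIGNATURE = 1000;
 static final public int AVP_DESS_DIGITAL_SIGNATURE = 1001;
 static final public int AVP_DESS_SYSTEM_TIME = 1002;
+static final public int AVP_DESS_SIGNING_REALM = 1003;
 
 static final private Long OC_SIGNATURE = 100L;
 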
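Review bot: The new `AVP_DESS_SIGNING_REALM = 1003` in Crypto changes the code from the 1105 previously imported from DiameterFirewall, but this file section only drops the static import; on this rendered page it is not clear whether `static final public int AVP_DESS_SIGNING_REALM = 1105;` still shown in DiameterFirewall.java is removed in the same commit. If it survives, two public constants with different codes coexist and a signer and verifier built from different ones will silently disagree on which AVP carries the signing realm. Either delete the DiameterFirewall definition or make it an alias, `static final public int AVP_DESS_SIGNING_REALM = Crypto.AVP_DESS_SIGNING_REALM;`. A short comment on the new constant, `// GSMA DESS vendor-specific AVP (vendor id 46304); must match DESS-SIGNING-REALM in wireshark_diameter_custom.xml`, would help keep the Java and dissector definitions in sync.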
8 changes: 4 additions & 4 deletions sigfw/sigfw.sigfw/wireshark_diameter_custom.xml
Expand Up @@ -14,7 +14,7 @@

<vendor vendor-id="GSMA-DESS" code="46304" name="GSMA-DESS"/>

<!-- NOTE the Application ID is not assigned by IANA http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml -->
<!-- NOTE the Application ID and Command Codes are assigned by IANA https://www.iana.org/assignments/aaa-parameters/aaa-parameters.xhtml -->
<application id="16777360" name="GSMA DESS interface" uri="none">

<command name="DESS-DTLS-Handshake-Client-Request/Response" code="8388737" vendor-id="GSMA-DESS"/>
Expand All @@ -29,7 +29,7 @@
<type type-name="OctetString"/>
</avp>

<avp name="DESS-SIGNING-REALM" code="1105" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
<avp name="DESS-SIGNING-REALM" code="1003" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
<type type-name="DiameterIdentity"/>
</avp>

Expand All @@ -41,11 +41,11 @@
</grouped>
</avp>

<avp name="DESS-DTLS-DATA" code="1112" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
<avp name="DESS-DTLS-DATA" code="2001" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
<type type-name="OctetString"/>
</avp>

<avp name="ENCRYPTED-GROUPED-DTLS" code="1115" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
<avp name="DESS-ENCRYPTED" code="2000" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
<type type-name="OctetString"/>
</avp>

