
Commit e9d0d87

committed
Updated Diameter FW with GSMA AVP codes
1 parent 0361bf3 commit e9d0d87


3 files changed

+27
-41
lines changed


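--- a/sigfw/sigfw.sigfw/src/main/java/diameterfw/DiameterFirewall.java
+++ b/sigfw/sigfw.sigfw/src/main/java/diameterfw/DiameterFirewall.java
@@ -326,22 +326,23 @@ private static void configLog4j() {
 
 static final private String persistDir = "XmlDiameterFirewall";
 
+// proprietary autodiscovery used for asymetric encryption
+// not according to IANA and GSMA FS.19
 static final private int CC_AUTO_ENCRYPTION = 999;
 static final private int AVP_AUTO_ENCRYPTION_CAPABILITIES = 1101;
 static final private int AVP_AUTO_ENCRYPTION_REALM = 1102;
 static final private int AVP_AUTO_ENCRYPTION_PUBLIC_KEY = 1103;
 static final private int AVP_AUTO_ENCRYPTION_PUBLIC_KEY_TYPE = 1104;
-static final public int AVP_DESS_SIGNING_REALM = 1105;
+//
 
 // Command Code for DatagramOverDiameterPacket
 static final private int AI_DESS_INTERFACE = 16777360;
 static final public int VENDOR_ID = 46304;
 static final private int CC_DTLS_HANDSHAKE_CLIENT = 8388737; // DTLS handshake messages
 static final private int CC_DTLS_HANDSHAKE_SERVER = 8388738; // DTLS handshake messages
-//static final private int CC_DTLS_HANDSHAKE_REQUESTED = 1112; // handshake requested by server
-static final private int AVP_DTLS_DATA = 1112;
-static final private int AVP_ENCRYPTED_GROUPED_DTLS = 1115;
-
+static final private int AVP_DESS_ENCRYPTED = 2000;
+static final private int AVP_DESS_DTLS_DATA = 2001;
+
 /**
 * Reset Unit Testing Flags
 */
@@ -1179,21 +1180,6 @@ public void run() {
 && cc != CC_DTLS_HANDSHAKE_CLIENT && cc != CC_DTLS_HANDSHAKE_SERVER) {
 // ------------- Diameter verify --------------
 if (DiameterFirewallConfig.origin_realm_verify.containsKey(orig_realm)) {
-/*if (msg.getAvps().getAvp(AVP_DESS_SIGNING_REALM) == null) {
-// Missing AVP_DESS_SIGNING_REALM, message dropped
-firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, "Missing AVP_DESS_SIGNING_REALM, message dropped", lua_hmap);
-return;
-}
-String signing_realm;
-try {
-signing_realm = new String(msg.getAvps().getAvp(AVP_DESS_SIGNING_REALM).getOctetString());
-} catch (AvpDataException ex) {
-//java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
-firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, "Decoding error with AVP_DESS_SIGNING_REALM, message dropped", lua_hmap);
-return;
-}
-PublicKey publicKey = DiameterFirewallConfig.origin_realm_verify_signing_realm.get(orig_realm + ":" + signing_realm);
-*/
 String r = crypto.diameterVerify(msg, DiameterFirewallConfig.origin_realm_verify_signing_realm);
 if (!r.equals("")) {
 firewallMessage(asctn, pd.getPayloadProtocolId(), pd.getStreamNumber(), msg, r, lua_hmap);
@@ -1234,7 +1220,7 @@ public void run() {
 }
 }
 // No DTLS engine, but recieved DTLS encrypted data
-else if (msg.getAvps().getAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID) != null) {
+else if (msg.getAvps().getAvp(AVP_DESS_ENCRYPTED, VENDOR_ID) != null) {
 needDTLSHandshakeReason = "needDTLSHandshake indicated, because no DTLS engine, but recieved Request with DTLS encrypted data from realm: " + orig_realm;
 
 needDTLSHandshake = true;
@@ -1275,7 +1261,7 @@ else if (!msg.isRequest()) {
 }
 }
 // No DTLS engine, but recieved DTLS encrypted data
-else if (msg.getAvps().getAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID) != null) {
+else if (msg.getAvps().getAvp(AVP_DESS_ENCRYPTED, VENDOR_ID) != null) {
 needDTLSHandshake = true;
 
 needDTLSHandshakeReason = "needDTLSHandshake indicated, because no DTLS engine, but recieved Answer with DTLS encrypted data from realm: " + orig_realm;
@@ -1583,7 +1569,7 @@ public void run() {
 // process only requests
 if (msg.isRequest()) {
 if (msg.getAvps() != null) {
-if (msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID) != null) {
+if (msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID) != null) {
 
 logger.info("Received DTLS handshake message from realm: " + orig_realm);
 
@@ -1596,7 +1582,7 @@ public void run() {
 datagramOverDiameterSocket_inbound_server.put(orig_realm, new ConcurrentLinkedQueue<DatagramOverDiameterPacket>());
 }
 
-datagramOverDiameterSocket_inbound_server.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString().length)));
+datagramOverDiameterSocket_inbound_server.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString().length)));
 
 
 boolean needHandshake = false;
@@ -1678,7 +1664,7 @@ else if (cc == CC_DTLS_HANDSHAKE_SERVER) {
 datagramOverDiameterSocket_inbound_client.put(orig_realm, new ConcurrentLinkedQueue<DatagramOverDiameterPacket>());
 }
 
-datagramOverDiameterSocket_inbound_client.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DTLS_DATA, VENDOR_ID).getOctetString().length)));
+datagramOverDiameterSocket_inbound_client.get(orig_realm).add(new DatagramOverDiameterPacket(orig_realm, new DatagramPacket(msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString(), msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString().length)));
 
 }
 
@@ -2531,7 +2517,7 @@ void dtls_sendDatagramOverDiameter(Association asctn, String _peer_realm, Datagr
 message.getAvps().addAvp(Avp.DESTINATION_HOST, _peer_realm, true, false, true);
 message.getAvps().addAvp(Avp.ORIGIN_REALM, DiameterFirewallConfig.hplmn_realms.firstKey(), true, false, true);
 message.getAvps().addAvp(Avp.ORIGIN_HOST, DiameterFirewallConfig.hplmn_realms.firstKey(), true, false, true);
-message.getAvps().addAvp(AVP_DTLS_DATA, p.getP().getData(), VENDOR_ID, false, false);
+message.getAvps().addAvp(AVP_DESS_DTLS_DATA, p.getP().getData(), VENDOR_ID, false, false);
 
 //message.setHeaderApplicationId(AI_DESS_INTERFACE);
 
@@ -2636,7 +2622,7 @@ public boolean _diameterDTLSEncrypt(Message message, SSLEngine engine) {
 
 AvpSet avps = message.getAvps();
 
-AvpSet erAvp = avps.addGroupedAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID, false, true);
+AvpSet erAvp = avps.addGroupedAvp(AVP_DESS_ENCRYPTED, VENDOR_ID, false, true);
 
 for (int i = 0; i < avps.size(); i++) {
 Avp a = avps.getAvpByIndex(i);
@@ -2652,7 +2638,7 @@ public boolean _diameterDTLSEncrypt(Message message, SSLEngine engine) {
 a.getCode() != Avp.ROUTE_RECORD &&
 a.getCode() != Crypto.AVP_ENCRYPTED &&
 a.getCode() != Crypto.AVP_ENCRYPTED_GROUPED &&
-a.getCode() != AVP_ENCRYPTED_GROUPED_DTLS
+a.getCode() != AVP_DESS_ENCRYPTED
 ) {
 erAvp.addAvp(a.getCode(), a.getRawData(), a.getVendorId(), a.isMandatory(), a.isEncrypted());
 avps.removeAvpByIndex(i);
@@ -2690,8 +2676,8 @@ public boolean _diameterDTLSEncrypt(Message message, SSLEngine engine) {
 cipherTextBuffer.get(cipherText);
 
 //logger.debug("Add AVP Grouped Encrypted. Current index");
-avps.removeAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID);
-avps.addAvp(AVP_ENCRYPTED_GROUPED_DTLS, cipherText, VENDOR_ID, false, true);
+avps.removeAvp(AVP_DESS_ENCRYPTED, VENDOR_ID);
+avps.addAvp(AVP_DESS_ENCRYPTED, cipherText, VENDOR_ID, false, true);
 
 } catch (Exception ex) {
 java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
@@ -2726,7 +2712,7 @@ public boolean _diameterDTLSDecrypt(Message message, SSLEngine engine) {
 
 //logger.debug("AVP[" + i + "] Code = " + a.getCode());
 
-if (a.getCode() == AVP_ENCRYPTED_GROUPED_DTLS && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
+if (a.getCode() == AVP_DESS_ENCRYPTED && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
 AvpSetImpl _avps;
 try {
 logger.debug("Diameter Decryption of Grouped Encrypted DTLS AVP");
@@ -2838,7 +2824,7 @@ public boolean diameterDTLSEncrypt(Message message, SSLEngine engine) {
 // cloned AVPs
 AvpSet avps = ((Message) ((IMessage) message).clone()).getAvps();
 
-AvpSet erAvp = avps.addGroupedAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID, false, true);
+AvpSet erAvp = avps.addGroupedAvp(AVP_DESS_ENCRYPTED, VENDOR_ID, false, true);
 
 // Fill the AVP_ENCRYPTED_GROUPED_DTLS with cloned AVPs
 for (int i = 0; i <_avps.size(); i++) {
@@ -2855,7 +2841,7 @@ public boolean diameterDTLSEncrypt(Message message, SSLEngine engine) {
 a.getCode() != Avp.ROUTE_RECORD &&
 a.getCode() != Crypto.AVP_ENCRYPTED &&
 a.getCode() != Crypto.AVP_ENCRYPTED_GROUPED &&
-a.getCode() != AVP_ENCRYPTED_GROUPED_DTLS
+a.getCode() != AVP_DESS_ENCRYPTED
 ) {
 erAvp.addAvp(a.getCode(), a.getRawData(), a.getVendorId(), a.isMandatory(), a.isEncrypted());
 //avps.removeAvpByIndex(i);
@@ -2901,7 +2887,7 @@ public boolean diameterDTLSEncrypt(Message message, SSLEngine engine) {
 
 //logger.debug("Add AVP Grouped Encrypted. Current index");
 //_avps.removeAvp(AVP_ENCRYPTED_GROUPED_DTLS);
-_avps.addAvp(AVP_ENCRYPTED_GROUPED_DTLS, cipherText, VENDOR_ID, false, true);
+_avps.addAvp(AVP_DESS_ENCRYPTED, cipherText, VENDOR_ID, false, true);
 
 } catch (Exception ex) {
 java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);
@@ -2937,7 +2923,7 @@ public boolean diameterDTLSDecrypt(Message message, SSLEngine engine) {
 
 //logger.debug("AVP[" + i + "] Code = " + a.getCode());
 
-if (a.getCode() == AVP_ENCRYPTED_GROUPED_DTLS && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
+if (a.getCode() == AVP_DESS_ENCRYPTED && a.isVendorId() && a.getVendorId() == VENDOR_ID) {
 AvpSetImpl _avps;
 try {
 logger.debug("Diameter Decryption of Grouped Encrypted DTLS AVP");
@@ -3015,7 +3001,7 @@ public boolean diameterDTLSDecrypt(Message message, SSLEngine engine) {
 avps.removeAvpByIndex(i + _avps.size());*/
 
 mergeAVPLists(avps, _avps);
-avps.removeAvp(AVP_ENCRYPTED_GROUPED_DTLS, VENDOR_ID);
+avps.removeAvp(AVP_DESS_ENCRYPTED, VENDOR_ID);
 
 } catch (IOException ex) {
 java.util.logging.Logger.getLogger(DiameterFirewall.class.getName()).log(Level.SEVERE, null, ex);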
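Review bot: Two comments still name the constant this commit deletes: `// Fill the AVP_ENCRYPTED_GROUPED_DTLS with cloned AVPs` in the hunk at old line 2838 and `//_avps.removeAvp(AVP_ENCRYPTED_GROUPED_DTLS);` in the hunk at old line 2901; the first should say `AVP_DESS_ENCRYPTED` and the second is dead code that can go. The new constants at new lines 343–344 carry no provenance, unlike the autodiscovery block annotated just above them, and the bare `//` left at new line 336 looks like a leftover; a line such as `// GSMA DESS AVP codes (vendor-id 46304); keep in sync with wireshark_diameter_custom.xml` in place of it would say where 2000/2001 come from. In the hunks at old lines 1596 and 1678 the rewritten line decodes the same AVP twice; binding it once, `byte[] dtlsData = msg.getAvps().getAvp(AVP_DESS_DTLS_DATA, VENDOR_ID).getOctetString();` and then `new DatagramPacket(dtlsData, dtlsData.length)`, reads better and avoids the second decode. Every hunk here sits inside a method (`run`, `_diameterDTLSEncrypt`, `diameterDTLSEncrypt`, their decrypt counterparts) whose body starts and ends outside the diff.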

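--- a/sigfw/sigfw.sigfw/src/main/java/sigfw/common/Crypto.java
+++ b/sigfw/sigfw.sigfw/src/main/java/sigfw/common/Crypto.java
@@ -26,7 +26,6 @@
 
 import com.p1sec.sigfw.SigFW_interface.CryptoInterface;
 import diameterfw.DiameterFirewall;
-import static diameterfw.DiameterFirewall.AVP_DESS_SIGNING_REALM;
 import static diameterfw.DiameterFirewall.VENDOR_ID;
 import diameterfw.DiameterFirewallConfig;
 import java.io.IOException;
@@ -108,6 +107,7 @@ public class Crypto implements CryptoInterface {
 static final public int AVP_DESS_SIGNATURE = 1000;
 static final public int AVP_DESS_DIGITAL_SIGNATURE = 1001;
 static final public int AVP_DESS_SYSTEM_TIME = 1002;
+static final public int AVP_DESS_SIGNING_REALM = 1003;
 
 static final private Long OC_SIGNATURE = 100L;
 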
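Review bot: `AVP_DESS_SIGNING_REALM` changes its wire code from 1105 to 1003 while moving into this class, and nothing on the new line 110 records that; a peer running the previous build still emits code 1105, which whatever reads this constant (presumably the signing-realm lookup in `diameterVerify`, outside the hunk) will no longer find. A comment such as `// DESS signing realm; GSMA code 1003 (was 1105 in DiameterFirewall), must match wireshark_diameter_custom.xml` would record the renumbering for anyone debugging interop with older peers. The enclosing class body starts and ends outside the hunk.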

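--- a/sigfw/sigfw.sigfw/wireshark_diameter_custom.xml
+++ b/sigfw/sigfw.sigfw/wireshark_diameter_custom.xml
@@ -14,7 +14,7 @@
 
 <vendor vendor-id="GSMA-DESS" code="46304" name="GSMA-DESS"/>
 
-<!-- NOTE the Application ID is not assigned by IANA http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml -->
+<!-- NOTE the Application ID and Command Codes are assigned by IANA https://www.iana.org/assignments/aaa-parameters/aaa-parameters.xhtml -->
 <application id="16777360" name="GSMA DESS interface" uri="none">
 
 <command name="DESS-DTLS-Handshake-Client-Request/Response" code="8388737" vendor-id="GSMA-DESS"/>
@@ -29,7 +29,7 @@
 <type type-name="OctetString"/>
 </avp>
 
-<avp name="DESS-SIGNING-REALM" code="1105" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
+<avp name="DESS-SIGNING-REALM" code="1003" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
 <type type-name="DiameterIdentity"/>
 </avp>
 
@@ -41,11 +41,11 @@
 </grouped>
 </avp>
 
-<avp name="DESS-DTLS-DATA" code="1112" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
+<avp name="DESS-DTLS-DATA" code="2001" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
 <type type-name="OctetString"/>
 </avp>
 
-<avp name="ENCRYPTED-GROUPED-DTLS" code="1115" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
+<avp name="DESS-ENCRYPTED" code="2000" mandatory="mustnot" protected="may" vendor-bit="must" vendor-id="GSMA-DESS" may-encrypt="yes">
 <type type-name="OctetString"/>
 </avp>
 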
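Review bot: The rewritten NOTE at new line 17 now covers only the Application ID and Command Codes, while the AVP codes changed further down (1003, 2001, 2000) are attributed by the commit title to GSMA and the dictionary says nothing about which registry governs them. Extending the comment, e.g. `<!-- NOTE the Application ID and Command Codes are assigned by IANA https://www.iana.org/assignments/aaa-parameters/aaa-parameters.xhtml; the vendor-specific AVP codes below are the GSMA DESS assignments and must match the constants in DiameterFirewall.java and Crypto.java -->`, keeps the dictionary self-describing for whoever next has to reconcile it with the Java side.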
