#!/usr/bin/perl
#
# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 Yokogawa Electric Corporation.
# All rights reserved.
#
# Redistribution and use of this software in source and binary
# forms, with or without modification, are permitted provided that
# the following conditions and disclaimer are agreed and accepted
# by the user:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with
# the distribution.
#
# 3. Neither the names of the copyrighters, the name of the project
# which is related to this software (hereinafter referred to as
# "project") nor the names of the contributors may be used to
# endorse or promote products derived from this software without
# specific prior written permission.
#
# 4. No merchantable use may be permitted without prior written
# notification to the copyrighters.
#
# 5. The copyrighters, the project and the contributors may prohibit
# the use of this software at any time.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND
# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING
# BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# $TAHI: ct-dhcpv6/dhcpv6.tahi/auth/S_RFC3315_21.4.1_DelayedAuthProto.seq,v 1.13 2006/03/14 01:16:32 mnaoki Exp $
########################################################################
BEGIN { $V6evalTool::TestVersion = '$Name: DHCPv6_1_0 $';
push(@INC, '..');
}
use strict;
use V6evalTool;
use DHCPv6_common;
use Server_pktdesc;
dhcpExitNS if ChkFuncSupport('AUTHENTICATION');
#--------------------------------------------------------------#
# Initialization
#--------------------------------------------------------------#
vLogHTML('==== NUT Initialization ====
');
my $IF0 = "Link0";
#initial NUT config parameters,
# Configure authentication parametor
vLogHTML("Authentication Information
");
my $auth_realm = "DHCPv6.TEST.EXAMPLE.COM";
my $hex_auth_realm = Ascii2Hex($auth_realm);
my $auth_key_id = "1";
my $auth_sharedsecretkey = "TAHITEST_VALID12";
vLogHTML(" REALM: $auth_realm
");
vLogHTML(" Key ID: $auth_key_id
");
vLogHTML(" Shared Secret Key: $auth_sharedsecretkey");
my $SHARED_SECRET_KEY_TYPE = ChkConfig('SHARED_SECRET_KEY_TYPE');
my $enc_auth_sharedsecretkey = SharedSecretKeyCheck($SHARED_SECRET_KEY_TYPE, $auth_sharedsecretkey);
vLogHTML(" Device's Key Type: $SHARED_SECRET_KEY_TYPE, Encoded value: $enc_auth_sharedsecretkey
");
my %NUT_Server_Config = (
'if_nut0'=> "$V6evalTool::NutDef{Link0_device}",
'init_opcode' => "vRemote(\"dhcp6s.rmt\", \"start\" , \"authentication=delayed\", \"auth_realm=$auth_realm\", \"auth_keyid=$auth_key_id\", \"auth_sharedsecretkey=$enc_auth_sharedsecretkey\", \"link0=$V6evalTool::NutDef{Link0_device}\",\"startaddr=3ffe:ffff:100::10\",\"endaddr=3ffe:ffff:100::11\")",
);
dhcpSvrInit(\%NUT_Server_Config);
#--------------------------------------------------------------#
# Main Procedure
#--------------------------------------------------------------#
vLogHTML('==== DHCP Client-Initiated Configuration Exchange using Delayed Authentication Protocol ====
');
my $cpp = undef;
# This is requried when Authentication option is used, otherwise not required.
$AUTH_OPTION_REQUIRED = $TRUE;
# 1. send DHCPv6 Solicit Message
$CID_OPTION = "opt_CID_LLT_client1";
$IA_NA_OPTION = "opt_IA_NA";
$Authentication_OPTION = "opt_Auth";
$cpp = "-DAUTH_COUNTER=hexstr\\\(\\\"0000000000000000\\\",8\\\) ";
$cpp .= "-DNO_AUTH_INFO ";
my ($ret1, %sol1) = send_solicit($IF0, "solicit_client1_to_alldhcp", $cpp);
if (0 != $ret1){
dhcpExitFail();
}
# 2.wait for DHCPv6 Advertise Message
my ($ret2, %adv2) = wait_for_advertise($IF0, 5);
if (0 != $ret2){
dhcpExitFail("Can't receive correct DHCPv6 Advertise message");
}
# check options in Advertise Message
if (0 != options_exist(\%adv2, ($CMP_CID|$CMP_SID|$CMP_AUTH))){
dhcpExitError("Do not include necessary options!");
}
# compare Options
if (0 != compare_options(\%sol1, \%adv2, ($CMP_CID|$CMP_TRANS_ID))){
dhcpExitError("Option Error");
}
# Increment replay detection field (64bit)
my $auth_counter = undef;
$auth_counter = ReplayDetectCounter($adv2{'Recv_ReplayDetection'});
#check Authenticator
my $retauth = check_Auth_MD5(\%adv2,$auth_sharedsecretkey);
if($retauth != 0){
dhcpExitFail("Authenticator does not match");
}
# 3.send DHCPv6 Request Message
$CID_OPTION = "opt_CID_LLT_client1";
$IA_NA_OPTION = "opt_IA_NA";
$SID_OPTION = "opt_SID_ANY";
$Authentication_OPTION = "opt_Auth";
$cpp = "-DAUTH_COUNTER=hexstr\\\(\\\"$auth_counter\\\",8\\\) ";
$cpp .= "-DAUTH_REALM=hexstr\\\(\\\"$hex_auth_realm\\\"\\\) ";
$cpp .= "-DAUTH_KEY_ID=$auth_key_id ";
$cpp .= "-DAUTH_KEY_VALUE=\\\"$auth_sharedsecretkey\\\" ";
my ($ret3, %req3) = send_request($IF0, "request_client1_to_alldhcp", \%adv2, $cpp);
if (0 != $ret3) {
dhcpExitFail();
}
# 4.wait for DHCPv6 Reply Message
my ($ret4, %rep4) = wait_for_reply($IF0, 5);
if (0 != $ret4){
dhcpExitFail("Can't receive correct DHCPv6 Reply message");
}
# check options in Reply Message
if (0 != options_exist(\%rep4, ($CMP_IA_NA|$CMP_CID|$CMP_SID|$CMP_AUTH))){
dhcpExitError("Do not include necessary options!");
}
# compare Client ID Options
if (0 != compare_options(\%req3, \%rep4, ( $CMP_CID|$CMP_TRANS_ID))){
dhcpExitError("The client ID option in Reply Msg is error!");
}
#check Authenticator
$retauth = undef;
$retauth = check_Auth_MD5(\%rep4,$auth_sharedsecretkey);
if($retauth != 0){
dhcpExitFail("Authenticator does not match");
}
#-------------------------------------------------------------------
vLogHTML('DHCP Client-Initiated Configuration Exchange using Delayed Authentication Protocol is correct
');
#-------------------------------------------------------------------
dhcpExitPass;
#NOTREACHED
########################################################################
__END__
=head1 NAME
S_RFC3315_21.4.1_DelayedAuthProto.seq - Checking Delayed Authentication Protocol for Server
=head1 TARGET
Server
=head1 SYNOPSIS
=begin html
S_RFC3315_21.4.1_DelayedAuthProto.seq [-tooloption ...]
-pkt S_RFC3315_21.4.1_DelayedAuthProto.def
-tooloption: v6eval tool option. See also DHCPv6.def
=head1 INITIALIZATION
=begin html
TN(Client1)
|
Link0 -------+-----------+--------------- 3ffe:501:ffff:100::/64
|
NUT(Server1)
To validate an incoming message, the receiver first checks that the
value in the replay detection field is acceptable according to the
replay detection method specified by the RDM field. Next, the
receiver computes the MAC as described in [8]. The entire DHCP
message (setting the MAC field of the authentication option to 0) is
used as input to the HMAC-MD5 computation function. If the MAC
computed by the receiver does not match the MAC contained in the
authentication option, the receiver MUST discard the DHCP message.
After receiving a Solicit message that contains an Authentication
option, the server selects a key for the client, based on the
client's DUID and key selection policies with which the server has
been configured. The server identifies the selected key in the
Advertise message and uses the key to validate subsequent messages
between the client and the server.
If the message passes the validation test, the server responds to the
specific message as described in section 18.2. The server MUST
include authentication information generated using the key identified
in the received message, as specified in section 21.4.
- Configuration
Enable Delayed Authenticaion Protocol Service
Authenticaion parameter
- DHCP realm: DHCPv6.TEST.EXAMPLE.COM
- Client DUID: 00:01:00:01:00:04:93:e0:00:00:00:00:a2:a2
- Key id: 1
- Shared secret key: TAHITEST_VALID12
| Device Name |
Device Type |
I/F |
Assigned Prefix |
Link Local Addr |
MAC Addr |
| Server1 |
NUT |
Link0 |
3ffe:501:ffff:100::/64 |
NUT's Linklocal address |
NUT's MAC address |
| Client1 |
TN |
Link0 |
3ffe:501:ffff:100::/64 |
fe80::200:ff:fe00:a2a2 |
00:00:00:00:a2:a2 |
=end html
=head1 TEST PROCEDURE
=begin html
NUT TN
| |
| | initialize NUT (as a DHCPv6 Server)
| |
| <---- | Solicit w/ Authtication Option
| ----> | Advertise w/ Authtication Option
| <---- | Request w/ Authtication Option
| ----> | Reply(*1) w/ Authtication Option
| |
=end html
=head1 JUDGEMENT
=begin html
(*1) PASS:The Solicit & Advertise & Request message must exchanged correctly.
NUT will respond with Reply message. The Reply message must include
Server ID option, Client ID and Authentication option, and check its
'msg-type' and 'transaction ID' OK.
=end html
=head1 TERMINATION
N/A
=head1 REFERENCE
=begin html
see also RFC3315
21.4.5 Server Considerations for Delayed Authentication protocol
22.11 Authentication Option
=end html
=head1 SEE ALSO
perldoc V6evalTool
=cut