#!/usr/bin/perl # # Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 # Yokogawa Electric Corporation. # All rights reserved. # # Redistribution and use of this software in source and binary # forms, with or without modification, are permitted provided that # the following conditions and disclaimer are agreed and accepted # by the user: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with # the distribution. # # 3. Neither the names of the copyrighters, the name of the project # which is related to this software (hereinafter referred to as # "project") nor the names of the contributors may be used to # endorse or promote products derived from this software without # specific prior written permission. # # 4. No merchantable use may be permitted without prior written # notification to the copyrighters. # # 5. The copyrighters, the project and the contributors may prohibit # the use of this software at any time. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND # CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING # BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. 
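# IN NO EVENT SHALL THE
# COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# $Id: IKEv2-EN-I-1-1-9-1-D.seq,v 1.3 2008/11/28 10:16:18 doo Exp $
#
################################################################
#
# IKEv2.EN.I.1.1.9.1 Part D: the NUT (initiator) must carry its configured
# ID_KEY_ID identity in the IDi payload of its IKE_AUTH request.  TN1 plays
# the responder, answers IKE_SA_INIT and then matches the NUT's IKE_AUTH
# request against an expected-packet template whose IDi is patched below.
#

# NOTE(review): '..' is a relative @INC entry, so this sequence must be run
# from its own directory and a writable parent directory could substitute
# IKEv2.pm.  It is appended (push, not unshift) so real library paths win
# on a name clash; keep it that way.
BEGIN { push(@INC, '..'); }
END {}

use strict;
use warnings;
use IKEv2;

# Identity the NUT is configured to present as its IDi (ID_KEY_ID, type 11)
# and that TN1 expects back in the IKE_AUTH request.  A single definition is
# used for both the NUT configuration and the expected-packet template so the
# two cannot drift apart.
my $key_id = 'id_key_id';

my $remote   = 'common_remote_index';
my $selector = 'common_selector_index_outbound';

# Log one of the three-party message diagrams used throughout this sequence.
# $arrow is the full NUT<->TN1 line including the message description; the
# surrounding frame (header, spacer and terminating V's) is identical for
# every exchange.  Output is framed by a leading and a trailing newline.
sub log_diagram {
    my ($arrow) = @_;
    kLogHTML(join("\n",
        '',
        '    (I)             (R)',
        '    NUT             TN1',
        '     |               |',
        $arrow,
        '     |               |',
        '     V               V',
        '',
    ));
    return;
}

kLogHTML('TEST SETUP');

#------------------------------#
# register IKEv2.pm            #
#------------------------------#
IKEv2initialize('EN', 'EN')
    or IKEv2exitFatal('IKEv2 module initializing failure');

#------------------------------#
# change configuration         #
#------------------------------#
# No IP-address identity at all; exactly one KEY_ID identity, so the NUT has
# nothing else it could legitimately put into IDi.
my $conf = {
    'my_id.ipaddr' => [ ],
    'my_id.keyid'  => [ $key_id ],
};
IKEv2customize($conf)
    or IKEv2exitFatal('IKEv2 configuration failure');

#------------------------------#
# configure TN                 #
#------------------------------#
IKEv2setupTN()
    or IKEv2exitFatal('TN setup failure');

#------------------------------#
# configure NUT                #
#------------------------------#
IKEv2setupNUT()
    or IKEv2exitFatal('NUT setup failure');

kLogHTML('TEST PROCEDURE');

#------------------------------#
# prepare session handler      #
#------------------------------#
my $session = IKEv2create_session($remote);
defined($session)
    or IKEv2exitFatal('IKEv2 session creation failure');

#--------------------------------------#
# invoke IKE_SA_INIT request           #
#--------------------------------------#
log_diagram('     |-------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)');
IKEv2initiateNUT($selector)
    or IKEv2exitFatal('NUT initiation failure');

#--------------------------------------#
# receive IKE_SA_INIT request          #
#--------------------------------------#
# Not observing the request is a test failure (the NUT did not initiate),
# not a harness error, hence exitFail rather than exitFatal.
my $ike_sa_init_req_param =
    devel_IKEv2receive_IKE_SA_INIT_request($session, $remote);
unless (defined($ike_sa_init_req_param)) {
    kLogHTML(kDump_Common_Error());
    kLogHTML('Can\'t observe IKE_SA_INIT request.');
    IKEv2exitFail();
}

#--------------------------------------#
# send IKE_SA_INIT response            #
#--------------------------------------#
log_diagram('     |<--------------| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)');
my $ike_sa_init_resp_param =
    devel_IKEv2send_IKE_SA_INIT_response($session, $remote,
                                         $ike_sa_init_req_param);
unless (defined($ike_sa_init_resp_param)) {
    kLogHTML(kDump_Common_Error());
    IKEv2exitFatal('Can\'t send IKE_SA_INIT response.');
}

#--------------------------------------#
# generate keying material             #
#--------------------------------------#
# Needed to decrypt the SK payload of the NUT's IKE_AUTH request.  The
# meaning of the leading 0 argument is defined by IKEv2.pm (presumably the
# role/direction selector) - confirm against the module before changing it.
my $material = devel_IKEv2gen_keymat(0, $ike_sa_init_req_param,
                                        $ike_sa_init_resp_param);
unless (defined($material)) {
    kLogHTML(kDump_Common_Error());
    IKEv2exitFatal('Can\'t generate keying material.');
}

#--------------------------------------------------#
# prepare receive packet for IKE_AUTH request      #
# including IDi payload                            #
#--------------------------------------------------#
# Start from the common IKE_AUTH template and replace the IDi carried inside
# the encrypted (E) payload with the KEY_ID identity configured above.
#
# NOTE(review): this is a shallow copy - the payload hashes are shared with
# $exp_ike_auth_req->{'common_remote_index'}, so the edit below also reaches
# the common template.  Harmless for a single-part sequence; switch to a deep
# copy if the common template is reused after this point.
my @local_ike_auth_req = @{ $exp_ike_auth_req->{$remote} };

for my $payload (@local_ike_auth_req) {
    next unless $payload->{'self'} eq 'E';
    for my $inner (@{ $payload->{'innerPayloads'} }) {
        next unless $inner->{'self'} eq 'IDi';
        $inner->{'type'} = 'KEY_ID';
        # ID payload body = ID Type (1) + RESERVED (3) + Identification Data.
        # For "id_key_id" this is the 13 the sequence always expected.
        $inner->{'length'} = 4 + length($key_id);
        # Identification Data for ID_KEY_ID is the opaque octet string exactly
        # as configured.  The previous pack('H*', 'id_key_id') decoded the
        # ASCII name as hex digits and produced 5 garbage bytes, so the
        # expected value could never equal what a conforming NUT sends.
        # (Assumes the template holds 'value' as raw bytes, as the original
        # pack() call did - confirm against the comparator in IKEv2.pm.)
        $inner->{'value'} = $key_id;
        last;
    }
}
$exp_ike_auth_req->{'EN-I-1-1-9-1-D.1'} = \@local_ike_auth_req;

#--------------------------------------#
# receive IKE_AUTH request             #
#--------------------------------------#
log_diagram('     |-------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N(USE_TRANSPORT_MODE), SAi2, TSi, TSr})');
my $ike_auth_req_param = devel_IKEv2receive_IKE_AUTH_request(
    $session, 'EN-I-1-1-9-1-D.1',
    $ike_sa_init_req_param, $ike_sa_init_resp_param, $material);
unless (defined($ike_auth_req_param)) {
    kLogHTML(kDump_Common_Error());
    kLogHTML('Can\'t observe IKE_AUTH request.');
    IKEv2exitFail();
}

#--------------------------------------#
# exit with cleanup                    #
#--------------------------------------#
IKEv2exitPass();

#
# perldoc
#
########################################################################
__END__

=head1 Title

Test IKEv2.EN.I.1.1.9.1: Sending IDi Payload

Part D: ID_KEY_ID (BASIC)

=head1 Purpose

To verify an IKEv2 device transmits IDi payload properly.

=head1 References

* [RFC 4306] - Sections 3.5

=head1 Test Setup

* Network Topology

Connect the devices according to the Common Topology.

* Configuration

In each part, configure the devices according to the following configuration.

=begin html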

<table border="1">
<tr><th></th><th colspan="2">IDi payload which NUT sends to TN1</th></tr>
<tr><th></th><th>ID Type</th><th>Identification Data</th></tr>
<tr><td>Part D</td><td>ID_KEY_ID (11)</td><td>"id_key_id" (9 octets, sent as an opaque octet string)</td></tr>
</table>
=end html

* Pre-Sequence and Cleanup Sequence

IKEv2 on the NUT is disabled after each part.

=head1 Procedure

=begin html

<pre>
   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Judgement #1)
    |<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |                    | (Packet #1)
    |                    |
    |------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr})
    |                    | (Judgement #2)
    |                    |
    V                    V

 N: USE_TRANSPORT_MODE

Packet #1 See Common Packet #2
</pre>
=end html

Part D: ID_KEY_ID (BASIC)

13. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.

14. Observe the messages transmitted on Link A.

15. After reception of IKE_SA_INIT request from the NUT, TN1 responds with an IKE_SA_INIT response to the NUT.

16. Observe the messages transmitted on Link A.

=head1 Observable Result

Part D

Step 14: Judgment #1

The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed algorithms.

Step 16: Judgment #2

The NUT transmits an IKE_AUTH request including an ID payload which contains the value specified in the table above: ID Type ID_KEY_ID (11) and Identification Data equal to the 9-octet opaque string "id_key_id", i.e. an ID payload body (ID Type, RESERVED, Identification Data) of 13 octets.

=head1 Possible Problems

* None specific to IDi handling. Note that Judgment #1 checks the RFC 4306-era default proposal (3DES, HMAC-SHA1, 1024-bit MODP group 2); current guidance (RFC 8247) treats 3DES and MODP-1024 as legacy, so a NUT hardened to that guidance may not propose them. A failure at Judgment #1 for that reason is a proposal-policy mismatch, not a defect in the IDi payload.

=cut