NetworkConfiguration / dhcpcd

DHCP / IPv4LL / IPv6RA / DHCPv6 client.
https://roy.marples.name/projects/dhcpcd
BSD 2-Clause "Simplified" License

DHCPv6 server (reply) authtoken must be in hex form to be accepted by dhcpcd; dhcpcd should also accept text notation #133

Closed moviuro closed 1 year ago

moviuro commented 2 years ago

Hi,

I'm trying to continue where this email thread left off.

Just as Mattieu then, I'm trying to have dhcpcd request an IPv6 from Orange France. I have a known-good, working value for the auth that can be generated with this script:

#!/bin/sh
# /etc/dhclient.conf does *MOST* of what we need. (IPv4)
# only option-90 is problematic

# Heavily inspired by https://lafibre.info/remplacer-livebox/tuto-remplacer-la-livebox-par-un-routeur-dd-wrt-internet-tv/

: "${FTI_USER?"Missing mandatory variable"}"
: "${FTI_PASS?"Missing mandatory variable"}"

if ! command -v md5 >/dev/null 2>&1; then
  md5() {
    md5sum | cut -c 1-32
  }
fi

# translates individual characters to their hex counterpart and prefixes each
# with `:`
# __tohex foo
# > :66:6f:6f
__tohex() {
  printf '%s' "$1" | hexdump -ve '1/1 ":%.2x"'
}

case "$FTI_USER" in
  fti/*) : ;;
  *) FTI_USER="fti/$FTI_USER" ;;
esac

# random strings
# let's hope this never changes, because if Orange starts using "predictable"
# strings, we're in deep (think: TOTP)
: "${_r:="$(openssl rand -base64 12)"}"
: "${_c:="$(openssl rand -base64 1 | cut -c 1)"}"
# "header"
_o90="00:00:00:00:00:00:00:00:00:00:00:1a:09:00:00:05:58:01:03:41"
_o90="$_o90:01:0d$(__tohex "$FTI_USER")"
_o90="$_o90:3c:12$(__tohex "$_r")"
_o90="$_o90:03:13$(__tohex "$_c")"
_o90="$_o90$(printf '%s' "$_c$FTI_PASS$_r" | md5 | sed 's/\(..\)/:\1/g')"

cat << EOO
# Generated on $(date) with
# r = $_r
# c = $_c
  send option-90 $_o90 ;
EOO

The issue of course is that the output of this script does not map to ASCII-only characters. To use dhcpcd, I need to pass a hex stream starting with 1a:09:00:00:05:58:01:03:41:... as an authtoken. Following is stuff I tried which does not work:

Nota: I got a DHCP client to work by passing it that hex stream, but said client is getting discontinued (isc-dhclient) and my OS (OpenBSD) does not ship with a DHCPv6 client.

FWIW my dhcpcd.conf:

noipv6rs
ipv6only
nohook resolv.conf hostname ntp.conf
allowinterfaces vlan832
debug

# https://blog.brimbelle.org/index.php/2018/04/30/fibre-orange-ipv6-et-dhcpcd/
interface vlan832
        #For CLIENT_ID (option 1), confirmed working:
        # 0003001<MAC_ADDRESS> in /var/db/dhcpcd/duid
        # no other option necessary here
        iaid    022e5cd4
        ia_pd   022e5cd4
        # ^ ia_pd should send 2 timestamps at ffff, but using `leasetime -1` does not work
        # ^ ia_pd however sends the correct iaid
        # This below only works with dhcpcd (it prepends 00:2b)
        userclass FSVDSL_livebox.Internet.softathome.Livebox4
        vendclass 1038 sagem
        # TODO : review auth
        # XXX
        option auth

moviuro commented 2 years ago

Nota: this bug happens on OpenBSD's dhcpcd v9.4.1v0, but it looks like it doesn't happen on master (see #101 ). This is very promising.

The following dhcpcd config works with the master version (4627c5d80fd677531878a819d30ad9f6d385b50b), but there is a consistency issue with it:

noipv6rs
ipv6only
nohook resolv.conf hostname ntp.conf
allowinterfaces vlan832
debug

# https://blog.brimbelle.org/index.php/2018/04/30/fibre-orange-ipv6-et-dhcpcd/
interface vlan832
        #For CLIENT_ID (option 1), confirmed working:
        # 0003001<MAC_ADDRESS> in /var/db/dhcpcd/duid
        # no other option necessary here
        #ia_na  1
        iaid    022e5cd4
        ia_pd   022e5cd4
        # ^ ia_pd should send 2 timestamps at ffff, but using `leasetime -1` does not work
        # ^ia_pd however sends the correct iaid
        #ia_pd  1//64   vlan49/0/64
        # This below only works with dhcpcd (it prepends 00:2b)
        userclass FSVDSL_livebox.Internet.softathome.Livebox4
        vendclass 1038 sagem
        authprotocol token 0x123/0x456
        authtoken 0x123 "" forever 1a:09:00:00:05:58:01:xx:xx:...:xx
        #authtoken 0x456 "" forever dhcpliveboxfr250
        # ^ this should work but it doesn't!
        # v this works but it really shouldn't be different from the line above
        authtoken 0x456 "" forever 64:68:63:70:6c:69:76:65:62:6f:78:66:72:32:35:30
        option auth

dhcpcd should accept both authtoken 0x456 "" forever 64:68:63:70:6c:69:76:65:62:6f:78:66:72:32:35:30 and authtoken 0x456 "" forever dhcpliveboxfr250 as the same. Using the text version throws:

# dhcpcd -dB vlan832
dhcpcd-9.99.0 starting
spawned privileged proxy on PID 58528
spawned network proxy on PID 1708
spawned controller proxy on PID 44893
DUID xx:xx:...:xx
authtoken needs a key
vlan832: spawned DHCP6 proxy fe80::xx:xx...xx on PID 69736
vlan832: executing: /libexec/dhcpcd-run-hooks PREINIT
vlan832: executing: /libexec/dhcpcd-run-hooks CARRIER
vlan832: IAID xx:xx:xx:xx
vlan832: reading lease: /var/db/dhcpcd/vlan832.lease6
vlan832: soliciting a DHCPv6 lease
vlan832: delaying SOLICIT6 (xid 0x260400), next in 1.0 seconds
vlan832: multicasting SOLICIT6 (xid 0x260400), next in 1.0 seconds
vlan832: authentication failed from fe80::ba0:bab: No such process     <<<<<<<<<<<<<<<<<<<<
vlan832: multicasting SOLICIT6 (xid 0x260400), next in 1.9 seconds
vlan832: authentication failed from fe80::ba0:bab: No such process     <<<<<<<<<<<<<<<<<<<<
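The two authtoken spellings in the comment above (text `dhcpliveboxfr250` and the colon-separated hex `64:68:...:30`) denote the same key bytes. The following added example, written for this page and not part of dhcpcd or the poster's script, normalises an authtoken key given in either notation to one canonical hex form so the two can be compared; it uses od(1) instead of the script's hexdump for portability and, like a real parser, must decide which notation it was given (a key is treated as hex only when every colon-separated group is exactly two hex digits).

```sh
#!/bin/sh
# Added example: canonicalise a dhcpcd-style authtoken key.
# Accepts either colon-separated hex pairs ("64:68:63") or plain text
# ("dhc") and returns lowercase colon-separated hex with no leading ':'.

# Bytes of a text string as colon-separated hex, e.g. "dhc" -> "64:68:63".
# Uses od(1) (POSIX) rather than hexdump(1); -v keeps repeated bytes.
text_to_hex() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d '\n' | tr -s ' ' ':' \
    | sed 's/^://; s/:$//'
}

# Succeeds only if $1 is hex notation: groups of exactly two hex digits
# separated by ':'. Anything else (letters outside a-f, odd-length groups)
# is taken to be a text key. Empty keys are rejected ("authtoken needs a key").
is_hex_key() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[!0-9a-fA-F:]*) return 1 ;;
  esac
  # grep -v finds any group that is not two hex digits
  printf '%s' "$1" | tr ':' '\n' | grep -qvE '^[0-9a-fA-F]{2}$' && return 1
  return 0
}

# Canonical hex form of a key in either notation; fails on an empty key.
key_to_hex() {
  [ -n "$1" ] || return 1
  if is_hex_key "$1"; then
    printf '%s' "$1" | tr 'A-F' 'a-f'
  else
    text_to_hex "$1"
  fi
}

# Succeeds if both keys decode to the same bytes.
keys_equal() {
  [ "$(key_to_hex "$1")" = "$(key_to_hex "$2")" ]
}
```

Note the inherent ambiguity: a text key that happens to consist only of two-character hex groups (for example `ab:cd`) is indistinguishable from hex notation, which is why a config format that accepts both needs a rule like this one (or an explicit quoting convention) and why the two authtoken lines in the issue were not treated as equivalent.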

rsmarples commented 1 year ago

Fixed in 6797c08b662e9a1ffb475f2b189603e88fc2f3cc