On 06/10/2013 08:17 PM, Michael Rash wrote:
> On Jun 09, 2013, Blair Zajac wrote:
>
>> On 6/9/13 9:45 PM, Blair Zajac wrote:
>>> On 6/9/13 7:20 PM, Michael Rash wrote:
>>>> On Jun 09, 2013, Michael Rash wrote:
>>>>
>>>>> On Jun 09, 2013, Blair Zajac wrote:
>>>>>
>>>>>> On 6/9/13 3:29 PM, Blair Zajac wrote:
>>>>>>> I recalled that PPC is big endian so hacked the below patch in and was
>>>>>>> able to get fwknop to work. I wouldn't use the patch for a good
>>>>>>> commit,
>>>>>>> as it doesn't support 64-bit PPC systems and it's duplicated across two
>>>>>>> files.
>>>>>>
>>>>>> BTW, this is on Mac OS X 10.5.8 and the OS doesn't define BYTEORDER
>>>>>> in a
>>>>>> standard header (I don't count ffi/*.h as standard headers):
>>>>>>
>>>>>> $ find /usr/include -type f | xargs grep BYTEORDER
>>>>>> /usr/include/ffi/fficonfig.h:# define BYTEORDER 1234
>>>>>> /usr/include/ffi/fficonfig.h:# define BYTEORDER 1234
>>>>>> /usr/include/ffi/fficonfig.h:# define BYTEORDER 4321
>>>>>> /usr/include/ffi/fficonfig.h:# define BYTEORDER 4321
>>>>>> /usr/include/libkern/_OSByteOrder.h:#ifndef _OS__OSBYTEORDER_H
>>>>>> /usr/include/libkern/_OSByteOrder.h:#define _OS__OSBYTEORDER_H
>>>>>> /usr/include/libkern/_OSByteOrder.h:#endif /* ! _OS__OSBYTEORDER_H */
>>>>>> /usr/include/libkern/i386/_OSByteOrder.h:#ifndef _OS__OSBYTEORDERI386_H
>>>>>> /usr/include/libkern/i386/_OSByteOrder.h:#define _OS__OSBYTEORDERI386_H
>>>>>> /usr/include/libkern/i386/_OSByteOrder.h:#endif /* !
>>>>>> _OS__OSBYTEORDERI386_H */
>>>>>> /usr/include/libkern/i386/OSByteOrder.h:#ifndef _OS_OSBYTEORDERI386_H
>>>>>> /usr/include/libkern/i386/OSByteOrder.h:#define _OS_OSBYTEORDERI386_H
>>>>>> /usr/include/libkern/i386/OSByteOrder.h:#endif /* !
>>>>>> _OS_OSBYTEORDERI386_H */
>>>>>> /usr/include/libkern/machine/OSByteOrder.h:#ifndef
>>>>>> _OS_OSBYTEORDERMACHINE_H
>>>>>> /usr/include/libkern/machine/OSByteOrder.h:#define
>>>>>> _OS_OSBYTEORDERMACHINE_H
>>>>>> /usr/include/libkern/machine/OSByteOrder.h:#endif /* !
>>>>>> _OS_OSBYTEORDERMACHINE_H */
>>>>>> /usr/include/libkern/OSByteOrder.h:#ifndef _OS_OSBYTEORDER_H
>>>>>> /usr/include/libkern/OSByteOrder.h:#define _OS_OSBYTEORDER_H
>>>>>> /usr/include/libkern/OSByteOrder.h:#endif /* ! _OS_OSBYTEORDER_H */
>>>>>> /usr/include/libkern/ppc/OSByteOrder.h:#ifndef _OS_OSBYTEORDERPPC_H
>>>>>> /usr/include/libkern/ppc/OSByteOrder.h:#define _OS_OSBYTEORDERPPC_H
>>>>>> /usr/include/libkern/ppc/OSByteOrder.h:#endif /* !
>>>>>> _OS_OSBYTEORDERPPC_H */
>>>>>> /usr/include/sys/sysctl.h:#define HW_BYTEORDER 4 /* int: machine byte
>>>>>> order */
>>>>>
>>>>> Interesting, and thanks for the bug report for PPC systems. Seems like
>>>>> fwknop could have a more generic way of making a guess for an endian
>>>>> value. There is a section of code in lib/fko_common.h that does some of
>>>>> this, but I think it could be extended:
>>>>>
>>>>> http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=lib/fko_common.h;h=24bb14c1bbc18d44c1927f1af440bf473d533269;hb=refs/heads/master#l91
>>>>>
>>>>>
>>>>> For example, does your system have either _BIG_ENDIAN or __BIG_ENDIAN__
>>>>> defined? If so, would the following patch work (which only defines
>>>>> BYTEORDER if all other current measures have failed and then forces a
>>>>> compile warning if this also fails)?:
>>>
>>> Yes, either __BIG_ENDIAN__ or __LITTLE_ENDIAN__ is defined by the
>>> compiler with no include files. The following prints either BIG or
>>> LITTLE if run through `gcc -E`
>>>
>>> #ifdef __BIG_ENDIAN__
>>> BIG
>>> #endif
>>>
>>> #ifdef __LITTLE_ENDIAN__
>>> LITTLE
>>> #endif
>>>
>>>> Or, a bit more elegantly:
>>>>
>>>> diff --git a/lib/fko_common.h b/lib/fko_common.h
>>>> index 24bb14c..40f1c5b 100644
>>>> --- a/lib/fko_common.h
>>>> +++ b/lib/fko_common.h
>>>> @@ -103,6 +103,12 @@
>>>> #else
>>>> #error unable to determine BYTEORDER
>>>> #endif
>>>> +#elif defined(_BIG_ENDIAN) || defined(__BIG_ENDIAN__)
>>>> + #define BYTEORDER 4321
>>>> +#elif defined(_LITTLE_ENDIAN) || defined(__LITTLE_ENDIAN__)
>>>> + #define BYTEORDER 1234
>>>> +#else
>>>> + #error unable to determine BYTEORDER
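Review bot: the `#else` / `#error unable to determine BYTEORDER` added at the end of this hunk repeats the identical `#error` kept as context just above the first `+` line. Because that inner `#else` stays in place, a build that reaches it still stops there and never gets to the new `_BIG_ENDIAN` / `__BIG_ENDIAN__` tests. Consider dropping the inner `#error` and checking once, after the whole chain, that BYTEORDER was defined. Note also that `defined()` only tests presence, so if a header defines both `_BIG_ENDIAN` and `_LITTLE_ENDIAN`, the first branch always wins and yields 4321.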
>>>
>>> This presumes a 32-bit architecture though, since there's code in
>>> lib/sha1.c that checks if BYTEORDER is 12345678 or 87654321. I think one
>>> could check for __ppc__ and __i386__ for 32-bit and __ppc64__ and
>>> __x86_64__ for 64-bit. If you don't have any of __ppc__, __i386__,
>>> __ppc64__ or __x86_64__ defined then one could error.
>>
>> Odd thing is, on my 1-year-old Linux box, BYTEORDER is 1234 instead of
>> 12345678, so maybe what I'm saying isn't correct.
>>
>> In any case, I was thinking of something like this before I found that,
>> no need to have multiple #error's.
>>
>> --- lib/fko_common.h.orig    2013-06-09 21:58:24.000000000 -0700
>> +++ lib/fko_common.h 2013-06-09 22:02:07.000000000 -0700
>> @@ -100,9 +100,23 @@
>>        #define BYTEORDER 4321
>>      #elif defined(_LITTLE_ENDIAN)
>>        #define BYTEORDER 1234
>> -  #else
>> -    #error unable to determine BYTEORDER
>>      #endif
>> +#elif defined(_BIG_ENDIAN) || defined(__BIG_ENDIAN__)
>> +  #if defined(__i386__) || defined(__ppc__)
>> +    #define BYTEORDER 4321
>> +  #elif defined(__x86_64__) || defined(__ppc64)
>> +    #define BYTEORDER 87654321
>> +  #endif
>> +#elif defined(_LITTLE_ENDIAN) || defined(__LITTLE_ENDIAN__)
>> +  #if defined(__i386__) || defined(__ppc__)
>> +    #define BYTEORDER 1234
>> +  #elif defined(__x86_64__) || defined(__ppc64)
>> +    #define BYTEORDER 12345678
>> +  #endif
>> +#endif
>> +
>> +#ifndef BYTEORDER
>> +  #error unable to determine BYTEORDER
>>    #endif
>>
>>    #ifdef WIN32
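Review bot: `defined(__ppc64)` in both `#elif defined(__x86_64__) || defined(__ppc64)` lines lacks the trailing underscores used by every other architecture macro in the hunk (`__ppc__`, `__i386__`, `__x86_64__`). If `__ppc64__` was meant, the 64-bit PPC case defines nothing and ends at the final `#error`. Separately, when an endian macro is defined but none of the four architecture macros is, BYTEORDER stays undefined even though the byte order is already known; an `#else` carrying the 4321 / 1234 value in each inner block would keep other architectures building.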
>
> I've applied your patch for fwknop-2.5-pre2.  One thing that would be
> very interesting is to see whether the backwards compatibility tests
> work on your PPC system since I think this will help to validate the
> patch above:
>
> - After fwknop has been compiled:
>
> # cd fwknop-2.5-pre2/test
> # ./test-fwknop.pl --include "backwards"

On my 10.5.8 system:


root@powerbook:/tmp/blair/fwknop-2.5-pre2/test# cat xxa

[+] Starting the fwknop test suite...

     args: --include backwards

     Saved results from previous run to: output.last/

[+] Total test buckets to execute: 8

[Rijndael] [client->server backwards compatibility] v2.0............fail (1)
[Rijndael] [client->server backwards compatibility] v2.0.1..........fail (2)
[Rijndael] [client->server backwards compatibility] v2.0.2..........fail (3)
[Rijndael] [client->server backwards compatibility] v2.0.3..........fail (4)
[Rijndael] [client->server backwards compat.] v2.0.3 dual keys......fail (5)
[Rijndael] [client->server backwards compatibility] v2.0.4..........fail (6)
[Rijndael] [client->server backwards compat.] v2.0.4 dual keys......fail (7)
[Rijndael] [client->server backwards compat.] v2.0.4 truncated key..fail (8)

     Run time: 1.93 minutes

[+] 0/8/8 test buckets passed/failed/executed






$ cat output/1.test
[+] TEST: [Rijndael] [client->server backwards compatibility] v2.0
[.] start_fwknopd() found 'main event loop' string
[+] send_packets(): Sending the following packets...
$VAR1 = [
           {
             'proto' => 'udp',
             'data' => 
'9ptGrLs8kVGVludcXFy17opvThEYzTeaT7RVlCN66W/G9QZs9BBevEQ0xxI8eCnKPDM+Bu9g0XwmCEVxxg+4jwBwtbCxVt9t5aSR29EVWZ6UAOwLkunK3t4FYBy1tL55krFt+1B2TtNSAH005kyDEZEOIGoY9Q/iU',
             'port' => 62201,
             'dst_ip' => '127.0.0.1'
           }
         ];
[.] send_packets() looking for fwknopd to receive packet, try: 0
[.] send_packets() looking for fwknopd to receive packet, try: 1
[.] send_packets() looking for fwknopd to receive packet, try: 2
[.] send_packets() looking for fwknopd to receive packet, try: 3
[.] send_packets() looking for fwknopd to receive packet, try: 4
[.] send_packets() looking for fwknopd to receive packet, try: 5
[.] send_packets() looking for fwknopd to receive packet, try: 6
[.] send_packets() looking for fwknopd to receive packet, try: 7
[.] send_packets() looking for fwknopd to receive packet, try: 8
[.] send_packets() looking for fwknopd to receive packet, try: 9
Tue Jun 11 05:20:14 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid 
--fw-list | grep -v "# DISABLED" |grep _exp_
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 1'':
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 2'':
[.] new fw rule does not exist.
Tue Jun 11 05:20:15 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid 
--fw-list | grep -v "# DISABLED" |grep _exp_
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 1'':
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 2'':
[.] new fw rule does not exist.
Tue Jun 11 05:20:16 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid 
--fw-list | grep -v "# DISABLED" |grep _exp_
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 1'':
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 2'':
[.] new fw rule does not exist.
Tue Jun 11 05:20:16 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid --status
Detected fwknopd is running (pid=77271).
[+] stop_fwknopd() fwknopd is running, pid: 77271
Tue Jun 11 05:20:16 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -K
Killed fwknopd (pid=77271)
Tue Jun 11 05:20:16 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -K
Killed fwknopd (pid=77271)
[.] stop_fwknopd() looking for fwknopd receiving SIGTERM, try: 0
[-] fw_rule_created=0 but new rule required, setting rv=0
[-] fw_rule_removed=0 but new rule removal requied, setting rv=0
[-] server_positive_output_matches not met, setting rv=0
[.] client_server_interaction() rv: 0, server_was_stopped: 1, 
fw_rule_created: 0, fw_rule_removed: 0
[-] new fw rule not created.




cat output/1_fwknopd.test
[+] TEST: [Rijndael] [client->server backwards compatibility] v2.0
Tue Jun 11 05:20:04 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/disable_aging_fwknopd.conf -a 
conf/legacy_iv_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo0 
--foreground --verbose --verbose
Error trying to open PID file: : No such file or directory
[+] Writing my PID (77271) to the lock file: run/fwknopd.pid

Starting fwknopd
Current fwknopd config settings:
   0. CONFIG_FILE                  =  'conf/disable_aging_fwknopd.conf'
   1. OVERRIDE_CONFIG              =  'conf/disable_aging_fwknopd.conf'
   2. PCAP_INTF                    =  'lo0'
   3. PCAP_FILE                    =  '<not set>'
   4. ENABLE_PCAP_PROMISC          =  'N'
   5. PCAP_FILTER                  =  'udp port 62201'
   6. PCAP_DISPATCH_COUNT          =  '0'
   7. PCAP_LOOP_SLEEP              =  '100000'
   8. ENABLE_PCAP_ANY_DIRECTION    =  '<not set>'
   9. MAX_SNIFF_BYTES              =  '1500'
  10. ENABLE_SPA_PACKET_AGING      =  'N'
  11. MAX_SPA_PACKET_AGE           =  '120'
  12. ENABLE_DIGEST_PERSISTENCE    =  'Y'
  13. CMD_EXEC_TIMEOUT             =  '<not set>'
  14. ENABLE_SPA_OVER_HTTP         =  'N'
  15. ENABLE_TCP_SERVER            =  'N'
  16. TCPSERV_PORT                 =  '62201'
  17. LOCALE                       =  '<not set>'
  18. SYSLOG_IDENTITY              =  'fwknopd'
  19. SYSLOG_FACILITY              =  'LOG_DAEMON'
  20. FLUSH_IPFW_AT_INIT           =  'Y'
  21. FLUSH_IPFW_AT_EXIT           =  'Y'
  22. IPFW_START_RULE_NUM          =  '10000'
  23. IPFW_MAX_RULES               =  '65535'
  24. IPFW_ACTIVE_SET_NUM          =  '1'
  25. IPFW_EXPIRE_SET_NUM          =  '2'
  26. IPFW_EXPIRE_PURGE_INTERVAL   =  '30'
  27. IPFW_ADD_CHECK_STATE         =  'N'
  28. FWKNOP_RUN_DIR               =  '/tmp/f2.5p2/var/run/fwknop'
  29. FWKNOP_CONF_DIR              =  '/tmp/f2.5p2/etc/fwknop'
  30. ACCESS_FILE                  =  'conf/legacy_iv_access.conf'
  31. FWKNOP_PID_FILE              =  'run/fwknopd.pid'
  32. DIGEST_FILE                  =  'run/digest.cache'
  33. GPG_HOME_DIR                 =  '/root/.gnupg'
  34. FIREWALL_EXE                 =  '/sbin/ipfw'

Current fwknopd access settings:
SOURCE (1):  ANY
==============================================================
                  OPEN_PORTS:  <not set>
              RESTRICT_PORTS:  <not set>
                         KEY:  <see the access.conf file>
                  KEY_BASE64:  <not set>
                     KEY_LEN:  10
                    HMAC_KEY:  <not set>
             HMAC_KEY_BASE64:  <not set>
                HMAC_KEY_LEN:  0
           FW_ACCESS_TIMEOUT:  3
             ENABLE_CMD_EXEC:  No
               CMD_EXEC_USER:  <not set>
            REQUIRE_USERNAME:  <not set>
      REQUIRE_SOURCE_ADDRESS:  No
              FORCE_NAT (ip):  <not set>
           FORCE_NAT (proto):  <not set>
            FORCE_NAT (port):  0
               ACCESS_EXPIRE:  <not set>
                GPG_HOME_DIR:  <not set>
              GPG_DECRYPT_ID:  <not set>
              GPG_DECRYPT_PW:  <not set>
             GPG_REQUIRE_SIG:  No
GPG_IGNORE_SIG_VERIFY_ERROR:  No
               GPG_REMOTE_ID:  <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 0)
ipfw_set_exists() CMD: '/sbin/ipfw -S list | grep 'set 1'' (res: 0)
fw_initialize() CMD: '/sbin/ipfw set disable 2' (res: 0, err: )
Set ipfw expire set 2 to disabled.
fw_initialize() CMD: '/sbin/ipfw -S list | grep 'set 2'' (res: 0)
RULES LIST:
Sniffing interface: lo0
PCAP filter is: 'udp port 62201'
Starting fwknopd main event loop.
Gracefully leaving the fwknopd event loop.
Got SIGTERM.  Exiting...
Shutting Down fwknopd.
ipfw_set_exists() CMD: '/sbin/ipfw -S list | grep 'set 1'' (res: 0)
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got 
SIGTERM.  Exiting...
[.] file_find_regex() Did not match regex '(?-xism:with expire time)' 
from regexs: '(?-xism:with expire time)' within file: output/1_fwknopd.test



Blair
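
As an added example (not part of the thread and not fwknop code): a compile-time byte-order guess built from the macro names discussed above, checked against what the running CPU actually does, next to a big-endian word load that needs no BYTEORDER at all. `GUESSED_BYTEORDER`, the function names and the `__BYTE_ORDER__` fallback are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Compile-time guess from the macro names tested in the thread's patches; the
 * __BYTE_ORDER__ branches are an addition. 0 means unknown (the #error case). */
#if defined(__BIG_ENDIAN__) || (defined(_BIG_ENDIAN) && !defined(_LITTLE_ENDIAN))
#  define GUESSED_BYTEORDER 4321
#elif defined(__LITTLE_ENDIAN__) || (defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN))
#  define GUESSED_BYTEORDER 1234
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#  define GUESSED_BYTEORDER 4321
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#  define GUESSED_BYTEORDER 1234
#else
#  define GUESSED_BYTEORDER 0
#endif

/* What the CPU actually does with a multi-byte store. */
static int runtime_byteorder(void) {
    const uint32_t probe = 0x01020304u;
    unsigned char b[4];
    memcpy(b, &probe, sizeof b);
    return b[0] == 0x04 ? 1234 : (b[0] == 0x01 ? 4321 : 0);
}

/* Byte-order-independent big-endian load: correct on any host. */
static uint32_t load_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Macro-dependent load: returns the wrong word when the guess is wrong. */
static uint32_t load_be32_macro(const unsigned char *p) {
    uint32_t w;
    memcpy(&w, p, sizeof w);
#if GUESSED_BYTEORDER == 1234
    w = (w >> 24) | ((w >> 8) & 0xff00u) | ((w << 8) & 0xff0000u) | (w << 24);
#endif
    return w;
}

/* 1 when the guess matches the hardware and both loaders agree. */
static int byteorder_selftest(void) {
    static const unsigned char msg[4] = { 1, 2, 3, 4 }; /* constructed input */
    return GUESSED_BYTEORDER == runtime_byteorder() &&
           load_be32_macro(msg) == load_be32(msg);
}

int main(void) { return byteorder_selftest() ? 0 : 1; }
```

The program exits non-zero when the compile-time guess disagrees with the hardware, which makes it usable as a build-time check on a new platform.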

