On 6/10/13 8:17 PM, Michael Rash wrote:
On Jun 09, 2013, Blair Zajac wrote:

On 6/9/13 9:45 PM, Blair Zajac wrote:
On 6/9/13 7:20 PM, Michael Rash wrote:
On Jun 09, 2013, Michael Rash wrote:

On Jun 09, 2013, Blair Zajac wrote:

On 6/9/13 3:29 PM, Blair Zajac wrote:
I recalled that PPC is big endian so hacked the below patch in and was
able to get fwknop to work. I wouldn't use the patch for a good commit,
as it doesn't support 64-bit PPC systems and it's duplicated across two
files.

BTW, this is on Mac OS X 10.5.8 and the OS doesn't define BYTEORDER in a
standard header (I don't count ffi/*.h as standard headers):

$ find /usr/include -type f | xargs grep BYTEORDER
/usr/include/ffi/fficonfig.h:# define BYTEORDER 1234
/usr/include/ffi/fficonfig.h:# define BYTEORDER 1234
/usr/include/ffi/fficonfig.h:# define BYTEORDER 4321
/usr/include/ffi/fficonfig.h:# define BYTEORDER 4321
/usr/include/libkern/_OSByteOrder.h:#ifndef _OS__OSBYTEORDER_H
/usr/include/libkern/_OSByteOrder.h:#define _OS__OSBYTEORDER_H
/usr/include/libkern/_OSByteOrder.h:#endif /* ! _OS__OSBYTEORDER_H */
/usr/include/libkern/i386/_OSByteOrder.h:#ifndef _OS__OSBYTEORDERI386_H
/usr/include/libkern/i386/_OSByteOrder.h:#define _OS__OSBYTEORDERI386_H
/usr/include/libkern/i386/_OSByteOrder.h:#endif /* ! _OS__OSBYTEORDERI386_H */
/usr/include/libkern/i386/OSByteOrder.h:#ifndef _OS_OSBYTEORDERI386_H
/usr/include/libkern/i386/OSByteOrder.h:#define _OS_OSBYTEORDERI386_H
/usr/include/libkern/i386/OSByteOrder.h:#endif /* ! _OS_OSBYTEORDERI386_H */
/usr/include/libkern/machine/OSByteOrder.h:#ifndef _OS_OSBYTEORDERMACHINE_H
/usr/include/libkern/machine/OSByteOrder.h:#define _OS_OSBYTEORDERMACHINE_H
/usr/include/libkern/machine/OSByteOrder.h:#endif /* ! _OS_OSBYTEORDERMACHINE_H */
/usr/include/libkern/OSByteOrder.h:#ifndef _OS_OSBYTEORDER_H
/usr/include/libkern/OSByteOrder.h:#define _OS_OSBYTEORDER_H
/usr/include/libkern/OSByteOrder.h:#endif /* ! _OS_OSBYTEORDER_H */
/usr/include/libkern/ppc/OSByteOrder.h:#ifndef _OS_OSBYTEORDERPPC_H
/usr/include/libkern/ppc/OSByteOrder.h:#define _OS_OSBYTEORDERPPC_H
/usr/include/libkern/ppc/OSByteOrder.h:#endif /* ! _OS_OSBYTEORDERPPC_H */
/usr/include/sys/sysctl.h:#define HW_BYTEORDER 4 /* int: machine byte order */

Interesting, and thanks for the bug report for PPC systems. Seems like
fwknop could have a more generic way of making a guess for an endian
value. There is a section of code in lib/fko_common.h that does some of
this, but I think it could be extended:

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=lib/fko_common.h;h=24bb14c1bbc18d44c1927f1af440bf473d533269;hb=refs/heads/master#l91


For example, does your system have either _BIG_ENDIAN or __BIG_ENDIAN__
defined? If so, would the following patch work (which only defines
BYTEORDER if all other current measures have failed and then forces a
compile warning if this also fails)?:

Yes, either __BIG_ENDIAN__ or __LITTLE_ENDIAN__ is defined by the
compiler with no include files. The following prints either BIG or
LITTLE if run through `gcc -E`:

#ifdef __BIG_ENDIAN__
BIG
#endif

#ifdef __LITTLE_ENDIAN__
LITTLE
#endif

Or, a bit more elegantly:

diff --git a/lib/fko_common.h b/lib/fko_common.h
index 24bb14c..40f1c5b 100644
--- a/lib/fko_common.h
+++ b/lib/fko_common.h
@@ -103,6 +103,12 @@
#else
#error unable to determine BYTEORDER
#endif
+#elif defined(_BIG_ENDIAN) || defined(__BIG_ENDIAN__)
+ #define BYTEORDER 4321
+#elif defined(_LITTLE_ENDIAN) || defined(__LITTLE_ENDIAN__)
+ #define BYTEORDER 1234
+#else
+ #error unable to determine BYTEORDER
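
Review bot: `defined(_BIG_ENDIAN)` on the first added `#elif` is tested before `defined(_LITTLE_ENDIAN)` and only checks that the macro exists, so on a platform whose headers define both names as constants this branch would always select 4321; comparing against the platform's byte-order macro, or testing the compiler-provided `__BIG_ENDIAN__` / `__LITTLE_ENDIAN__` first, avoids that. The trailing `#else` / `#error unable to determine BYTEORDER` also repeats the `#error` already present in the context lines above; a single `#ifndef BYTEORDER` check after the whole chain would cover both paths.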

This presumes a 32-bit architecture though, since there's code in
lib/sha1.c that checks if BYTEORDER is 12345678 or 87654321. I think one
could check for __ppc__ and __i386__ for 32-bit and __ppc64__ and
__x86_64__ for 64-bit. If you don't have any of __ppc__, __i386__,
__ppc64__ or __x86_64__ defined then one could error.

Odd thing is, on my 1-year old Linux box, BYTEORDER is 1234 instead of
12345678, so maybe what I'm saying isn't correct.

In any case, I was thinking of something like this before I found that,
no need to have multiple #error's.

--- lib/fko_common.h.orig       2013-06-09 21:58:24.000000000 -0700
+++ lib/fko_common.h    2013-06-09 22:02:07.000000000 -0700
@@ -100,9 +100,23 @@
       #define BYTEORDER 4321
     #elif defined(_LITTLE_ENDIAN)
       #define BYTEORDER 1234
-  #else
-    #error unable to determine BYTEORDER
     #endif
+#elif defined(_BIG_ENDIAN) || defined(__BIG_ENDIAN__)
+  #if defined(__i386__) || defined(__ppc__)
+    #define BYTEORDER 4321
+  #elif defined(__x86_64__) || defined(__ppc64)
+    #define BYTEORDER 87654321
+  #endif
+#elif defined(_LITTLE_ENDIAN) || defined(__LITTLE_ENDIAN__)
+  #if defined(__i386__) || defined(__ppc__)
+    #define BYTEORDER 1234
+  #elif defined(__x86_64__) || defined(__ppc64)
+    #define BYTEORDER 12345678
+  #endif
+#endif
+
+#ifndef BYTEORDER
+  #error unable to determine BYTEORDER
   #endif

   #ifdef WIN32
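
Review bot: `defined(__ppc64)` in both added `#elif defined(__x86_64__) || defined(__ppc64)` lines lacks the trailing underscores that the other architecture macros in this hunk carry (`__ppc__`, `__i386__`, `__x86_64__`); if the compiler only provides `__ppc64__`, a 64-bit PPC build defines nothing here and ends at the final `#error`. The inner `#if` / `#elif` blocks also have no `#else`, so any architecture outside these four reaches that `#error` even though the outer test already established its endianness; consider an `#else` there. The `__i386__` and `__x86_64__` tests inside the big-endian branch can never match and could be dropped.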

I've applied your patch for fwknop-2.5-pre2.  One thing that would be
very interesting is to see whether the backwards compatibility tests
work on your PPC system since I think this will help to validate the
patch above:

- After fwknop has been compiled:

# cd fwknop-2.5-pre2/test
# ./test-fwknop.pl --include "backwards"

Trying this with pre3 gets the following:

/tmp/blair/fwknop-fwknop-2.5-pre3/test# ./test-fwknop.pl --include "backwards"

[+] Starting the fwknop test suite...

    args: --include backwards

    Saved results from previous run to: output.last/

[+] Total test buckets to execute: 8

[Rijndael] [client->server backwards compatibility] v2.0............fail (1)
[Rijndael] [client->server backwards compatibility] v2.0.1..........fail (2)
[Rijndael] [client->server backwards compatibility] v2.0.2..........fail (3)
[Rijndael] [client->server backwards compatibility] v2.0.3..........fail (4)
[Rijndael] [client->server backwards compat.] v2.0.3 dual keys......fail (5)
[Rijndael] [client->server backwards compatibility] v2.0.4..........fail (6)
[Rijndael] [client->server backwards compat.] v2.0.4 dual keys......fail (7)
[Rijndael] [client->server backwards compat.] v2.0.4 truncated key..fail (8)

    Run time: 1.95 minutes

[+] 0/8/8 test buckets passed/failed/executed


I've attached the output from a single test. Since this is running on my client PowerBook, what do you suggest for testing?

Blair
[+] TEST: [Rijndael] [client->server backwards compatibility] v2.0
[.] start_fwknopd() looking for 'main event loop' string, try: 0
[+] send_packets(): Sending the following packets...
$VAR1 = [
          {
            'proto' => 'udp',
            'data' => 
'9ptGrLs8kVGVludcXFy17opvThEYzTeaT7RVlCN66W/G9QZs9BBevEQ0xxI8eCnKPDM+Bu9g0XwmCEVxxg+4jwBwtbCxVt9t5aSR29EVWZ6UAOwLkunK3t4FYBy1tL55krFt+1B2TtNSAH005kyDEZEOIGoY9Q/iU',
            'port' => 62201,
            'dst_ip' => '127.0.0.1'
          }
        ];
[.] send_packets() looking for fwknopd to receive packet, try: 0
[.] send_packets() looking for fwknopd to receive packet, try: 1
[.] send_packets() looking for fwknopd to receive packet, try: 2
[.] send_packets() looking for fwknopd to receive packet, try: 3
[.] send_packets() looking for fwknopd to receive packet, try: 4
[.] send_packets() looking for fwknopd to receive packet, try: 5
[.] send_packets() looking for fwknopd to receive packet, try: 6
[.] send_packets() looking for fwknopd to receive packet, try: 7
[.] send_packets() looking for fwknopd to receive packet, try: 8
[.] send_packets() looking for fwknopd to receive packet, try: 9
Wed Jul  3 18:26:54 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid --fw-list | 
grep -v "# DISABLED" |grep _exp_
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 1'': 
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 2'': 
[.] new fw rule does not exist.
Wed Jul  3 18:26:55 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid --fw-list | 
grep -v "# DISABLED" |grep _exp_
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 1'': 
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 2'': 
[.] new fw rule does not exist.
Wed Jul  3 18:26:56 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid --fw-list | 
grep -v "# DISABLED" |grep _exp_
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 1'': 
Error 256 from cmd:'/sbin/ipfw -d -S -T list | grep 'set 2'': 
[.] new fw rule does not exist.
Wed Jul  3 18:26:56 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid --status
Detected fwknopd is running (pid=20031).
[+] stop_fwknopd() fwknopd is running, pid: 20031
Wed Jul  3 18:26:57 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -K
Killed fwknopd (pid=20031)
Wed Jul  3 18:26:57 2013 CMD: LD_LIBRARY_PATH=../lib/.libs 
../server/.libs/fwknopd -c conf/default_fwknopd.conf -a 
conf/default_access.conf -d run/digest.cache -p run/fwknopd.pid -K
Killed fwknopd (pid=20031)
[.] stop_fwknopd() looking for fwknopd receiving SIGTERM, try: 0
[-] fw_rule_created=0 but new rule required, setting rv=0
[-] fw_rule_removed=0 but new rule removal requied, setting rv=0
[-] server_positive_output_matches not met, setting rv=0
[.] client_server_interaction() rv: 0, server_was_stopped: 1, fw_rule_created: 
0, fw_rule_removed: 0
[-] new fw rule not created.
[+] TEST: [Rijndael] [client->server backwards compatibility] v2.0
Wed Jul  3 18:26:44 2013 CMD: LD_LIBRARY_PATH=../lib/.libs  
../server/.libs/fwknopd -c conf/disable_aging_fwknopd.conf -a 
conf/legacy_iv_access.conf -d run/digest.cache -p run/fwknopd.pid -i lo0 
--foreground --verbose --verbose
Run directory: /tmp/f25-3/var/run/fwknop does not exist.  Attempting to create 
it.
Successfully created Run directory: /tmp/f25-3/var/run/fwknop
Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
Error trying to open PID file: : No such file or directory
[+] Writing my PID (20031) to the lock file: run/fwknopd.pid
Starting fwknopd
Current fwknopd config settings:
  0. CONFIG_FILE                  =  'conf/disable_aging_fwknopd.conf'
  1. OVERRIDE_CONFIG              =  'conf/disable_aging_fwknopd.conf'
  2. PCAP_INTF                    =  'lo0'
  3. PCAP_FILE                    =  '<not set>'
  4. ENABLE_PCAP_PROMISC          =  'N'
  5. PCAP_FILTER                  =  'udp port 62201'
  6. PCAP_DISPATCH_COUNT          =  '0'
  7. PCAP_LOOP_SLEEP              =  '100000'
  8. ENABLE_PCAP_ANY_DIRECTION    =  '<not set>'
  9. MAX_SNIFF_BYTES              =  '1500'
 10. ENABLE_SPA_PACKET_AGING      =  'N'
 11. MAX_SPA_PACKET_AGE           =  '120'
 12. ENABLE_DIGEST_PERSISTENCE    =  'Y'
 13. CMD_EXEC_TIMEOUT             =  '<not set>'
 14. ENABLE_SPA_OVER_HTTP         =  'N'
 15. ENABLE_TCP_SERVER            =  'N'
 16. TCPSERV_PORT                 =  '62201'
 17. LOCALE                       =  '<not set>'
 18. SYSLOG_IDENTITY              =  'fwknopd'
 19. SYSLOG_FACILITY              =  'LOG_DAEMON'
 20. FLUSH_IPFW_AT_INIT           =  'Y'
 21. FLUSH_IPFW_AT_EXIT           =  'Y'
 22. IPFW_START_RULE_NUM          =  '10000'
 23. IPFW_MAX_RULES               =  '65535'
 24. IPFW_ACTIVE_SET_NUM          =  '1'
 25. IPFW_EXPIRE_SET_NUM          =  '2'
 26. IPFW_EXPIRE_PURGE_INTERVAL   =  '30'
 27. IPFW_ADD_CHECK_STATE         =  'N'
 28. FWKNOP_RUN_DIR               =  '/tmp/f25-3/var/run/fwknop'
 29. FWKNOP_CONF_DIR              =  '/tmp/f25-3/etc/fwknop'
 30. ACCESS_FILE                  =  'conf/legacy_iv_access.conf'
 31. FWKNOP_PID_FILE              =  'run/fwknopd.pid'
 32. DIGEST_FILE                  =  'run/digest.cache'
 33. GPG_HOME_DIR                 =  '/root/.gnupg'
 34. FIREWALL_EXE                 =  '/sbin/ipfw'
 35. VERBOSE                      =  '<not set>'

Current fwknopd access settings:
SOURCE (1):  ANY
==============================================================
                 OPEN_PORTS:  <not set>
             RESTRICT_PORTS:  <not set>
                        KEY:  <see the access.conf file>
                 KEY_BASE64:  <not set>
                    KEY_LEN:  10
                   HMAC_KEY:  <not set>
            HMAC_KEY_BASE64:  <not set>
               HMAC_KEY_LEN:  0
          FW_ACCESS_TIMEOUT:  3
            ENABLE_CMD_EXEC:  No
              CMD_EXEC_USER:  <not set>
           REQUIRE_USERNAME:  <not set>
     REQUIRE_SOURCE_ADDRESS:  No
             FORCE_NAT (ip):  <not set>
          FORCE_NAT (proto):  <not set>
           FORCE_NAT (port):  0
              ACCESS_EXPIRE:  <not set>
               GPG_HOME_DIR:  <not set>
             GPG_DECRYPT_ID:  <not set>
             GPG_DECRYPT_PW:  <not set>
            GPG_REQUIRE_SIG:  No
GPG_IGNORE_SIG_VERIFY_ERROR:  No
              GPG_REMOTE_ID:  <not set>


Using Digest Cache: 'run/digest.cache' (entry count = 0)
ipfw_set_exists() CMD: '/sbin/ipfw -S list | grep 'set 1'' (res: 0)
fw_initialize() CMD: '/sbin/ipfw set disable 2' (res: 0, err: )
Set ipfw expire set 2 to disabled.
fw_initialize() CMD: '/sbin/ipfw -S list | grep 'set 2'' (res: 0)
RULES LIST: 
Sniffing interface: lo0
PCAP filter is: 'udp port 62201'
Starting fwknopd main event loop.
Gracefully leaving the fwknopd event loop.
Got SIGTERM.  Exiting...
Shutting Down fwknopd.
ipfw_set_exists() CMD: '/sbin/ipfw -S list | grep 'set 1'' (res: 0)
[.] file_find_regex() Matched '(?-xism:Got\sSIGTERM)' with line: Got SIGTERM.  
Exiting...
[.] file_find_regex() Did not match regex '(?-xism:with expire time)' from 
regexs: '(?-xism:with expire time)' within file: output/1_fwknopd.test
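
To illustrate the BYTEORDER dependence discussed in this thread, here is an added example that is not part of the original messages or of fwknop's code: a runtime probe of the host byte order next to a word load that trusts an assumed order, checked against a portable load. All function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Runtime probe: 4321 = big endian, 1234 = little endian, 0 = other. */
static int runtime_byteorder(void)
{
    const uint32_t probe = 0x01020304u;
    unsigned char b[sizeof probe];
    memcpy(b, &probe, sizeof probe);
    if (b[0] == 0x01 && b[3] == 0x04) return 4321;
    if (b[0] == 0x04 && b[3] == 0x01) return 1234;
    return 0;
}

/* Portable big-endian load: correct on any host, no macro needed. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Hypothetical stand-in for code keyed on a compile-time byte-order constant. */
static uint32_t load_be32_assuming(const unsigned char *p, int assumed)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return assumed == 1234 ? swap32(v) : v;
}

/* Returns 1 when the assumed order reproduces the portable result.
 * Sample bytes are constructed: "abc" followed by a 0x80 padding byte. */
static int assumed_order_is_safe(int assumed)
{
    static const unsigned char msg[4] = { 0x61, 0x62, 0x63, 0x80 };
    return load_be32_assuming(msg, assumed) == load_be32(msg);
}

int main(void)
{
    int order = runtime_byteorder();
    printf("host byte order %d, safe=%d\n", order, assumed_order_is_safe(order));
    return 0;
}
```

A wrong assumed order still compiles and runs; it only shows up as different word values, which is why a mis-detected BYTEORDER surfaces as a runtime mismatch rather than a build failure.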