On 25.10.2011, at 15:24, Diego Biurrun wrote:
> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>
>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>> @@ -253,7 +256,7 @@
>>>>
>>>> -test_check_firewall_LDFLAGS = -ldl
>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
>>>
>>> We have solved this differently elsewhere by #including the .c file to
>>> unit-test static functions.
>>
>> This has been discussed previously on the list:
>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
>
> But we currently don't favor that solution. If that needs changing,
> it's a topic for a separate merge request and would need to be changed
> in all places.
The change was necessary in order to comply with our unit-test for new code policy as unit-tests would otherwise not link correctly. The only other option I see right now is to merge the code without unit-tests.
>>>> - if (!hip_fw_verify_packet(common, tuple)) {
>>>> + if (!hipfw_midauth_verify_challenge(ctx, other_dir->midauth_nonce)) {
>>>> + HIP_ERROR("failed to verify midauth challenge\n");
>>>> + return 0;
>>>> + }
>>>
>>> 0 is returned in case of error?
>>
>> Yes, firewall/conntrack.c does not use the same semantics for return
>> values compared to the rest of the code.
>
> Then fix conntrack.c and don't make the code consistently inconsistent,
> cf. the boyscout rule.
This would further increase the (already huge) merge request. It's definitely out of focus of this branch.
>>>> --- firewall/firewall.c 2011-08-16 07:49:25 +0000
>>>> +++ firewall/firewall.c 2011-10-19 13:13:48 +0000
>>>> @@ -76,12 +76,13 @@
>>>> #include "lib/core/prefix.h"
>>>> #include "lib/core/util.h"
>>>> #include "hipd/hipd.h"
>>>> -#include "config.h"
>>>> #include "cache.h"
>>>> #include "common_types.h"
>>>> +#include "config.h"
>>>> #include "conntrack.h"
>>>> #include "esp_prot_api.h"
>>>> #include "esp_prot_conntrack.h"
>>>> +#include "firewall.h"
>>>> #include "firewall_control.h"
>>>> #include "firewall_defines.h"
>>>> #include "helpers.h"
>>>> @@ -90,9 +91,9 @@
>>>> #include "pisa.h"
>>>> #include "port_bindings.h"
>>>> #include "reinject.h"
>>>> +#include "rewrite.h"
>>>> #include "rule_management.h"
>>>> #include "user_ipsec_api.h"
>>>> -#include "firewall.h"
>>>
>>> The ordering is actually done on purpose. config.h is not in the same
>>> directory, same as the other #includes with directory prefixes and
>>> firewall.h directly "belongs" to firewall.c, so it made sense at the
>>> time to put it last and list all dependencies before. I have this
>>> feeling in the back of my head that the latter solved some real issue.
>>
>> 'make alltests' runs successfully. So, what exactly is your suggestion?
>
> My suggestion is not to change the #include ordering.
If the order of the includes is relevant, then there probably is some other problem in the header files. Everything is compiling nicely now. So I don't know what kind of issue you are talking about. How should header files generally be ordered in your opinion?
>>>> @@ -74,6 +81,8 @@
>>>> int modified;
>>>> };
>>>>
>>>> +#include "midauth.h"
>>>
>>> Why the peculiar placement of this #include?
>>
>> There is a cyclic redundancy between firewall/midauth.h (requires
>> definition of struct hip_fw_context) and firewall/firewall_defines.h
>> (requires definition of MIDAUTH_DEFAULT_NONCE_LENGTH). This helps
>> mitigating the problem.
>
> So fix the cyclic redundancy, don't add more workarounds.
I already tried moving the struct definition to firewall.h, but that only moved the problem somewhere else. The only solution I can see right now would be a file like firewall_defines2.h where I could move the struct. However, then I prefer the way it is implemented right now.
>>>> + if (!found) {
>>>> + HIP_ERROR("CHALLENGE_RESPONSE found, but no matching nonce\n");
>>>> + return ignore_missing_challenge_response ? 1 : 0;
>>>> + }
>>>> +
>>>> + return found ? 1 : 0;
>>>
>>> You just checked found, no need to do it again.
>>
>> I guess that this has been done to ensure correct type conversion from
>> bool to int.
>
> Read the code again, it's nonsense, "found" is initialized once and
> never set again.
On 25.10.2011, at 15:24, Diego Biurrun wrote: firewall_ LDFLAGS = -ldl firewall_ LDFLAGS = -ldl -z muldefs www.freelists. org/post/ hipl-dev/ Mock-functions- for-hipl- unit-tests
> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>
>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>> @@ -253,7 +256,7 @@
>>>>
>>>> -test_check_
>>>> +test_check_
>>>
>>> We have solved this differently elsewhere by #including the .c file to
>>> unit-test static functions.
>>
>> This has been discussed previously on the list:
>> http://
>
> But we currently don't favor that solution. If that needs changing,
> it's a topic for a separate merge request and would need to be changed
> in all places.
The change was necessary in order to comply with our unit-test for new code policy as unit-tests would otherwise not link correctly. The only other option I see right now is to merge the code without unit-tests.
>>>> - if (!hip_fw_ verify_ packet( common, tuple)) { midauth_ verify_ challenge( ctx, other_dir- >midauth_ nonce)) { conntrack. c does not use the same semantics for return
>>>> + if (!hipfw_
>>>> + HIP_ERROR("failed to verify midauth challenge\n");
>>>> + return 0;
>>>> + }
>>>
>>> 0 is returned in case of error?
>>
>> Yes, firewall/
>> values compared to the rest of the code.
>
> Then fix conntrack.c and don't make the code consistently inconsistent,
> cf. the boyscout rule.
This would further increase the (already huge) merge request. It's definitely out of focus of this branch.
>>>> --- firewall/firewall.c 2011-08-16 07:49:25 +0000 conntrack. h" control. h" defines. h"
>>>> +++ firewall/firewall.c 2011-10-19 13:13:48 +0000
>>>> @@ -76,12 +76,13 @@
>>>> #include "lib/core/prefix.h"
>>>> #include "lib/core/util.h"
>>>> #include "hipd/hipd.h"
>>>> -#include "config.h"
>>>> #include "cache.h"
>>>> #include "common_types.h"
>>>> +#include "config.h"
>>>> #include "conntrack.h"
>>>> #include "esp_prot_api.h"
>>>> #include "esp_prot_
>>>> +#include "firewall.h"
>>>> #include "firewall_
>>>> #include "firewall_
>>>> #include "helpers.h"
>>>> @@ -90,9 +91,9 @@
>>>> #include "pisa.h"
>>>> #include "port_bindings.h"
>>>> #include "reinject.h"
>>>> +#include "rewrite.h"
>>>> #include "rule_management.h"
>>>> #include "user_ipsec_api.h"
>>>> -#include "firewall.h"
>>>
>>> The ordering is actually done on purpose. config.h is not in the same
>>> directory, same as the other #includes with directory prefixes and
>>> firewall.h directly "belongs" to firewall.c, so it made sense at the
>>> time to put it last and list all dependencies before. I have this
>>> feeling in the back of my head that the latter solved some real issue.
>>
>> 'make alltests' runs successfully. So, what exactly is your suggestion?
>
> My suggestion is not to change the #include ordering.
If the order of the includes is relevant, then there probably is some other problem in the header files. Everything is compiling nicely now. So I don't know what kind of issue you are talking about. How should header files generally be ordered in your opinion?
>>>> @@ -74,6 +81,8 @@ firewall_ defines. h DEFAULT_ NONCE_LENGTH) . This helps
>>>> int modified;
>>>> };
>>>>
>>>> +#include "midauth.h"
>>>
>>> Why the peculiar placement of this #include?
>>
>> There is a cyclic redundancy between firewall/midauth.h (requires
>> definition of struct hip_fw_context) and firewall/
>> (requires definition of MIDAUTH_
>> mitigating the problem.
>
> So fix the cyclic redundancy, don't add more workarounds.
I already tried moving the struct definition to firewall.h, but that only moved the problem somewhere else. The only solution I can see right now would be a file like firewall_defines2.h where I could move the struct. However, then I prefer the way it is implemented right now.
>>>> + if (!found) { "CHALLENGE_ RESPONSE found, but no matching nonce\n"); missing_ challenge_ response ? 1 : 0;
>>>> + HIP_ERROR(
>>>> + return ignore_
>>>> + }
>>>> +
>>>> + return found ? 1 : 0;
>>>
>>> You just checked found, no need to do it again.
>>
>> I guess that this has been done to ensure correct type conversion from
>> bool to int.
>
> Read the code again, it's nonsense, "found" is initialized once and
> never set again.
You're right. I removed it and changed it to
>>>> return ignore_ missing_ challenge_ response ? 1 : 0;
-- www.comsys. rwth-aachen. de/team/ rene-hummen/
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://