Merge lp:~midauth-pisa-devs/hipl/midauth-firewall into lp:hipl

 review needs-fixing

On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>
> For more details, see:
> https://code.launchpad.net/~midauth-pisa-devs/hipl/midauth-firewall/+merge/79811
>
> This branch re-implements the hipfw-related part of http://tools.ietf.org/html/draft-heer-hip-middle-auth-02.
>
> Short intro to HIP middlebox authentication:
> 1) The firewall intercepts R1, I2, U1 and U2 messages and adds a nonce that needs to be echoed back to the firewall by the respective end-host in the signed part of the reply. This enables the firewall to evaluate the freshness of the exchange.
> 2) In order to mitigate DoS attacks targeting the signature verification at the firewall, the nonce is additionally used as the input for a puzzle that the end-host needs to solve and send back to the firewall in the reply as well.
> --
> https://code.launchpad.net/~midauth-pisa-devs/hipl/midauth-firewall/+merge/79811
> Your team HIPL core team is requested to review the proposed merge of lp:~midauth-pisa-devs/hipl/midauth-firewall into lp:hipl.

> --- Makefile.am 2011-10-17 18:14:10 +0000
> +++ Makefile.am 2011-10-19 13:13:48 +0000
> @@ -253,7 +256,7 @@
>
> -test_check_firewall_LDFLAGS = -ldl
> +test_check_firewall_LDFLAGS = -ldl -z muldefs

We have solved this differently elsewhere by #including the .c file to
unit-test static functions.

> --- firewall/conntrack.c 2011-10-19 09:51:41 +0000
> +++ firewall/conntrack.c 2011-10-19 13:13:48 +0000
> @@ -998,7 +998,7 @@
> *
> * @param common the hip packet to be verified
> * @param tuple the corresponding connection tuple
> - * @return 1 for valid packets, 0 otherwise
> + * @return 0 for valid packets, 1 otherwise
> */
> static int hip_fw_verify_packet(struct hip_common *const common,
> const struct tuple *const tuple)

This looks like a change that could be separated.

> @@ -1526,14 +1565,28 @@
>
> } else if (esp_info && seq && ack) {
> - if (!tuple) {
> + if (tuple && tuple->direction == ORIGINAL_DIR) {
> + other_dir = &tuple->connection->reply;
> + } else if (tuple) {
> + other_dir = &tuple->connection->original;
> + } else {
> HIP_ERROR("Insufficient stored state to process UPDATE\n");
> return 0;
> }

tuple is checked twice.

> - if (!hip_fw_verify_packet(common, tuple)) {
> + if (!hipfw_midauth_verify_challenge(ctx, other_dir->midauth_nonce)) {
> + HIP_ERROR("failed to verify midauth challenge\n");
> + return 0;
> + }

0 is returned in case of error?

> @@ -1543,14 +1596,29 @@
> } else if (ack) {
> - if (!tuple) {
> + if (tuple && tuple->direction == ORIGINAL_DIR) {
> + other_dir = &tuple->connection->reply;
> + } else if (tuple) {
> + other_dir = &tuple->connection->original;
> + } else {
> HIP_ERROR("Insufficient stored state to process UPDATE\n");
> return 0;
> }

another redundant check

Oh, this code seems to be completely duplicated.

> @@ -1842,7 +1910,7 @@
>
> -#ifdef CONFIG_HIP_MIDAUTH
...

On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
> On 20.10.2011, at 14:15, Diego Biurrun wrote:
> > On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
> >
> >> --- Makefile.am 2011-10-17 18:14:10 +0000
> >> +++ Makefile.am 2011-10-19 13:13:48 +0000
> >> @@ -253,7 +256,7 @@
> >>
> >> -test_check_firewall_LDFLAGS = -ldl
> >> +test_check_firewall_LDFLAGS = -ldl -z muldefs
> >
> > We have solved this differently elsewhere by #including the .c file to
> > unit-test static functions.
>
> This has been discussed previously on the list:
> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests

But we currently don't favor that solution. If that needs changing,
it's a topic for a separate merge request and would need to be changed
in all places.

> >> @@ -1526,14 +1565,28 @@
> >>
> >> } else if (esp_info && seq && ack) {
> >> - if (!tuple) {
> >> + if (tuple && tuple->direction == ORIGINAL_DIR) {
> >> + other_dir = &tuple->connection->reply;
> >> + } else if (tuple) {
> >> + other_dir = &tuple->connection->original;
> >> + } else {
> >> HIP_ERROR("Insufficient stored state to process UPDATE\n");
> >> return 0;
> >> }
> >
> > tuple is checked twice.
>
> Yes, but I need to be sure that tuple exists when accessing its
> members in the body of the else if.

So? That does not imply you need to check "tuple" twice, just nest the
ifs, witness:

  if (tuple) {
      if (tuple->direction == ORIGINAL_DIR) {
          other_dir = &tuple->connection->reply;
      } else {
          other_dir = &tuple->connection->original;
  } else {
     HIP_ERROR("Insufficient stored state to process UPDATE\n");
     return 0;
 }

> >> - if (!hip_fw_verify_packet(common, tuple)) {
> >> + if (!hipfw_midauth_verify_challenge(ctx, other_dir->midauth_nonce)) {
> >> + HIP_ERROR("failed to verify midauth challenge\n");
> >> + return 0;
> >> + }
> >
> > 0 is returned in case of error?
>
> Yes, firewall/conntrack.c does not use the same semantics for return
> values compared to the rest of the code.

Then fix conntrack.c and don't make the code consistently inconsistent,
cf. the boyscout rule.

> >> @@ -1543,14 +1596,29 @@
> >> } else if (ack) {
> >> - if (!tuple) {
> >> + if (tuple && tuple->direction == ORIGINAL_DIR) {
> >> + other_dir = &tuple->connection->reply;
> >> + } else if (tuple) {
> >> + other_dir = &tuple->connection->original;
> >> + } else {
> >> HIP_ERROR("Insufficient stored state to process UPDATE\n");
> >> return 0;
> >> }
> >
> > another redundant check
> >
> > Oh, this code seems to be completely duplicated.
>
> Yes, but I didn't see the need for a new function as this code is
> specific for updates and only used twice.

There is no such thing as "only" used twice, code duplication
is code duplication is code duplication :)

> >> --- firewall/firewall.c 2011-08-16 07:49:25 +0000
> >> +++ firewall/firewall.c 2011-10-19 13:13:48 +0000
> >> @@ -76,12 +76,13 @@
> >> #include "lib...

On 25.10.2011, at 15:24, Diego Biurrun wrote:
> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>
>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>> @@ -253,7 +256,7 @@
>>>>
>>>> -test_check_firewall_LDFLAGS = -ldl
>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
>>>
>>> We have solved this differently elsewhere by #including the .c file to
>>> unit-test static functions.
>>
>> This has been discussed previously on the list:
>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
>
> But we currently don't favor that solution. If that needs changing,
> it's a topic for a separate merge request and would need to be changed
> in all places.

The change was necessary in order to comply with our unit-test for new code policy as unit-tests would otherwise not link correctly. The only other option I see right now is to merge the code without unit-tests.

>>>> - if (!hip_fw_verify_packet(common, tuple)) {
>>>> + if (!hipfw_midauth_verify_challenge(ctx, other_dir->midauth_nonce)) {
>>>> + HIP_ERROR("failed to verify midauth challenge\n");
>>>> + return 0;
>>>> + }
>>>
>>> 0 is returned in case of error?
>>
>> Yes, firewall/conntrack.c does not use the same semantics for return
>> values compared to the rest of the code.
>
> Then fix conntrack.c and don't make the code consistently inconsistent,
> cf. the boyscout rule.

This would further increase the (already huge) merge request. It's definitely out of focus of this branch.

>>>> --- firewall/firewall.c 2011-08-16 07:49:25 +0000
>>>> +++ firewall/firewall.c 2011-10-19 13:13:48 +0000
>>>> @@ -76,12 +76,13 @@
>>>> #include "lib/core/prefix.h"
>>>> #include "lib/core/util.h"
>>>> #include "hipd/hipd.h"
>>>> -#include "config.h"
>>>> #include "cache.h"
>>>> #include "common_types.h"
>>>> +#include "config.h"
>>>> #include "conntrack.h"
>>>> #include "esp_prot_api.h"
>>>> #include "esp_prot_conntrack.h"
>>>> +#include "firewall.h"
>>>> #include "firewall_control.h"
>>>> #include "firewall_defines.h"
>>>> #include "helpers.h"
>>>> @@ -90,9 +91,9 @@
>>>> #include "pisa.h"
>>>> #include "port_bindings.h"
>>>> #include "reinject.h"
>>>> +#include "rewrite.h"
>>>> #include "rule_management.h"
>>>> #include "user_ipsec_api.h"
>>>> -#include "firewall.h"
>>>
>>> The ordering is actually done on purpose. config.h is not in the same
>>> directory, same as the other #includes with directory prefixes and
>>> firewall.h directly "belongs" to firewall.c, so it made sense at the
>>> time to put it last and list all dependencies before. I have this
>>> feeling in the back of my head that the latter solved some real issue.
>>
>> 'make alltests' runs successfully. So, what exactly is your suggestion?
>
> My suggestion is not to change the #include ordering.

If the order of the includes is relevant, then there probably is some other problem in the header files. Everything is compiling nicely now. So I don't know what kind of issue you are tal...

On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
> On 25.10.2011, at 15:24, Diego Biurrun wrote:
> > On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
> >> On 20.10.2011, at 14:15, Diego Biurrun wrote:
> >>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
> >>>
> >>>> --- Makefile.am 2011-10-17 18:14:10 +0000
> >>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
> >>>> @@ -253,7 +256,7 @@
> >>>>
> >>>> -test_check_firewall_LDFLAGS = -ldl
> >>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
> >>>
> >>> We have solved this differently elsewhere by #including the .c file to
> >>> unit-test static functions.
> >>
> >> This has been discussed previously on the list:
> >> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
> >
> > But we currently don't favor that solution. If that needs changing,
> > it's a topic for a separate merge request and would need to be changed
> > in all places.
>
> The change was necessary in order to comply with our unit-test for new
> code policy as unit-tests would otherwise not link correctly. The only
> other option I see right now is to merge the code without unit-tests.

No, the change is not necessary. As I said before, we have solved this
differently elsewhere by #including the .c file to unit-test static
functions. Changing this is outside the scope of this merge request
and it is not at all clear that a GNU-specific linker flag is the
better solution.

> >>>> - if (!hip_fw_verify_packet(common, tuple)) {
> >>>> + if (!hipfw_midauth_verify_challenge(ctx, other_dir->midauth_nonce)) {
> >>>> + HIP_ERROR("failed to verify midauth challenge\n");
> >>>> + return 0;
> >>>> + }
> >>>
> >>> 0 is returned in case of error?
> >>
> >> Yes, firewall/conntrack.c does not use the same semantics for return
> >> values compared to the rest of the code.
> >
> > Then fix conntrack.c and don't make the code consistently inconsistent,
> > cf. the boyscout rule.
>
> This would further increase the (already huge) merge request. It's
> definitely out of focus of this branch.

Nobody claims it has to be done as part of this merge request; it's
easy enough to fix separately. If you are worried about the size of
this merge request, that's all the more reason not to make unrelated
changes to conntrack.c.

> >>>> --- firewall/firewall.c 2011-08-16 07:49:25 +0000
> >>>> +++ firewall/firewall.c 2011-10-19 13:13:48 +0000
> >>>> @@ -76,12 +76,13 @@
> >>>> #include "lib/core/prefix.h"
> >>>> #include "lib/core/util.h"
> >>>> #include "hipd/hipd.h"
> >>>> -#include "config.h"
> >>>> #include "cache.h"
> >>>> #include "common_types.h"
> >>>> +#include "config.h"
> >>>> #include "conntrack.h"
> >>>> #include "esp_prot_api.h"
> >>>> #include "esp_prot_conntrack.h"
> >>>> +#include "firewall.h"
> >>>> #include "firewall_control.h"
> >>>> #include "firewall_defines.h"
> >>>> #include "helpers.h"
> >>>> @@ -90,9 +91,9 @@
> >>>> #include "pisa.h"
> >>>> #include "port_bindings.h"
> >>>> #include "reinject.h"
> >>>> +#include "rewrite.h"
> >>>> #include "rule_management.h"
> >>>> #include "user_ipsec_api.h"
> >>>> -#i...

On 25.10.2011 16:35, René Hummen wrote:
>>>>> + if (!found) {
>>>>> + HIP_ERROR("CHALLENGE_RESPONSE found, but no matching nonce\n");
>>>>> + return ignore_missing_challenge_response ? 1 : 0;
>>>>> + }
>>>>> +
>>>>> + return found ? 1 : 0;
>>>>
>>>> You just checked found, no need to do it again.
>>>
>>> I guess that this has been done to ensure correct type conversion from
>>> bool to int.
>>
>> Read the code again, it's nonsense, "found" is initialized once and
>> never set again.
>
> You're right. I removed it and changed it to
>
>>>>> return ignore_missing_challenge_response ? 1 : 0;

This doesn't look correct... you signal failure even though the
CHALLENGE_RESPONSE was found? I think Diego meant to simply write

return 1;

Because we know that found is true at this point.

On 25.10.2011 23:02, Diego Biurrun wrote:
> On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
>> On 25.10.2011, at 15:24, Diego Biurrun wrote:
>>> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>>>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>>>
>>>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>>>> @@ -253,7 +256,7 @@
>>>>>>
>>>>>> -test_check_firewall_LDFLAGS = -ldl
>>>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
>>>>>
>>>>> We have solved this differently elsewhere by #including the .c file to
>>>>> unit-test static functions.
>>>>
>>>> This has been discussed previously on the list:
>>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
>>>
>>> But we currently don't favor that solution. If that needs changing,
>>> it's a topic for a separate merge request and would need to be changed
>>> in all places.
>>
>> The change was necessary in order to comply with our unit-test for new
>> code policy as unit-tests would otherwise not link correctly. The only
>> other option I see right now is to merge the code without unit-tests.
>
> No, the change is not necessary. As I said before, we have solved
> this differently elsewhere by #including the .c file to unit-test
> static functions.

Including the .c file allows you to access static identifiers in unit
tests, but the libipq problem (see referenced thread) is a different one.
Apparently, Hendrik already tried to mimic the other (working) tests
already without success.

> Changing this is outside the scope of this merge request and it is not
> at all clear that a GNU-specific linker flag is the better solution.

I'd really appreciate a hint... the best I could come up with was the
LD_PRELOAD solution (see referenced thread), which AFAIK was invented
for cases like these: The need to intercept library calls.

You'd have to build a separate shared object to be linked with the tests
at runtime though, which is no rocket science but would require changes
and debugging in the build system nevertheless.

If anybody is willing to implement it anyway, I'd happily elaborate on
that idea as it would allow us to constrain the mock functions to those
tests actually using them.

On Tue, Oct 25, 2011 at 11:43:43PM +0200, Christof Mroz wrote:
> On 25.10.2011 23:02, Diego Biurrun wrote:
> >On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
> >>On 25.10.2011, at 15:24, Diego Biurrun wrote:
> >>>On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
> >>>>On 20.10.2011, at 14:15, Diego Biurrun wrote:
> >>>>>On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
> >>>>>
> >>>>>>--- Makefile.am 2011-10-17 18:14:10 +0000
> >>>>>>+++ Makefile.am 2011-10-19 13:13:48 +0000
> >>>>>>@@ -253,7 +256,7 @@
> >>>>>>
> >>>>>>-test_check_firewall_LDFLAGS = -ldl
> >>>>>>+test_check_firewall_LDFLAGS = -ldl -z muldefs
> >>>>>
> >>>>>We have solved this differently elsewhere by #including the .c file to
> >>>>>unit-test static functions.
> >>>>
> >>>>This has been discussed previously on the list:
> >>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
> >>>
> >>>But we currently don't favor that solution. If that needs changing,
> >>>it's a topic for a separate merge request and would need to be changed
> >>>in all places.
> >>
> >>The change was necessary in order to comply with our unit-test for new
> >>code policy as unit-tests would otherwise not link correctly. The only
> >>other option I see right now is to merge the code without unit-tests.
> >
> >No, the change is not necessary. As I said before, we have solved
> >this differently elsewhere by #including the .c file to unit-test
> >static functions.
>
> Including the .c file allows you to access static identifiers in
> unit tests, but the libipq problem (see referenced thread) is a
> different one.
> Apparently, Hendrik already tried to mimic the other (working) tests
> already without success.

I'd like to know what is failing exactly and how before making
a judgement here.

Diego

Forgot to CC launchpad.

-------- Original Message --------
Subject: [hipl-dev] Re: [Merge]
lp:~midauth-pisa-devs/hipl/midauth-firewall into lp:hipl
Date: Wed, 26 Oct 2011 23:16:18 +0200
From: Christof Mroz <email address hidden>
Reply-To: <email address hidden>
To: <email address hidden>

On 26.10.2011 22:57, Diego Biurrun wrote:
> On Tue, Oct 25, 2011 at 11:43:43PM +0200, Christof Mroz wrote:
>> On 25.10.2011 23:02, Diego Biurrun wrote:
>>> On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
>>>> On 25.10.2011, at 15:24, Diego Biurrun wrote:
>>>>> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>>>>>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>>>>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>>>>>
>>>>>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>>>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>>>>>> @@ -253,7 +256,7 @@
>>>>>>>>
>>>>>>>> -test_check_firewall_LDFLAGS = -ldl
>>>>>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
>>>>>>>
>>>>>>> We have solved this differently elsewhere by #including the .c file to
>>>>>>> unit-test static functions.
>>>>>>
>>>>>> This has been discussed previously on the list:
>>>>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
>>>>>
>>>>> But we currently don't favor that solution. If that needs changing,
>>>>> it's a topic for a separate merge request and would need to be changed
>>>>> in all places.
>>>>
>>>> The change was necessary in order to comply with our unit-test for new
>>>> code policy as unit-tests would otherwise not link correctly. The only
>>>> other option I see right now is to merge the code without unit-tests.
>>>
>>> No, the change is not necessary. As I said before, we have solved
>>> this differently elsewhere by #including the .c file to unit-test
>>> static functions.
>>
>> Including the .c file allows you to access static identifiers in
>> unit tests, but the libipq problem (see referenced thread) is a
>> different one.
>> Apparently, Hendrik already tried to mimic the other (working) tests
>> already without success.
>
> I'd like to know what is failing exactly and how before making
> a judgement here.

See the referenced thread for details, but essentially we need to mock
ipq_get_packet() which is usually provided by linking -lipq.
Strangely, while our usual approach (simply exporting a function with
exact same signature in an object file) works for libc, it does fail
with a "multiple definition" error for explicitly linked-in libs like
libipq.
Making libipq just as "magic" as libc would solve the problem, if that's
possible.

On Sat, Oct 22, 2011 at 02:44:31PM +0200, Christof Mroz wrote:
> On 22.10.2011 13:36, Diego Biurrun wrote:
> >>>>+static void *rebase(const void *const field,
> >>>>+ const void *const old,
> >>>>+ void *const new)
> >>>>+{
> >>>>+ return (char *) new + ((const char *) field - (const char *) old);
> >>>
> >>>pointless parentheses
> >>
> >>(field - old) is usually a low "number", if we treat pointers
> >>numerically, while (new + field) is usually big. Could even be
> >>bigger than the machine pointer size, especially considering the
> >>gamut of devices we support. Are you sure the compiler will do the
> >>right thing here if we drop the parentheses?
> >
> >I do not believe that parentheses work in the way you hope for here.
> >I would assume that the compiler is free to evaluate the operations
> >in arbitrary order. Have you verified that the behavior you seem to
> >be relying on is actually implemented like you expect?
>
> Good question. Admittedly I didn't know about the details so far
> either, so I dug around a bit and Example 6 in section 5.1.2.3 of
> [1] (page 15) seems to answer our question. It states:
> >On a machine in which overflow silently generates some value and where
> >positive and negative overflows cancel, the above expression statement
> >can be rewritten by the implementation in any of the above ways
> >because the same result will occur.
> This is the case on x86 for example, meaning that we could safely
> overflow around as long as we don't care about the bits outside our
> machine word, on this platform. I can show an example if you don't
> believe me.
>
> On the other hand, it is stated that (in reference to an example
> involving addition/subtraction):
> >On a machine in which overflows produce an explicit trap and in which
> >the range of values representable by an int is [32768, +32767], the
> >implementation cannot rewrite this expression as [...]
> So by keeping the parentheses, we can ensure that our code runs on
> this kind of platform too, right?
>
> [1] http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1256.pdf

The standard is quoted - we're taking this to a whole new level :)

I would suggest a comment to explain the parentheses in this case.
Very few people working on HIPL will be aware of why they might be
needed.

> >>>>+ while ((current = hip_get_next_param_readwrite(hip, current))) {
> >>>>+ if (hip_get_param_type(current)>= param_type) {
> >>>>+ uint8_t *const splice = (uint8_t *const) current;
> >>>>+
> >>>>+ memmove(splice + param_len, splice, end - splice);
> >>>>+ out = splice;
> >>>>+ break;
> >>>
> >>>The splice variable looks unnecessary.
> >>
> >>Personally, I found the number of casts distracting.
> >
> >If I did not misread the code, then no casts should be necessary.
>
> It's true that memmove() accepts void*, but current must be
> re-interpreted as a uint8_t buffer for the pointer arithmetic to
> work correctly (since param_len is given as a byte count).

Whatever you prefer then.

Diego

On Wed, Oct 26, 2011 at 11:16:18PM +0200, Christof Mroz wrote:
> On 26.10.2011 22:57, Diego Biurrun wrote:
> >On Tue, Oct 25, 2011 at 11:43:43PM +0200, Christof Mroz wrote:
> >>On 25.10.2011 23:02, Diego Biurrun wrote:
> >>>On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
> >>>>On 25.10.2011, at 15:24, Diego Biurrun wrote:
> >>>>>On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
> >>>>>>On 20.10.2011, at 14:15, Diego Biurrun wrote:
> >>>>>>>On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
> >>>>>>>
> >>>>>>>>--- Makefile.am 2011-10-17 18:14:10 +0000
> >>>>>>>>+++ Makefile.am 2011-10-19 13:13:48 +0000
> >>>>>>>>@@ -253,7 +256,7 @@
> >>>>>>>>
> >>>>>>>>-test_check_firewall_LDFLAGS = -ldl
> >>>>>>>>+test_check_firewall_LDFLAGS = -ldl -z muldefs
> >>>>>>>
> >>>>>>>We have solved this differently elsewhere by #including the .c file to
> >>>>>>>unit-test static functions.
> >>>>>>
> >>>>>>This has been discussed previously on the list:
> >>>>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
> >>>>>
> >>>>>But we currently don't favor that solution. If that needs changing,
> >>>>>it's a topic for a separate merge request and would need to be changed
> >>>>>in all places.
> >>>>
> >>>>The change was necessary in order to comply with our unit-test for new
> >>>>code policy as unit-tests would otherwise not link correctly. The only
> >>>>other option I see right now is to merge the code without unit-tests.
> >>>
> >>>No, the change is not necessary. As I said before, we have solved
> >>>this differently elsewhere by #including the .c file to unit-test
> >>>static functions.
> >>
> >>Including the .c file allows you to access static identifiers in
> >>unit tests, but the libipq problem (see referenced thread) is a
> >>different one.
> >>Apparently, Hendrik already tried to mimic the other (working) tests
> >>already without success.
> >
> >I'd like to know what is failing exactly and how before making
> >a judgement here.
>
> See the referenced thread for details, but essentially we need to
> mock ipq_get_packet() which is usually provided by linking -lipq.

What I don't get is the reason why we need to mock that function
in the first place. Probably I am missing something totally
obvious.

Diego

On 27.10.2011 00:20, Diego Biurrun wrote:
>> See the referenced thread for details, but essentially we need to
>> mock ipq_get_packet() which is usually provided by linking -lipq.
>
> What I don't get is the reason why we need to mock that function
> in the first place. Probably I am missing something totally
> obvious.

Looking at the patch and judging from my memory, I think it's called by
hipfw_init_context().
On the one hand, much of the firewall code makes heavy direct use of ipq
structures (they're even part of the context structure itself), but now
that you mention it... maybe hipfw_init_context() could still be split
into two functions such that you can just hand it a fake ipq_packet pointer.
What do you think, René?

This would just postpone a more general problem of course, but maybe I
can look into it more thoroughly when the lectures are over.

Begin forwarded message:
> From: René Hummen <email address hidden>
> Date: 2. November 2011 17:57:02 MEZ
> To: <email address hidden>
> Subject: Re: [hipl-dev] Re: [Merge] lp:~midauth-pisa-devs/hipl/midauth-firewall into lp:hipl
>
> On 25.10.2011, at 23:15, Christof Mroz wrote:
>> On 25.10.2011 16:35, René Hummen wrote:
>>>>>>> + if (!found) {
>>>>>>> + HIP_ERROR("CHALLENGE_RESPONSE found, but no matching nonce\n");
>>>>>>> + return ignore_missing_challenge_response ? 1 : 0;
>>>>>>> + }
>>>>>>> +
>>>>>>> + return found ? 1 : 0;
>>>>>>
>>>>>> You just checked found, no need to do it again.
>>>>>
>>>>> I guess that this has been done to ensure correct type conversion from
>>>>> bool to int.
>>>>
>>>> Read the code again, it's nonsense, "found" is initialized once and
>>>> never set again.
>>>
>>> You're right. I removed it and changed it to
>>>
>>>>>>> return ignore_missing_challenge_response ? 1 : 0;
>>
>> This doesn't look correct... you signal failure even though the CHALLENGE_RESPONSE was found? I think Diego meant to simply write
>>
>> return 1;
>>
>> Because we know that found is true at this point.
>
> found was always false before I removed the variable. Hence, !found evaluates to true. As this would be the path that the original code would follow, I decided to mimic it. Furthermore, if a correct response is found the while loop returns to the caller.

Begin forwarded message:
> From: René Hummen <email address hidden>
> Date: 2. November 2011 18:44:49 MEZ
> To: <email address hidden>
> Subject: Re: [hipl-dev] Re: [Merge] lp:~midauth-pisa-devs/hipl/midauth-firewall into lp:hipl
>
> On 27.10.2011, at 00:50, Christof Mroz wrote:
>> On 27.10.2011 00:20, Diego Biurrun wrote:
>>>> See the referenced thread for details, but essentially we need to
>>>> mock ipq_get_packet() which is usually provided by linking -lipq.
>>>
>>> What I don't get is the reason why we need to mock that function
>>> in the first place. Probably I am missing something totally
>>> obvious.
>>
>> Looking at the patch and judging from my memory, I think it's called by hipfw_init_context().
>> On the one hand, much of the firewall code makes heavy direct use of ipq structures (they're even part of the context structure itself), but now that you mention it... maybe hipfw_init_context() could still be split into two functions such that you can just hand it a fake ipq_packet pointer.
>> What do you think, René?
>
> I already thought about splitting up the code when implementing the unit test. But then I realized that mocking of the ipq functionality actually worked and decided to keep hip_fw_init_context() as it is. It's no problem to split up functionality though. Just one thing: Does anybody have a simple way to convert HIP_HEXDUMP output to char values like "\x00\x30\xF9\x16\x00\x88\xFF\xFF\x00". Last time I did that manually and realized that this was a bad idea. It would be perfect if we could specify the line length of the converted output in order to prevent long lines. If we have such a script, it's definitely worth adding it to our repository.
>
>> This would just postpone a more general problem of course, but maybe I can look into it more thoroughly when the lectures are over.
>
> Thanks, that would be great.

On 25.10.2011, at 23:04, Diego Biurrun wrote:
> On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
>> On 25.10.2011, at 15:24, Diego Biurrun wrote:
>>> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>>>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>
>>>>>> - if (!hip_fw_verify_packet(common, tuple)) {
>>>>>> + if (!hipfw_midauth_verify_challenge(ctx, other_dir->midauth_nonce)) {
>>>>>> + HIP_ERROR("failed to verify midauth challenge\n");
>>>>>> + return 0;
>>>>>> + }
>>>>>
>>>>> 0 is returned in case of error?
>>>>
>>>> Yes, firewall/conntrack.c does not use the same semantics for return
>>>> values compared to the rest of the code.
>>>
>>> Then fix conntrack.c and don't make the code consistently inconsistent,
>>> cf. the boyscout rule.
>>
>> This would further increase the (already huge) merge request. It's
>> definitely out of focus of this branch.
>
> Nobody claims it has to be done as part of this merge request; it's
> easy enough to fix separately. If you are worried about the size of
> this merge request, that's all the more reason not to make unrelated
> changes to conntrack.c.

I still changed the return values of hip_fw_verify_and_store_host_id() because some calling functions actually expect non-zero values in case of an error. So I either need to change the caller or the callee. I'll directly apply this change to trunk though.

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/

On 02.11.2011 18:44, René Hummen wrote:
> Just one thing: Does anybody have a simple way to convert HIP_HEXDUMP
> output to char values like "\x00\x30\xF9\x16\x00\x88\xFF\xFF\x00".
> Last time I did that manually and realized that this was a bad idea.
> It would be perfect if we could specify the line length of the
> converted output in order to prevent long lines. If we have such a
> script, it's definitely worth adding it to our repository.

It would probably be simpler if HIP_HEXDUMP could read e.g. an
environment variable which specifies the desired output format. Since it
affects the, debug build only it doesn't need to be documented to the
end user and such.

On 27.10.2011, at 00:53, Diego Biurrun wrote:
> On Wed, Oct 26, 2011 at 11:16:18PM +0200, Christof Mroz wrote:
>> On 26.10.2011 22:57, Diego Biurrun wrote:
>>> On Tue, Oct 25, 2011 at 11:43:43PM +0200, Christof Mroz wrote:
>>>> On 25.10.2011 23:02, Diego Biurrun wrote:
>>>>> On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
>>>>>> On 25.10.2011, at 15:24, Diego Biurrun wrote:
>>>>>>> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>>>>>>>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>>>>>>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>>>>>>>
>>>>>>>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>>>>>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>>>>>>>> @@ -253,7 +256,7 @@
>>>>>>>>>>
>>>>>>>>>> -test_check_firewall_LDFLAGS = -ldl
>>>>>>>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
>>>>>>>>>
>>>>>>>>> We have solved this differently elsewhere by #including the .c file to
>>>>>>>>> unit-test static functions.
>>>>>>>>
>>>>>>>> This has been discussed previously on the list:
>>>>>>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
>>>>>>>
>>>>>>> But we currently don't favor that solution. If that needs changing,
>>>>>>> it's a topic for a separate merge request and would need to be changed
>>>>>>> in all places.
>>>>>>
>>>>>> The change was necessary in order to comply with our unit-test for new
>>>>>> code policy as unit-tests would otherwise not link correctly. The only
>>>>>> other option I see right now is to merge the code without unit-tests.
>>>>>
>>>>> No, the change is not necessary. As I said before, we have solved
>>>>> this differently elsewhere by #including the .c file to unit-test
>>>>> static functions.
>>>>
>>>> Including the .c file allows you to access static identifiers in
>>>> unit tests, but the libipq problem (see referenced thread) is a
>>>> different one.
>>>> Apparently, Hendrik already tried to mimic the other (working) tests
>>>> already without success.
>>>
>>> I'd like to know what is failing exactly and how before making
>>> a judgement here.
>>
>> See the referenced thread for details, but essentially we need to
>> mock ipq_get_packet() which is usually provided by linking -lipq.
>
> What I don't get is the reason why we need to mock that function
> in the first place. Probably I am missing something totally
> obvious.

We are calling fw_init_context() to derive a firewall context structure of an inbound HIP packet for unit-tests of midauth and rewrite functionality. fw_init_context() in turn calls ipq_get_packet(). The linker will complain about multiple definitions of ipq_get_packet() when compiling the unit tests with mocking of ipq_get_packet(). While this has not been a problem for other library functions so far, libipq behaves differently for some reason.

Anyway, I tried splitting up fw_init_context() into one function that calls ipq_get_packet() and another function that implements the setup of the firewall context struct - fw_setup_context(). This fixes the need for mocking ipq_get_packet(), so there should be no need for -z muldefs in the Makefile any more. However, now I am running ...

On Tue, Nov 08, 2011 at 06:49:23PM +0000, René Hummen wrote:
> On 27.10.2011, at 00:53, Diego Biurrun wrote:
> > On Wed, Oct 26, 2011 at 11:16:18PM +0200, Christof Mroz wrote:
> >> On 26.10.2011 22:57, Diego Biurrun wrote:
> >>> On Tue, Oct 25, 2011 at 11:43:43PM +0200, Christof Mroz wrote:
> >>>> On 25.10.2011 23:02, Diego Biurrun wrote:
> >>>>> On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
> >>>>>> On 25.10.2011, at 15:24, Diego Biurrun wrote:
> >>>>>>> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
> >>>>>>>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
> >>>>>>>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
> >>>>>>>>>
> >>>>>>>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
> >>>>>>>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
> >>>>>>>>>> @@ -253,7 +256,7 @@
> >>>>>>>>>>
> >>>>>>>>>> -test_check_firewall_LDFLAGS = -ldl
> >>>>>>>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
> >>>>>>>>>
> >>>>>>>>> We have solved this differently elsewhere by #including the .c file to
> >>>>>>>>> unit-test static functions.
> >>>>>>>>
> >>>>>>>> This has been discussed previously on the list:
> >>>>>>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
> >>>>>>>
> >>>>>>> But we currently don't favor that solution. If that needs changing,
> >>>>>>> it's a topic for a separate merge request and would need to be changed
> >>>>>>> in all places.
> >>>>>>
> >>>>>> The change was necessary in order to comply with our unit-test for new
> >>>>>> code policy as unit-tests would otherwise not link correctly. The only
> >>>>>> other option I see right now is to merge the code without unit-tests.
> >>>>>
> >>>>> No, the change is not necessary. As I said before, we have solved
> >>>>> this differently elsewhere by #including the .c file to unit-test
> >>>>> static functions.
> >>>>
> >>>> Including the .c file allows you to access static identifiers in
> >>>> unit tests, but the libipq problem (see referenced thread) is a
> >>>> different one.
> >>>> Apparently, Hendrik already tried to mimic the other (working) tests
> >>>> already without success.
> >>>
> >>> I'd like to know what is failing exactly and how before making
> >>> a judgement here.
> >>
> >> See the referenced thread for details, but essentially we need to
> >> mock ipq_get_packet() which is usually provided by linking -lipq.
> >
> > What I don't get is the reason why we need to mock that function
> > in the first place. Probably I am missing something totally
> > obvious.
>
> We are calling fw_init_context() to derive a firewall context
> structure of an inbound HIP packet for unit-tests of midauth
> and rewrite functionality. fw_init_context() in turn calls
> ipq_get_packet(). The linker will complain about multiple definitions
> of ipq_get_packet() when compiling the unit tests with mocking of
> ipq_get_packet(). While this has not been a problem for other library
> functions so far, libipq behaves differently for some reason.
>
> Anyway, I tried splitting up fw_init_context() into one function that
> calls ipq_get_packet() and another function that implements the setup
> of the firew...

Hi,

On 08/11/11 20:49, René Hummen wrote:
> On 27.10.2011, at 00:53, Diego Biurrun wrote:
>> On Wed, Oct 26, 2011 at 11:16:18PM +0200, Christof Mroz wrote:
>>> On 26.10.2011 22:57, Diego Biurrun wrote:
>>>> On Tue, Oct 25, 2011 at 11:43:43PM +0200, Christof Mroz wrote:
>>>>> On 25.10.2011 23:02, Diego Biurrun wrote:
>>>>>> On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
>>>>>>> On 25.10.2011, at 15:24, Diego Biurrun wrote:
>>>>>>>> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>>>>>>>>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>>>>>>>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>>>>>>>>
>>>>>>>>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>>>>>>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>>>>>>>>> @@ -253,7 +256,7 @@
>>>>>>>>>>>
>>>>>>>>>>> -test_check_firewall_LDFLAGS = -ldl
>>>>>>>>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
>>>>>>>>>>
>>>>>>>>>> We have solved this differently elsewhere by #including the .c file to
>>>>>>>>>> unit-test static functions.
>>>>>>>>>
>>>>>>>>> This has been discussed previously on the list:
>>>>>>>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
>>>>>>>>
>>>>>>>> But we currently don't favor that solution. If that needs changing,
>>>>>>>> it's a topic for a separate merge request and would need to be changed
>>>>>>>> in all places.
>>>>>>>
>>>>>>> The change was necessary in order to comply with our unit-test for new
>>>>>>> code policy as unit-tests would otherwise not link correctly. The only
>>>>>>> other option I see right now is to merge the code without unit-tests.
>>>>>>
>>>>>> No, the change is not necessary. As I said before, we have solved
>>>>>> this differently elsewhere by #including the .c file to unit-test
>>>>>> static functions.
>>>>>
>>>>> Including the .c file allows you to access static identifiers in
>>>>> unit tests, but the libipq problem (see referenced thread) is a
>>>>> different one.
>>>>> Apparently, Hendrik already tried to mimic the other (working) tests
>>>>> already without success.
>>>>
>>>> I'd like to know what is failing exactly and how before making
>>>> a judgement here.
>>>
>>> See the referenced thread for details, but essentially we need to
>>> mock ipq_get_packet() which is usually provided by linking -lipq.
>>
>> What I don't get is the reason why we need to mock that function
>> in the first place. Probably I am missing something totally
>> obvious.
>
> We are calling fw_init_context() to derive a firewall context structure of an inbound HIP packet for unit-tests of midauth and rewrite functionality. fw_init_context() in turn calls ipq_get_packet(). The linker will complain about multiple definitions of ipq_get_packet() when compiling the unit tests with mocking of ipq_get_packet(). While this has not been a problem for other library functions so far, libipq behaves differently for some reason.
>
> Anyway, I tried splitting up fw_init_context() into one function that calls ipq_get_packet() and another function that implements the setup of the firewall context struct - fw_setup_context(). This fixes the need for mocking ipq_get_packet(), so t...

Hi,

On 12/11/11 00:09, Miika Komu wrote:
> Hi,
>
> On 08/11/11 20:49, René Hummen wrote:
>> On 27.10.2011, at 00:53, Diego Biurrun wrote:
>>> On Wed, Oct 26, 2011 at 11:16:18PM +0200, Christof Mroz wrote:
>>>> On 26.10.2011 22:57, Diego Biurrun wrote:
>>>>> On Tue, Oct 25, 2011 at 11:43:43PM +0200, Christof Mroz wrote:
>>>>>> On 25.10.2011 23:02, Diego Biurrun wrote:
>>>>>>> On Tue, Oct 25, 2011 at 02:35:31PM +0000, René Hummen wrote:
>>>>>>>> On 25.10.2011, at 15:24, Diego Biurrun wrote:
>>>>>>>>> On Tue, Oct 25, 2011 at 02:28:06PM +0200, René Hummen wrote:
>>>>>>>>>> On 20.10.2011, at 14:15, Diego Biurrun wrote:
>>>>>>>>>>> On Wed, Oct 19, 2011 at 01:17:30PM +0000, René Hummen wrote:
>>>>>>>>>>>
>>>>>>>>>>>> --- Makefile.am 2011-10-17 18:14:10 +0000
>>>>>>>>>>>> +++ Makefile.am 2011-10-19 13:13:48 +0000
>>>>>>>>>>>> @@ -253,7 +256,7 @@
>>>>>>>>>>>>
>>>>>>>>>>>> -test_check_firewall_LDFLAGS = -ldl
>>>>>>>>>>>> +test_check_firewall_LDFLAGS = -ldl -z muldefs
>>>>>>>>>>>
>>>>>>>>>>> We have solved this differently elsewhere by #including the
>>>>>>>>>>> .c file to
>>>>>>>>>>> unit-test static functions.
>>>>>>>>>>
>>>>>>>>>> This has been discussed previously on the list:
>>>>>>>>>> http://www.freelists.org/post/hipl-dev/Mock-functions-for-hipl-unit-tests
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> But we currently don't favor that solution. If that needs
>>>>>>>>> changing,
>>>>>>>>> it's a topic for a separate merge request and would need to be
>>>>>>>>> changed
>>>>>>>>> in all places.
>>>>>>>>
>>>>>>>> The change was necessary in order to comply with our unit-test
>>>>>>>> for new
>>>>>>>> code policy as unit-tests would otherwise not link correctly.
>>>>>>>> The only
>>>>>>>> other option I see right now is to merge the code without
>>>>>>>> unit-tests.
>>>>>>>
>>>>>>> No, the change is not necessary. As I said before, we have solved
>>>>>>> this differently elsewhere by #including the .c file to unit-test
>>>>>>> static functions.
>>>>>>
>>>>>> Including the .c file allows you to access static identifiers in
>>>>>> unit tests, but the libipq problem (see referenced thread) is a
>>>>>> different one.
>>>>>> Apparently, Hendrik already tried to mimic the other (working) tests
>>>>>> already without success.
>>>>>
>>>>> I'd like to know what is failing exactly and how before making
>>>>> a judgement here.
>>>>
>>>> See the referenced thread for details, but essentially we need to
>>>> mock ipq_get_packet() which is usually provided by linking -lipq.
>>>
>>> What I don't get is the reason why we need to mock that function
>>> in the first place. Probably I am missing something totally
>>> obvious.
>>
>> We are calling fw_init_context() to derive a firewall context
>> structure of an inbound HIP packet for unit-tests of midauth and
>> rewrite functionality. fw_init_context() in turn calls
>> ipq_get_packet(). The linker will complain about multiple definitions
>> of ipq_get_packet() when compiling the unit tests with mocking of
>> ipq_get_packet(). While this has not been a problem for other library
>> functions so far, libipq behaves differently for some reason.
>>
>> Anyway, I tried splitting up fw_init_context() into one function that
>> calls ipq_get_...