Friday, December 25, 2015

Using Wireshark to analyze LTE traffic


Development - The Wireshark Wiki
https://wiki.wireshark.org/Development

Chapter 9. Packet dissection
https://www.wireshark.org/docs/wsdg_html_chunked/ChapterDissection.html
9.2. Adding a basic dissector
https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html

Creating Your Own Custom Wireshark Dissector - CodeProject
http://www.codeproject.com/Articles/19426/Creating-Your-Own-Custom-Wireshark-Dissector

6.2. Overview
https://www.wireshark.org/docs/wsdg_html_chunked/ChWorksOverview.html


6.4. Capture Files
https://www.wireshark.org/docs/wsdg_html_chunked/ChWorksCaptureFiles.html

HowToDissectAnything - The Wireshark Wiki
https://wiki.wireshark.org/HowToDissectAnything
User DLT (147~162)
od -Ax -tx1 -v /tmp/cnnheaders.txt | text2pcap -l 147 - httpresp.pcap
10.20. User DLTs protocol table
https://www.wireshark.org/docs/wsug_html_chunked/ChUserDLTsSection.html
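As an added example (not from this page or the Wireshark project), a pure-Python stand-in for the `od -Ax -tx1 -v ... | text2pcap -l 147` pipeline above: it collects the bytes of a hex dump and writes a pcap whose link type is DLT_USER0 (147), so the frame can be handed to any dissector through the User DLTs table. The HTTP response bytes in SAMPLE_DUMP are constructed.

```python
"""Write a pcap file with a user DLT from a hex dump (added example).

Equivalent of `od -Ax -tx1 -v file | text2pcap -l 147 - out.pcap`: every
dump line is "<offset> <byte> <byte> ...", all bytes become one frame, and
the frame is stored with link-layer type 147 (DLT_USER0) so Wireshark can
hand it to the dissector chosen in Edit -> Preferences -> Protocols -> DLT_USER.
"""
import struct
import time

DLT_USER0 = 147          # first of the 16 user DLTs (147..162)
PCAP_MAGIC = 0xA1B2C3D4  # written little-endian below

def parse_hexdump(text: str) -> bytes:
    """Collect bytes from od/text2pcap style lines: '<offset> xx xx ...'.

    Lines whose first column is not a hex offset are skipped, as text2pcap
    does; the trailing offset-only line that od prints contributes nothing.
    """
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            int(fields[0], 16)  # first column must be an offset
        except ValueError:
            continue
        out.extend(int(tok, 16) for tok in fields[1:])
    return bytes(out)

def pcap_bytes(frames, linktype=DLT_USER0, ts=0.0) -> bytes:
    """Serialize frames into a pcap (v2.4) with the given link type."""
    # magic, major, minor, thiszone, sigfigs, snaplen, network
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    body = b""
    for i, frame in enumerate(frames):
        t = ts + i  # one second apart, keeps the ordering visible in Wireshark
        sec, usec = int(t), int((t - int(t)) * 1_000_000)
        body += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return hdr + body

def hexdump_to_pcap(dump_text: str, path: str, linktype=DLT_USER0) -> int:
    """Write the dump as a single frame; return the number of payload bytes."""
    frame = parse_hexdump(dump_text)
    with open(path, "wb") as f:
        f.write(pcap_bytes([frame], linktype, time.time()))
    return len(frame)

# Constructed sample: an HTTP response header as printed by od -Ax -tx1 -v
SAMPLE_DUMP = """\
000000 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d
000010 0a 0d 0a
000013
"""

if __name__ == "__main__":
    n = hexdump_to_pcap(SAMPLE_DUMP, "httpresp.pcap")
    print(f"wrote {n} bytes as one DLT {DLT_USER0} frame")
```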

IttiAnalyzer < OpenAirInterface < Institut Eurecom TWiki
https://twiki.eurecom.fr/twiki/bin/view/OpenAirInterface/IttiAnalyzer
An example of LTE packet dissection can be found in oai_l2l3.pcap.
https://twiki.eurecom.fr/twiki/pub/OpenAirInterface/IttiAnalyzer/oai_l2l3.pcap

I was able to dissect oai_l2l3.pcap with Wireshark 1.10, but not 2.0.2.

[Edit] -> [Preferences] -> [Protocols] -> [UDP] -> Enable [Try heuristic sub-dissectors first]
All the other heuristic settings in mac-lte/rlc-lte/pdcp-lte have been removed.

But the UDP heuristic protocols are not enabled by default.
[Analyze] -> [Enabled Protocols] -> Enable:
  • MAC-LTE and mac_lte_udp
  • RLC and rlc_udp
  • RLC_LTE and rlc_lte_udp
  • PDCP-LTE and pdcp_lte_udp


Wireshark: Re: How to use lte_rrc in wireshark?
http://seclists.org/wireshark/2010/Feb/476

[Wireshark] Contents of /trunk/epan/dissectors/packet-pdcp-lte.c
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-pdcp-lte.c?revision=31661&view=markup

MAC-LTE - The Wireshark Wiki
https://wiki.wireshark.org/MAC-LTE

RLC-LTE - The Wireshark Wiki
https://wiki.wireshark.org/RLC-LTE

RLC - The Wireshark Wiki
https://wiki.wireshark.org/RLC

LTE RRC - The Wireshark Wiki
https://wiki.wireshark.org/LTE%20RRC

Wireshark解析MAC-LTE - 简书
http://www.jianshu.com/p/4f1991302d63


OpenAirInterface

OAI Objectives
http://www.openairinterface.org/docs/workshop/1_OAI_Workshop_20160122/OAI-obj2016.pdf

OAI License Model | OpenAirInterface
http://www.openairinterface.org/?page_id=101

OAI has
  • OAI soft UE (OpenAirInterface5G)
  • OAI soft eNB (OpenAirInterface5G)
  • OAI soft EPC (OpenairCN)
OpenAirInterface5G: https://gitlab.eurecom.fr/oai/openairinterface5g
OpenairCN: https://gitlab.eurecom.fr/oai/openair-cn

https://www.dropbox.com/home/oai5g_roadmap_seminar/session_1?preview=SYRTEM_ALCATEL_OAI_2nd_Workshop_%233L1-L2API_REV-.pdf
PHY-Openair1
MAC/RLC/PDCP: Openair2

https://gitlab.eurecom.fr/oai/openairinterface5g/blob/master/README.txt
├── openair1 : 3GPP LTE Rel-10 PHY layer + PHY RF simulation and a subset of Rel 12 Features.
├── openair2 :3GPP LTE Rel-10 RLC/MAC/PDCP/RRC/X2AP implementation. 
    ├── LAYER2/RLC/ with the following subdirectories: UM_v9.3.0, TM_v9.3.0, and AM_v9.3.0. 
    ├── LAYER2/PDCP/PDCP_v10.1.0. 
    ├── RRC/LITE
    ├── PHY_INTERFACE
    ├── X2AP
    ├── ENB_APP 
├── openair3: 3GPP LTE Rel10 for S1AP, NAS GTPV1-U for both ENB and UE.
    ├── GTPV1-U
    ├── NAS 
    ├── S1AP
    ├── SCTP
    ├── SECU
    ├── UDP
OpenAirInterface 5G Training
https://gitlab.eurecom.fr/oai/openairinterface5g/wikis/OpenAirDocumentation/Openair5GLab.pptx
openair2
https://gitlab.eurecom.fr/oai/openairinterface5g/wikis/OpenAir2CoreDev
https://gitlab.eurecom.fr/oai/openairinterface5g/wikis/OpenAir2CoreDev/oai_protocol_stack.png



ITTI: InterTask Interface

OpenAirInterface | 5G software alliance for democratising wireless innovation
http://www.openairinterface.org/

Getting Started | OpenAirInterface
http://www.openairinterface.org/?page_id=25

Home | Wiki | oai / openairinterface5G | GitLab
https://gitlab.eurecom.fr/oai/openairinterface5g/wikis/home
Openairusage | Wiki | oai / openairinterface5G | GitLab
https://gitlab.eurecom.fr/oai/openairinterface5g/wikis/OpenAirUsage

Towards Open Cellular Ecosystem | OpenAirInterface
http://www.openairinterface.org/?page_id=864

WebHome < OpenAirInterface < Institut Eurecom TWiki
https://twiki.eurecom.fr/twiki/bin/view/OpenAirInterface/WebHome

GetSources < OpenAirInterface < Institut Eurecom TWiki
https://twiki.eurecom.fr/twiki/bin/view/OpenAirInterface/GetSources

AutoBuild < OpenAirInterface < Institut Eurecom TWiki
https://twiki.eurecom.fr/twiki/bin/view/OpenAirInterface/AutoBuild

2nd OAI Workshop | OpenAirInterface
http://www.openairinterface.org/?page_id=1476

Meetingminutes | Wiki | oai / openairinterface5G | GitLab
https://gitlab.eurecom.fr/oai/openairinterface5g/wikis/MeetingMinutes

LTE spec

3GPP Releases
http://www.3gpp.org/specifications/67-releases

3GPP specification Release version matrix
http://www.3gpp.org/DynaReport/SpecReleaseMatrix.htm

Master Telecom Faster - Fast tracks into the LTE Specifications
http://www.mastertelecomfaster.com/index.php

Master LTE Faster - The SpecTool - LTE Protocols
http://www.masterltefaster.com/index.php

LTE/SAE Call Flow Diagrams @ GSM, SIP, H.323, ISUP and IMS Call Flows
http://www.eventhelix.com/realtimemantra/Telecom/#LTE_SAE_Call_Flow_Diagrams

Telecom • Networking • Software
http://www.eventhelix.com/RealtimeMantra/#.VnzvgjWkVC0

LTE (Long Term Evolution) Tutorials and Call Flows
http://www.eventhelix.com/lte/#.VnzxXDWkVC0

Networking Protocol Sequence Diagrams
http://www.eventhelix.com/Realtimemantra/Networking/#.VnzxQDWkVC2



PDCP
http://www.eventhelix.com/lte/presentations/3GPP-LTE-PDCP.pdf

Friday, December 11, 2015

Access SPI bus in u-boot and Linux


Serial Peripheral Interface Bus - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Serial_Peripheral_Interface_Bus

U-boot SPI test tool

Usage of the u-boot sspi command:

sspi - SPI utility command
Usage:
sspi [<bus>:]<cs>[.<mode>] <bit_len> <dout> - Send and receive bits
<bus> - Identifies the SPI bus
<cs> - Identifies the chip select
<mode> - Identifies the SPI mode to use
<bit_len> - Number of bits to send (base 10)
<dout> - Hexadecimal string that gets sent
<dout> is in hex but without the prefix "0x". All others are in decimal.

The following SPI mode flags are defined in u-boot/include/spi.h, but which of them work still depends on the modes the SPI controller/driver can handle:
/* SPI mode flags */
#define SPI_CPHA        0x01                    /* clock phase */
#define SPI_CPOL        0x02                    /* clock polarity */
#define SPI_MODE_0      (0|0)                   /* (original MicroWire) */
#define SPI_MODE_1      (0|SPI_CPHA)
#define SPI_MODE_2      (SPI_CPOL|0)
#define SPI_MODE_3      (SPI_CPOL|SPI_CPHA)
#define SPI_CS_HIGH     0x04                    /* CS active high */
#define SPI_LSB_FIRST   0x08                    /* per-word bits-on-wire */
#define SPI_3WIRE       0x10                    /* SI/SO signals shared */
#define SPI_LOOP        0x20                    /* loopback mode */
#define SPI_SLAVE       0x40                    /* slave mode */
#define SPI_PREAMBLE    0x80                    /* Skip preamble bytes */
Which mode to use depends on the device, as does the data sent to it as a command. Say we need bus=0, CS=2, bit length=32, data=0x51525354, and the device requires SPI_3WIRE, SPI_CPHA and SPI_CPOL: mode = 0x10|0x01|0x02 = 0x13 (19).
# sspi 0:2.19 32 51525354
51525354


Linux SPI test tool
Projet spi-tools « Christophe Blaess
http://www.blaess.fr/christophe/2014/08/12/projet-spi-tools/
https://github.com/cpb-/spi-tools
usage: ./spi-config options...
  options:
    -d --device=  use the given spi-dev character device.
    -q --query         print the current configuration.
    -m --mode=[0-3]    use the selected spi mode.
             0: low iddle level, sample on leading edge
             1: low iddle level, sample on trailing edge
             2: high iddle level, sample on leading edge
             3: high iddle level, sample on trailing edge
    -l --lsb={0,1}     LSB first (1) or MSB first (0)
    -b --bits=[7...]   bits per word
    -s --speed=   set the speed in Hz
    -h --help          this screen
    -v --version       display the version number
CPOL=1, idle state is high
CPHA=1, sample on falling
=>mode=3
But there is no 3WIRE-related option, and I don't know how to decide the speed and lsb options.
spi-config -d /dev/spidev0.0 -m 3 -l 0 -b 8
spi-config -d /dev/spidev0.0 -q
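Added example (not from this page, spi-tools or u-boot): driving spidev from Python through the raw ioctls, which lets the SPI_3WIRE flag that spi-config has no switch for be OR-ed into the mode byte. It reproduces the `spi-config -m 3 -l 0 -b 8` configuration and the u-boot `sspi 0:2.19 32 51525354` transfer; the device path, speed and the generic (x86/ARM) ioctl number encoding are assumptions.

```python
"""spidev from Python without the spidev module (added example).

Does what `spi-config -d /dev/spidev0.0 -m 3 -l 0 -b 8` does, then one
full-duplex transfer like u-boot's `sspi 0:2.19 32 51525354`. The mode
byte has the same bit layout in u-boot's include/spi.h and in Linux's
linux/spi/spidev.h, so SPI_3WIRE (0x10) can simply be OR-ed in.

Assumption: ioctl numbers use the generic asm-generic/ioctl.h encoding
(x86, ARM, ...); MIPS and PowerPC lay the bits out differently.
"""
import ctypes
import fcntl
import struct

# Mode flag bits, identical in u-boot include/spi.h and linux spidev.h
SPI_CPHA, SPI_CPOL, SPI_CS_HIGH, SPI_LSB_FIRST, SPI_3WIRE = 0x01, 0x02, 0x04, 0x08, 0x10

def spi_mode(cpol: bool, cpha: bool, three_wire=False, lsb_first=False) -> int:
    """Build the mode byte; spi-config -m N only covers the low two bits."""
    mode = (SPI_CPOL if cpol else 0) | (SPI_CPHA if cpha else 0)
    if three_wire:
        mode |= SPI_3WIRE
    if lsb_first:
        mode |= SPI_LSB_FIRST
    return mode

# ioctl request: dir(2 bits) | size(14) | type(8) | nr(8); _IOC_WRITE = 1
def _iow(type_chr: str, nr: int, size: int) -> int:
    return (1 << 30) | (size << 16) | (ord(type_chr) << 8) | nr

SPI_IOC_WR_MODE = _iow("k", 1, 1)            # 0x40016b01, __u8 mode
SPI_IOC_WR_BITS_PER_WORD = _iow("k", 3, 1)   # __u8
SPI_IOC_WR_MAX_SPEED_HZ = _iow("k", 4, 4)    # __u32
XFER_FMT = "QQIIHBBBBH"                      # struct spi_ioc_transfer layout
XFER_SIZE = struct.calcsize(XFER_FMT)        # 32 bytes
SPI_IOC_MESSAGE_1 = _iow("k", 0, XFER_SIZE)  # SPI_IOC_MESSAGE(1)

def configure(fd: int, mode: int, bits: int = 8, speed_hz: int = 1_000_000) -> None:
    """Same effect as spi-config -m/-b/-s, plus any extra mode flags."""
    fcntl.ioctl(fd, SPI_IOC_WR_MODE, struct.pack("B", mode))
    fcntl.ioctl(fd, SPI_IOC_WR_BITS_PER_WORD, struct.pack("B", bits))
    fcntl.ioctl(fd, SPI_IOC_WR_MAX_SPEED_HZ, struct.pack("I", speed_hz))

def pack_transfer(tx_addr: int, rx_addr: int, length: int, bits: int = 8) -> bytes:
    """Serialize one struct spi_ioc_transfer (speed 0 = device default)."""
    # tx_buf, rx_buf, len, speed_hz, delay_usecs, bits_per_word,
    # cs_change, tx_nbits, rx_nbits, pad
    return struct.pack(XFER_FMT, tx_addr, rx_addr, length, 0, 0, bits, 0, 0, 0, 0)

def transfer(fd: int, tx: bytes) -> bytes:
    """Full duplex: clock out tx, return the bytes clocked in meanwhile."""
    txbuf = ctypes.create_string_buffer(tx, len(tx))
    rxbuf = ctypes.create_string_buffer(len(tx))
    xfer = pack_transfer(ctypes.addressof(txbuf), ctypes.addressof(rxbuf), len(tx))
    fcntl.ioctl(fd, SPI_IOC_MESSAGE_1, xfer)
    return rxbuf.raw

if __name__ == "__main__":
    import os
    # mode 3 as in the spi-config example, with the 3-wire flag added: 0x13
    mode = spi_mode(cpol=True, cpha=True, three_wire=True)
    fd = os.open("/dev/spidev0.0", os.O_RDWR)  # assumed device node
    try:
        configure(fd, mode, bits=8)
        print(transfer(fd, bytes.fromhex("51525354")).hex())
    finally:
        os.close(fd)
```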

Tuesday, December 8, 2015

Install Android Studio on Ubuntu 14.04.2 LTS

Ubuntu 14.04.2 LTS

sudo apt-get install default-jre

I got this when trying to install Android Studio:

JDK Required: 'tools.jar' seems to be not in Studio classpath.
Please ensure JAVA_HOME points to JDK rather than JRE.
It can be fixed by installing the JDK (I thought I already had, but I searched all the installed packages and there was no tools.jar) and exporting JAVA_HOME.

Java SE Development Kit 7 - Downloads | Oracle Technology Network | Oracle
http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html


Installing the JDK Software and Setting JAVA_HOME (Using the GlassFish ESB Installation CLI)
http://docs.oracle.com/cd/E19182-01/820-7851/inst_cli_jdk_javahome_t/

Download the JDK from Oracle.
mkdir -p  /usr/java;
cd /usr/java ;
sudo tar xf ~/Downloads/jdk-7u79-linux-x64.tar.gz ;
export JAVA_HOME=/usr/java/jdk1.7.0_79;

Using the Emulator | Android Developers
http://developer.android.com/tools/devices/emulator.html#vm-linux

Download Android Studio and SDK Tools | Android Developers
http://developer.android.com/sdk/index.html

Download and unzip Android Studio, enter its directory, and run the following command to start the installation:
cd bin;
./studio.sh

DragonBoard 410c: Module 3 Setting up Your Developing Environment
https://d396qusza40orc.cloudfront.net/phoenixassets/internet-of-things-history/C2M3-ExploringAndroidStudio.pdf



VIM plugin

史丹利部落格: Vim + Trinity + Source Explorer + Tag List + NERD_tree + ctags
闇月千瞳的部落格: 使用 SrcExpl 強化 VIM 的 Source Explorer 能力
http://yuanfarn.blogspot.tw/2013/02/srcexpl-vim-source-explorer.html
Joe's Notepad: vim + ctags + cscope + taglist + Trinity + NERD_tree + Source Explorer

Trinity - the Trinity of taglist, NERDtree and SrcExpl: an IDE works like "Source Insight" : vim online


Vim Taglist plugin
http://vim-taglist.sourceforge.net/

Ctags and Taglist: Convert Vim Editor to Beautiful Source Code Browser for Any Programming Language
http://www.thegeekstuff.com/2009/04/ctags-taglist-vi-vim-editor-as-sourece-code-browser/
:TlistOpen

minibufexpl.vim - Elegant buffer explorer - takes very little screen space : vim online
http://www.vim.org/scripts/script.php?script_id=159

MiniBufExplorer插件的使用 - - ITeye技术网站
http://suchj.iteye.com/blog/1169566
Cycle forward through the buffer names
Cycle backward through the buffer names
Open the buffer under the cursor
d: delete the buffer under the cursor

Monday, December 7, 2015

VIM script


Vim - map shell command - Stack Overflow
http://stackoverflow.com/questions/9364040/vim-map-shell-command

Note some things:
  1. Don’t use map (without n and nore) unless you have a specific reason. I believe you don’t need this mapping for visual and operator-pending modes (leading n restricts mapping to normal mode only) and you also should not want this mapping to be remappable.
  2. Use to discard count you can occasionally type unless you do know you need it (third version uses two hacks that turn mapping to no-op with a side-effect and does not need ).
  3. Never forget to escape shell arguments.
  4. Version with silent ! (do not forget space after silent, this is why @David Pope’s answer does not work) has at the end. This is because using ! will always provide access to your terminal and thus redraw is needed after command has run.
  5. Versions with system() won’t work if you add an argument containing newline, it is a documented bug. If you don’t want to do so (expand('') won’t ever add newline) it is absolutely safe.
  6. t is a very useful motion. It is better to learn to use it than remap it to something. I suggest ,t as a lhs.
Mapping keys in Vim - Tutorial (Part 1) - Vim Tips Wiki - Wikia
http://vim.wikia.com/wiki/Mapping_keys_in_Vim_-_Tutorial_%28Part_1%29

Mapping key sequences
http://osr507doc.sco.com/en/OSUserG/_mapping_key_sequences.html

Vim documentation: help
http://vimdoc.sourceforge.net/htmldoc/help.html
Vim documentation: usr_41
http://vimdoc.sourceforge.net/htmldoc/usr_41.html
Vim documentation: map
http://vimdoc.sourceforge.net/htmldoc/map.html

Learn Vimscript the Hard Way
http://learnvimscriptthehardway.stevelosh.com/

Friday, December 4, 2015

C call graph with cscope

sudo apt-get install xdot
sudo apt-get install cscope

CallGraphviz—依據 cscope、Graphviz 以及 xdot 實作的 call graph visualizer - OpenFoundry
http://www.openfoundry.org/tw/tech-column/8352-callgraphviz-cscopegraphviz-xdot-call-graph-visualizer

git clone https://github.com/chihchun/callgraphviz.git
python visualizer.py
Problems:
  • You have to key in the symbols one by one
  • Symbols already keyed in cannot be deleted
  • The graph cannot be saved as a .dot file

toolchainguru: Bash: C Call Trees and Graphs
http://www.toolchainguru.com/2008/07/bash-c-call-trees-and-graphs.html
The bash script works for me with some modification.
https://github.com/mkl0301/callgraphviz/blob/master/calltree.sh

Functions supported:
  1. downstream X: functions called by X (callee)
  2. upstream X: functions that call X(caller)
  3. subgraph X Y: all code paths that lead from function X to function Y.
  4. related A, B, ... Z: all code paths between an arbitrary set of functions A, B, C, [...] Z
First, generate cscope.out. Second, source the script calltree.sh:
. calltree.sh;
Then:
downstream FUNC1 LEVEL
upstream FUNC1 LEVEL
subgraph FUNC1 FUNC2
related FUNC1...FUNCn

FUNCx: Function name
LEVEL: levels to look into. 0: infinite
The latest script could take the Function name as the first parameter:
Call the built-in function by providing the function name as the first
    parameter:
        ./calltree.sh FUNC PARM1 PARM2...PARM8

Thus I could do the following directly:
./calltree.sh downstream FUNC1 LEVEL
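Added example (my own code, not calltree.sh or CallGraphviz): a Python version of `downstream FUNC LEVEL` that queries an existing cscope.out for callees, walks them to the requested depth and emits Graphviz DOT, so the graph can be saved as a .dot file instead of only viewed. The cscope output in FAKE_DB is constructed so the walk can run without a database.

```python
"""Downstream call graph from cscope to a .dot file (added example).

A Python take on calltree.sh's `downstream FUNC LEVEL`: it runs cscope's
line-oriented query -L -2 <symbol> (functions called by symbol) against an
existing cscope.out, walks the callees to LEVEL hops (0 = unlimited) and
emits Graphviz DOT. The parser and the walk are separate from the cscope
call so they can run on captured output.
"""
import subprocess
from collections import OrderedDict

def parse_cscope_lines(output: str) -> list:
    """cscope -L prints '<file> <function> <line> <text>'; return unique functions."""
    seen = OrderedDict()
    for line in output.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            continue
        seen.setdefault(fields[1], None)
    return list(seen)

def cscope_callees(symbol: str, db: str = "cscope.out") -> list:
    """Query an existing database (-d: do not rebuild) for callees of symbol."""
    proc = subprocess.run(["cscope", "-d", "-f", db, "-L", "-2", symbol],
                          capture_output=True, text=True, check=True)
    return parse_cscope_lines(proc.stdout)

def downstream(root: str, level: int = 0, callees=cscope_callees) -> dict:
    """Breadth-first callee graph {caller: [callees]} to `level` hops (0 = all).

    `callees` is injectable so the walk can be exercised without cscope.
    """
    graph, frontier, depth = {}, [root], 0
    while frontier and (level == 0 or depth < level):
        next_frontier = []
        for fn in frontier:
            if fn in graph:          # already expanded: breaks recursion cycles
                continue
            graph[fn] = callees(fn)
            next_frontier.extend(c for c in graph[fn] if c not in graph)
        frontier = next_frontier
        depth += 1
    return graph

def to_dot(graph: dict, name: str = "calltree") -> str:
    """Render the callee graph as Graphviz DOT text (xdot or dot -Tpng)."""
    lines = [f"digraph {name} {{", "  rankdir=LR;"]
    for caller, callees in graph.items():
        for callee in callees:
            lines.append(f'  "{caller}" -> "{callee}";')
    lines.append("}")
    return "\n".join(lines) + "\n"

# Constructed cscope -L -2 output for a toy program, in the format cscope
# prints: <file> <function> <line> <source text>
FAKE_DB = {
    "main": "main.c parse_args 12 parse_args(argc, argv);\n"
            "main.c run 14 run(cfg);\n",
    "run": "run.c log_msg 30 log_msg(\"start\");\n"
           "run.c run 35 run(next);\n",      # recursive call
    "parse_args": "",
    "log_msg": "",
}

def fake_callees(symbol: str) -> list:
    return parse_cscope_lines(FAKE_DB.get(symbol, ""))

if __name__ == "__main__":
    print(to_dot(downstream("main", 0, callees=fake_callees)))
```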


CCTree - C Call-Tree Explorer -- Cscope based source-code browser; code flow analyzer : vim online
http://www.vim.org/scripts/script.php?script_id=2368
Vim CCTree -- Call-tree Explorer plugin
https://sites.google.com/site/vimcctree/
cctree help file
http://sites.google.com/site/vimcctree/cctree.txt
Copy cctree.vim to ~/.vim/plugins/

Load database
    :CCTreeLoadDB
(Please note that it might take a while depending on the  database size)

Save native Xref Db
   :CCTreeSaveXRefDB  cctree.out

Load native XRef Db
    :CCTreeLoadXRefDB  cctree.out

Get reverse call tree for symbol: <C-\> <
    :CCTreeTraceReverse
Get forward call tree for symbol: <C-\> >
    :CCTreeTraceForward
Increase depth of tree and update: <C-\> =
    :CCTreeRecurseDepthPlus
Decrease depth of tree and update: <C-\> -
    :CCTreeRecurseDepthMinus



Thursday, December 3, 2015

cscope

sudo apt-get install cscope
cat > ~/.vimrc << eof
if has('cscope')
  set cscopetag cscopeverbose

"  if has('quickfix')
"    set cscopequickfix=s-,c-,d-,i-,t-,e-
"  endif

  cnoreabbrev csa cs add
  cnoreabbrev csf cs find
  cnoreabbrev csk cs kill
  cnoreabbrev csr cs reset
  cnoreabbrev css cs show
  cnoreabbrev csh cs help

  command -nargs=0 Cscope cs add \$VIMSRC/src/cscope.out \$VIMSRC/src
endif
eof
cd ~/.vim/plugin/; wget http://cscope.sourceforge.net/cscope_maps.vim

I have the cscope_maps.vim file (see tutorial [1]) and the .vimrc snippet from the Vim Tips Wiki [2], but removed the quickfix part, as suggested by [3]. After removing the quickfix part, every duplicated symbol asks for a selection, even for tags!!!

cscope -Rbk -s XXXX
-R     Recurse subdirectories during search for source files.
-b     Build the cross-reference only.
-k     ``Kernel Mode'', turns off the use of the default include dir (usually /usr/include) when building the database, since kernel source trees generally do not use it.
-sdir  Look in dir for additional source files. This option is ignored if source files are given on the command line.
-q     Enable fast symbol lookup via an inverted index.

-C     Ignore letter case when searching.
-d     Do not update the cross-reference.
Cscope interactive
^d: Exit cscope.
: Alternate between the menu and the list of matching lines

Ctrl-\ followed by:
       c: Find functions calling this function (caller)
       d: Find functions called by this function (callee)
       e: Find this egrep pattern
       f: Find this file
       g: Find this definition
       i: Find files #including this file
       s: Find this C symbol
       t: Find this text string




[1] Vim/Cscope tutorial
http://cscope.sourceforge.net/cscope_vim_tutorial.html

Vi with Cscope
http://web.missouri.edu/~hantx/Tools/vi/TonyViNotes/node11.html
  1. Building the database for Cscope:
    $ cscope -Rb
    This command makes cscope parse all the subdirectories (-R option) and exit without entering the awkward cscope interface.
  2. List all the uses of the symbol under the cursor:
    Ctrl+\s
    That is Control-backslash and then 's'. Select one of the items in the list and hit Enter to jump to that use. Ctrl+t jumps back.
  3. Find functions called by the function under the cursor:
    Ctrl+\d
    That is Control-backslash and then 'd'.
  4. Open the file with the filename under the cursor:
    Ctrl+\f
    That is Control-backslash and then 'f'.
  5. Jump back from the most recent jumping-off point:
    Ctrl+t
[2] Cscope - Vim Tips Wiki - Wikia
http://vim.wikia.com/wiki/Cscope
A Collection of Vi Tips
http://users.nccs.gov/~fwang2/tools/vinotes.html
Cscope Tutorial
https://courses.cs.washington.edu/courses/cse451/12sp/tutorials/tutorial_cscope.html

[3] Vi + Cscope: using "cscope find c function" in vim, finds multiple results, how to go next - Stack Overflow
http://stackoverflow.com/questions/4399519/vi-cscope-using-cscope-find-c-function-in-vim-finds-multiple-results-how

linux - How to set vim as default cscope editor? - Stack Overflow
http://stackoverflow.com/questions/28121485/how-to-set-vim-as-default-cscope-editor

Using Cscope on large projects (example: the Linux kernel)
http://cscope.sourceforge.net/large_projects.html

Tuesday, December 1, 2015

BASH: invoked as sh, enters POSIX mode

Bash Reference Manual: Bash POSIX Mode
http://www.gnu.org/software/bash/manual/html_node/Bash-POSIX-Mode.html

When invoked as sh, Bash enters POSIX mode after reading the startup files.

Executing the following script with bash and with sh (which is a symlink to bash here) gives different results:
~$ cat a
#!/bin/bash
echo a

~$ cat test
#!/bin/bash
source a
echo b

~$ ls /bin/sh -alh
lrwxrwxrwx 1 root root 4 12月  1 16:30 /bin/sh -> bash

~$ bash test
a
b

~$ ./test
a
b

~$ sh test
test: line 2: source: a: file not found




Tuesday, November 24, 2015

NOR flash CFI and AMD/Fujitsu Standard Command Set


Common Flash Memory Interface - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Common_Flash_Memory_Interface

Vendor Command Set & Control Interface ID Code Assignments

  1. Intel/Sharp Extended Command Set
  2. AMD/Fujitsu Standard Command Set
  3. Intel Standard Command Set
  4. AMD/Fujitsu Extended Command Set
SPANSION: Using CFI to Read and Debug Systems
https://www.spansion.com/Support/Application%20Notes/read_debug_using_CFI_an.pdf

SPANSION: S70GL256M00 256 Megabit (8 M x 32-Bit/16 M x 16-Bit)
http://data.datasheetlib.com/pdf1/127/27/1272714/advanced-micro-devices-s70gl256m00_be0646f6ba.pdf
p.34 Table 10. Command Definitions (x32 Mode, WORD# = V IH )
p.35 Table 11. Command Definitions (x16 Mode, WORD# = V IL )


Sunday, November 22, 2015

ALPN


I got the following with openssl-1.0.2d. One strange thing is the commands marked in red: they are the same command, but the first says "ALPN h2-14", while the one run after the h2 attempt says "No ALPN negotiated".
~ # (echo | openssl s_client -alpn h2-14 -connect google.com:443) | grep ALPN
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
ALPN protocol: h2-14
DONE
~ # (echo | openssl s_client -alpn h2 -connect google.com:443) | grep ALPN
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
DONE
ALPN protocol: h2
~ # (echo | openssl s_client -alpn h2-14 -connect google.com:443) | grep ALPN
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
No ALPN negotiated
DONE
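Added example (not part of the post): the same ALPN check done with Python's ssl module, offering each identifier (h2, the draft name h2-14, ...) on its own connection so the result shows which names the server still accepts rather than only its preferred one, plus a parser that classifies saved s_client output like the captures above. The host in `__main__` is a placeholder; OUT_H2 and OUT_NONE are constructed copies of the two outcomes.

```python
"""ALPN negotiation check (added example, not from the post).

negotiate_alpn() offers protocol names the way `openssl s_client -alpn`
does and returns the server's choice; None is the "No ALPN negotiated"
case. check_each() offers the names one at a time. parse_s_client()
classifies captured s_client text offline.
"""
import socket
import ssl
from typing import Optional

def negotiate_alpn(host: str, protocols, port: int = 443,
                   timeout: float = 5.0) -> Optional[str]:
    """Return the ALPN protocol the server selected, or None."""
    ctx = ssl.create_default_context()          # verifies the certificate
    ctx.set_alpn_protocols(list(protocols))     # client order = preference
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()

def check_each(host: str, names=("h2", "h2-14", "http/1.1"),
               port: int = 443) -> dict:
    """Offer every name on a separate connection; value is the reply or None."""
    return {name: negotiate_alpn(host, [name], port) for name in names}

def parse_s_client(output: str) -> Optional[str]:
    """'ALPN protocol: X' -> X, 'No ALPN negotiated' -> None."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("ALPN protocol:"):
            return line.split(":", 1)[1].strip()
        if line == "No ALPN negotiated":
            return None
    raise ValueError("no ALPN line found in s_client output")

# Constructed copies of the two outcomes shown above
OUT_H2 = ("depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA\n"
          "DONE\nALPN protocol: h2\n")
OUT_NONE = ("depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA\n"
            "No ALPN negotiated\nDONE\n")

if __name__ == "__main__":
    print(check_each("example.com"))  # placeholder host; needs network access
```

Because the default context verifies the chain, a server whose issuer is not trusted (the verify error:num=20 case above) raises ssl.SSLCertVerificationError here instead of merely printing a warning.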


[wiki] Application-Layer Protocol Negotiation - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation

HTTP/2 tests Openlitespeed 1.3.8 which OpenSSL version used ? | OpenLiteSpeed Community and News
http://openlitespeed.com/threads/http-2-tests-openlitespeed-1-3-8-which-openssl-version-used.1172/

ALPN check reports No ALPN negotiated - ALPN is only supported in OpenSSL 1.0.2, so wonder if OpenLiteSpeed 1.3.8 bundled OpenSSL is <1.0.2
/opt/h2o_openssl/bin/openssl s_client -alpn h2-14 -host OPENLITESPEEDHOST.centminmod.com -port 8082

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
NPN check reports that NPN extension is supported = Next protocol: (1) h2-14
/opt/h2o_openssl/bin/openssl s_client -nextprotoneg h2-14 -host OPENLITESPEEDHOST.centminmod.com -port 8082

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
Next protocol: (1) h2-14
No ALPN negotiated 
Giuseppe Ciotta's Blog – Testing NGINX HTTP/2 support
https://giuseppeciotta.net/testing-nginx-http2-support.html
(echo | openssl s_client -alpn h2 -connect giuseppeciotta.net:443) | grep ALPN
...
ALPN protocol: h2

OpenSSL - Dev - [Patch] ALPN Implementation for OpenSSL
http://openssl.6102.n7.nabble.com/Patch-ALPN-Implementation-for-OpenSSL-td45509.html

Feature #9390: Support for the ALPN TLS extension - Ruby trunk - Ruby Issue Tracking System
https://bugs.ruby-lang.org/issues/9390


linux - How to detect if a server is using SPDY - Stack Overflow
http://stackoverflow.com/questions/23742928/how-to-detect-if-a-server-is-using-spdy
openssl s_client -connect google.com:443 -nextprotoneg ''
CONNECTED(00000003)
Protocols advertised by server: spdy/3.1, spdy/3, http/1.1

 

Friday, November 13, 2015

Synergy

Synergy - Mouse and keyboard sharing software
http://synergy-project.org/


v1.4.18 is still free version
http://synergy-project.org/download/free/

Nightly Build is also available to download
https://synergy-project.org/nightly

But the standard release requires a login:




Sunday, November 1, 2015

LTE RACH

RACH: ShareTechnote
http://www.sharetechnote.com/html/RACH_LTE.html

3GPP Long Term Evolution (LTE): Random Access Procedure in LTE
http://4g-lte-world.blogspot.tw/2013/04/random-access-procedure-rach-in-lte.html

LTE bearer and protocol layer






Long Term Evolution Protocol Overview
https://www.freescale.com/files/wireless_comm/doc/white_paper/LTEPTCLOVWWP.pdf
Long-Term Evolution Protocol: How the Standard Impacts Media Access Control
http://www.freescale.com/files/training_presentation/TP_LTE_PHY_MAC.pdf

LTE attach procedure | LTE AND BEYOND | Tech-blog on 4G/LTE and beyond..
http://www.lteandbeyond.com/2012/01/lte-attach-procedure.html

Friday, October 23, 2015

Numonyx M29EW devices report an incorrect write buffer size


http://datasheet.octopart.com/PC28F256M29EWLA-Micron-datasheet-11738582.pdf
p.114, CFI query data at x16 offsets 0x2A and 0x2B: both x16 and x8 modes return 1024,

For X16/X8 mode, the maximum buffer size is 1024 bytes/256 bytes respectively.
http://git.denx.de/?p=u-boot.git;a=commit;h=c502321c4a1bc8d859ecf19b22f9d0ce03954fd6
From c502321c4a1bc8d859ecf19b22f9d0ce03954fd6 Mon Sep 17 00:00:00 2001
From: Jagannadha Sutradharudu Teki
Date: Fri, 1 Mar 2013 16:54:26 +0530
Subject: [PATCH] mtd: cfi_flash: Write buffer size adjustment for M29EW
 Numonyx devices

This patch addjusted the write buffer size for M29EW devices those
are operated in 8-bit mode.

The M29EW devices seem to report the CFI information wrong when
it's in 8 bit mode.

There's an app note from Numonyx on this issue and there's a patch
in the open source as well for Linux, but it doesn't seem to be in mainline.

Signed-off-by: Jagannadha Sutradharudu Teki
Tested-by: Jagannadha Sutradharudu Teki

CFI doesn't carry info on the read buffer size (the page size in M29EW).
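Added example serving both the CFI post above (vendor command set IDs) and this one: a decoder for the fields of a CFI query table, with the M29EW correction applied when the part is driven on an 8-bit bank. The code is mine, not u-boot's cfi_flash.c; the cap at 256 bytes follows the datasheet statement quoted above, and SAMPLE_QUERY is a constructed table for a 256 Mbit AMD-command-set part that reports a 1024-byte buffer.

```python
"""Decode a CFI query table and correct the M29EW write-buffer size
(added example, not u-boot code).

CFI query data is read at word offsets 0x10.. after the 0x98 query command;
here it is modelled as a dict {offset: byte}. Offsets used:
0x10-0x12 "QRY", 0x13-0x14 primary vendor command set ID, 0x27 device size
(2^n bytes), 0x28-0x29 interface code (0 = x8, 1 = x16, 2 = x8/x16),
0x2A-0x2B maximum multi-byte write buffer (2^n bytes).

Assumed quirk handling: M29EW reports 1024 in both modes while the 8-bit
bus really takes 256 bytes, so the value is capped on an 8-bit bank.
"""
COMMAND_SETS = {
    0x0001: "Intel/Sharp Extended Command Set",
    0x0002: "AMD/Fujitsu Standard Command Set",
    0x0003: "Intel Standard Command Set",
    0x0004: "AMD/Fujitsu Extended Command Set",
}
M29EW_X8_MAX_WRITE_BUFFER = 256

def word(q: dict, lo: int) -> int:
    """Little-endian 16-bit field made of query bytes lo and lo+1."""
    return q[lo] | (q[lo + 1] << 8)

def decode_cfi(q: dict, bus_width_bits: int, is_m29ew: bool = False) -> dict:
    """Return the fields discussed above, with the M29EW correction applied."""
    if bytes(q[o] for o in (0x10, 0x11, 0x12)) != b"QRY":
        raise ValueError("no CFI query string at offset 0x10")
    cmd_set = word(q, 0x13)
    reported_buf = 1 << word(q, 0x2A)
    buf = reported_buf
    if is_m29ew and bus_width_bits == 8:
        buf = min(buf, M29EW_X8_MAX_WRITE_BUFFER)
    return {
        "command_set": COMMAND_SETS.get(cmd_set, f"unknown 0x{cmd_set:04x}"),
        "device_size": 1 << q[0x27],
        "interface_code": word(q, 0x28),
        "reported_write_buffer": reported_buf,
        "write_buffer": buf,
    }

# Constructed query table: 256 Mbit, AMD/Fujitsu standard command set,
# x8/x16 interface, buffer field 0x0A -> 2^10 = 1024 bytes as in the post.
SAMPLE_QUERY = {
    0x10: ord("Q"), 0x11: ord("R"), 0x12: ord("Y"),
    0x13: 0x02, 0x14: 0x00,   # AMD/Fujitsu Standard Command Set
    0x27: 0x19,               # 2^25 bytes = 32 MiB = 256 Mbit
    0x28: 0x02, 0x29: 0x00,   # x8/x16 capable
    0x2A: 0x0A, 0x2B: 0x00,   # 2^10 = 1024-byte write buffer
}

if __name__ == "__main__":
    for width in (16, 8):
        print(width, decode_cfi(SAMPLE_QUERY, width, is_m29ew=True))
```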

Thursday, October 22, 2015

tshark: cannot save the capture to a file

Cannot capture packets as a normal user, while in privileged mode the capture file cannot be saved:
tshark -i 1 -a duration:10 -w x.pcap

tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlan0'
tshark: The file to which the capture would be saved ("x.pcap") could not be opened: Permission denied.

http://anonscm.debian.org/viewvc/collab-maint/ext-maint/wireshark/trunk/debian/README.Debian?view=markup
groupadd wireshark
useradd -G wireshark <username>
usermod -a -G wireshark <username>
Always remember to reboot or log out to have the change take effect!!!

https://wiki.wireshark.org/CaptureSetup/CapturePrivileges
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Wednesday, August 12, 2015

Use loopback device in docker


"--privileged" works for me.


loopback device in a Linux container? - Server Fault
http://serverfault.com/questions/701384/loopback-device-in-a-linux-container

The quick answer
docker run --privileged=true ...
An alternative
sudo losetup /dev/loop0 test.img
mount /dev/loop0 /mnt
docker run -v /mnt:/mnt ...
linux - Is it possible to mount an ISO inside a docker container? - Stack Overflow
http://stackoverflow.com/questions/22028795/is-it-possible-to-mount-an-iso-inside-a-docker-container
To mount an ISO inside a container, you need two things:
  • access to loop devices,
  • permission to mount filesystems.
By default, Docker locks down both things; that's why you get that error message.
The easiest solution is to start the container in privileged mode (docker run -privileged ...).
A more fine-grained solution is to dive down into the devices cgroup and container capabilities to give the required permissions.
Note that you cannot execute privileged operations as part of a Dockerfile; i.e. if you need to mount that ISO in a Dockerfile, you won't be able to do it.


Monday, August 10, 2015

Sara的食食課課 |
http://blog.shishikeke.com.tw/

賴宇凡演講
https://www.youtube.com/watch?v=aDS6wXhCK8Y&feature=BFa&list=ULkPkaxt8WP5Q

科學人雜誌 - 怎樣吃最健康?
http://sa.ylib.com/MagCont.aspx?PageIdx=1&Unit=featurearticles&Cate=&id=176&year=

每天吃3顆蛋,竟可降壞膽固醇!你一定要知道的 5 個膽固醇新常識 - 非讀BOOK - 新知 - 良醫健康網 - 商業周刊(百大良醫)
http://health.businessweekly.com.tw/AArticle.aspx?id=ARTL000020471&utm_source=facebook.com&utm_medium=social&utm_content=health&utm_campaign=content



Re: [討論] 不吃澱粉?
https://www.ptt.cc/man/FITNESS/DE51/DE92/M.1344485698.A.38A.html

她倡健康飲食文 醫生斥:吐血謬論 | 即時新聞 | 20150723 | 蘋果日報
http://www.appledaily.com.tw/realtimenews/article/life/20150723/653428/

小黃醫師的隨手筆記: 快吐血的謬論,卻充斥台灣媒體
http://blog.huangrh.com/2015/07/blog-post_21.html

SARA 你知道你說的錯很大嗎?
血的90%是水?凝固得了嗎?

https://www.facebook.com/photo.php?fbid=10207644872186335&set=a.1259756060495.40582.1427463448&type=1&fref=nf

(3) 急診女醫師其實. - 只要句子寫的親切,讓一般人看得懂,好像覺得輕輕鬆鬆就可以擁有健康,就代表是正確的嗎?...
https://www.facebook.com/emergencygirl/posts/1663417513890383

Monday, July 27, 2015

Linux Timer

Create your own timer routine in Linux | My Linux and Telecom Experiences
https://madalanarayana.wordpress.com/2014/01/25/create-your-own-timer-routine-in-linux/

Userspace application

  • add a signal handler for SIGALRM/SIGVTALRM/SIGPROF, depending on the type of timer used.
  • call setitimer() to install a periodic timer
When the timer expires, the system sends a signal (SIGALRM/SIGVTALRM/SIGPROF).


Timekeeping in Linux Userspace | ctrLinux
http://www.ctrlinux.com/blog/?p=52

Linux C/C++ Timer signal handler in userspace - Code - Help To User
http://www.helptouser.com/code/5437240-linux-c-c-timer-signal-handler-in-userspace.html
setitimer(2) is a good start, but do you really want to go asynchronous with signals? Otherwise, you could have a main loop with select(2) or poll(2) and an appropriate timeout.

A much safer alternative to setitimer (which POSIX 2008 marks obsolete) would be to use POSIX timers, and have the timer expiration function run in a thread rather than a signal handler. This way you are not restricted to only using async-signal-safe functions. They're documented here:
http://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html#tag_15_08_05
If you don't like the POSIX timers API, you could instead create a thread that merely sleeps in a loop, and block the timer signal in all threads except that thread. Then you will be free to use whatever functions you like in the signal handler, since it will run in a separate thread and there is no danger of it interrupting an async-signal-unsafe function.
 

Thursday, July 9, 2015

Monday, June 22, 2015

Linux kernel mtdparts


Documentation/kernel-parameters.txt
drivers/mtd/cmdlinepart.c

 * mtdparts=[; *   := :[,]
 * := [@][][ro][lk]
CN5700 EVB, openwrt image https://downloads.openwrt.org/snapshots/trunk/octeon/generic/, Linux 3.18.14.
For Cavium Octeon, the mtd-id is phys_mapped_flash:
[   33.269307] phys_mapped_flash: Found 1 x16 devices at 0x0 in 8-bit bank. Manufacturer ID 0x000001 Chip ID 0x001001
This works for me:
mtdparts=phys_mapped_flash:2176k(U-Boot)ro,6008k(rootfs),8k(u-boot-env)ro

Managing flash storage with Linux
http://free-electrons.com/blog/managing-flash-storage-with-linux/
mtdparts=omap2-nand.0:128k(X-Loader)ro,256k(U-Boot)ro,128k(Environment),4m(Kernel)ro,32m(RootFS)ro,-(Data)
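Added example (my own parser, not the kernel's drivers/mtd/cmdlinepart.c): it turns an mtdparts= string into partition offsets, handling the k/m/g suffixes, the `-` "rest of device" size, `@offset`, `ro`/`lk` flags and the kernel's Partition_NNN default name, and checks that the layout fits the device. Both mtdparts strings quoted above are used as input; the device sizes are assumptions.

```python
"""Parse a Linux mtdparts= string into partition offsets (added example).

Grammar implemented: mtd-id:partdef[,partdef]... with
partdef = size[@offset][(name)][ro][lk]; size is a decimal number with an
optional k/m/g suffix, or '-' for "rest of the device". A partition without
@offset starts where the previous one ended, as the kernel does.
"""
import re

SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
PART_RE = re.compile(
    r"^(?P<size>-|\d+[kmgKMG]?)(?:@(?P<off>\d+[kmgKMG]?))?"
    r"(?:\((?P<name>[^)]*)\))?(?P<flags>(?:ro|lk)*)$"
)

def parse_size(tok: str) -> int:
    unit = tok[-1].lower() if tok[-1].isalpha() else ""
    digits = tok[:-1] if unit else tok
    return int(digits) * SUFFIX[unit]

def parse_mtdparts(spec: str, device_size: int = None) -> dict:
    """Return {mtd-id: [partition dicts]}; device_size resolves '-' sizes."""
    if spec.startswith("mtdparts="):
        spec = spec[len("mtdparts="):]
    result = {}
    for mtddef in filter(None, spec.split(";")):
        mtd_id, _, partdefs = mtddef.partition(":")
        parts, offset = [], 0
        for i, pdef in enumerate(partdefs.split(",")):
            m = PART_RE.match(pdef)
            if not m:
                raise ValueError(f"bad partdef {pdef!r}")
            if m["off"] is not None:
                offset = parse_size(m["off"])
            if m["size"] == "-":
                if device_size is None:
                    raise ValueError("'-' size needs device_size")
                size = device_size - offset
            else:
                size = parse_size(m["size"])
            parts.append({
                "name": m["name"] or f"Partition_{i:03d}",  # kernel default name
                "offset": offset, "size": size,
                "ro": "ro" in m["flags"], "lock": "lk" in m["flags"],
            })
            offset += size
        result[mtd_id] = parts
    return result

def check_fit(parts: list, device_size: int) -> list:
    """Names of partitions that run past the end of the device."""
    return [p["name"] for p in parts if p["offset"] + p["size"] > device_size]

# The two mtdparts strings quoted above
OCTEON = "mtdparts=phys_mapped_flash:2176k(U-Boot)ro,6008k(rootfs),8k(u-boot-env)ro"
OMAP = ("mtdparts=omap2-nand.0:128k(X-Loader)ro,256k(U-Boot)ro,128k(Environment),"
        "4m(Kernel)ro,32m(RootFS)ro,-(Data)")

if __name__ == "__main__":
    flash_size = 8 * 1024 * 1024  # assumed 8 MiB NOR on the Octeon EVB
    for mtd_id, parts in parse_mtdparts(OCTEON, flash_size).items():
        print(mtd_id, "overflow:", check_fit(parts, flash_size))
        for p in parts:
            print(f"  {p['name']:<12} @0x{p['offset']:08x} size 0x{p['size']:08x}"
                  f"{' ro' if p['ro'] else ''}")
```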

Tuesday, June 16, 2015

awk

 awk '/Tech/ && $1>200 {print $2, $4,$5}' e 

Awk Introduction Tutorial – 7 Awk Print Examples
http://www.thegeekstuff.com/2010/01/awk-introduction-tutorial-7-awk-print-examples/

linux shell awk 語法 @ 血落閣 :: 隨意窩 Xuite日誌
http://blog.xuite.net/mb1016.flying/linux/28111008-linux+shell+awk+%E8%AA%9E%E6%B3%95

Awk - A Tutorial and Introduction - by Bruce Barnett
http://www.grymoire.com/Unix/Awk.html

Monday, June 15, 2015

MIPS Exception


http://scc.ustc.edu.cn/zlsc/lxwycj/200910/W020100308600770617815.pdf
8 Coprocessor 0 Registers, p.73
8.1 Coprocessor 0 Register Summary, p73
8.22 Cause Register (CP0 Register 13, Select 0), p113
Table 8-25 Cause Register ExcCode Field, p116
8.18 Status Register (CP0 Register 12, Select 0), p98


15.5. MIPS Exception Handling
http://www.cs.uwm.edu/classes/cs315/Bacon/Lecture/HTML/ch15s05.html

MIPS 通用寄存器 + 指令 - gujing001的专栏 - 博客频道 - CSDN.NET
http://blog.csdn.net/gujing001/article/details/8476685

CPU Registers
https://www.doc.ic.ac.uk/lab/secondyear/spim/node10.html

http://bbs.csdn.net/topics/390067643

This means the MIPS core raised an exception, i.e. bit 1 of Status is set.
When bit 1 (EXL) of Status is set, certain Coprocessor 0 registers can help you analyze the exact location and cause of the error.

Generally, unless it is some special kind of error, looking at EPC is enough to find the location that caused the kernel panic; it can be understood as the PC value that caused the exception. For certain more special errors, you have to look at ErrorEPC.

For the original poster's problem, the Cause register value is 00800034, so the VI-mode interrupt mechanism seems to be in use. Bits 2-6 are 01101, which is 13. Checking the MIPS coprocessor manual, you will find that this is ExcCode, the exception code; a value of 13 means a trap exception occurred.
Combined with EPC, that is, at instruction address 80010ed0 do_ade+0x388/0xa1c, a trap instruction was executed.
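Added example (not from the forum thread): a decoder for the CP0 Cause and Status fields used in that analysis, with the ExcCode values of Table 8-25 referenced above. Applied to the post's Cause value 0x00800034 it reports ExcCode 13 (Tr) with IV set; the Status value in `__main__` is constructed.

```python
"""Decode the MIPS CP0 Cause and Status registers (added example).

Field positions follow the MIPS32 Privileged Resource Architecture:
Cause: ExcCode bits 6:2, IP bits 15:8, IV bit 23, CE bits 29:28, BD bit 31;
Status: IE bit 0, EXL bit 1, ERL bit 2.
"""
EXC_CODES = {
    0: "Int (interrupt)", 1: "Mod (TLB modified)", 2: "TLBL (TLB load/fetch)",
    3: "TLBS (TLB store)", 4: "AdEL (address error, load/fetch)",
    5: "AdES (address error, store)", 6: "IBE (bus error, fetch)",
    7: "DBE (bus error, data)", 8: "Sys (syscall)", 9: "Bp (breakpoint)",
    10: "RI (reserved instruction)", 11: "CpU (coprocessor unusable)",
    12: "Ov (arithmetic overflow)", 13: "Tr (trap)", 15: "FPE (floating point)",
    23: "WATCH", 24: "MCheck (machine check)",
}

def bits(value: int, hi: int, lo: int) -> int:
    """Extract bit field value[hi:lo], inclusive."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)

def decode_cause(cause: int) -> dict:
    code = bits(cause, 6, 2)
    return {
        "exc_code": code,
        "exception": EXC_CODES.get(code, f"reserved ({code})"),
        "ip": bits(cause, 15, 8),          # pending interrupts IP7..IP0
        "iv": bool(bits(cause, 23, 23)),   # vectored interrupt entry in use
        "ce": bits(cause, 29, 28),         # coprocessor number for CpU
        "bd": bool(bits(cause, 31, 31)),   # faulted in a branch delay slot
    }

def decode_status(status: int) -> dict:
    return {"ie": bool(status & 1), "exl": bool(status & 2), "erl": bool(status & 4)}

def pc_to_use(status: int) -> str:
    """Which register holds the faulting PC: ErrorEPC under ERL, otherwise EPC."""
    return "ErrorEPC" if status & 4 else "EPC"

def describe(cause: int, status: int, epc: int) -> str:
    c, s = decode_cause(cause), decode_status(status)
    where = f"{epc:08x}" + (" (branch delay slot)" if c["bd"] else "")
    return (f"Cause=0x{cause:08x}: ExcCode {c['exc_code']} {c['exception']}, "
            f"IV={int(c['iv'])}; Status EXL={int(s['exl'])} ERL={int(s['erl'])}; "
            f"look at {pc_to_use(status)} -> {where}")

if __name__ == "__main__":
    # Cause and EPC from the post above; the Status value is a constructed
    # example with EXL set and interrupts enabled.
    print(describe(0x00800034, 0x10000003, 0x80010ED0))
```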

How to Encrypt Your Bash Shell Script on Linux Using SHC

http://www.datsi.fi.upm.es/~frosal/
http://www.datsi.fi.upm.es/~frosal/sources/CHANGES
http://www.datsi.fi.upm.es/~frosal/sources/shc.html
http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9.tgz

How to Encrypt Your Bash Shell Script on Linux Using SHC
http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/

Friday, June 12, 2015

IPSec stateful failover

HighAvailability - strongSwan
https://wiki.strongswan.org/projects/1/wiki/HighAvailability

strongSwan ha Tests
https://www.strongswan.org/uml/testresults/ha/index.html

IpsecStandards - strongSwan
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards

Not Supported: RFC 6311: Protocol Support for High Availability of IKEv2/IPsec
[strongSwan] Automated test ha/both-active fails
https://lists.strongswan.org/pipermail/users/2012-July/003299.html
> Our HA solution works differently and is not based on RFC 6311. In fact,
> we don't need any additional protocol support in IKEv2 between server
> and client, all the synchronization is done between the cluster nodes
> directly.




Cisco High Availability Solution: Stateful Failover for IPsec - Cisco
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white_paper_c11_472859.html
Stateful Failover for IP Security (IPsec) allows a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. A backup (secondary) router automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and requires neither adjustment nor reconfiguration of any remote peer.

Stateful IPsec VPN High-Availability Alternatives - IPSec Virtual Private Network Fundamentals
http://flylib.com/books/en/2.45.1.50/1/
Recall that in stateless IPsec failover, there is a reconvergence delay directly attributable to rebuilding IPsec SAs with the redundant router upon failover.

Stateful IPsec HA builds the appropriate entries in the redundant VPN gateway's SADB in advance and employs a mechanism to accurately maintain state parity between the active and standby VPN gateways, thereby effectively precluding the need for IPsec to renegotiate Phase 1 and Phase 2 SAs upon failover.

RFC 6311 - Protocol Support for High Availability of IKEv2/IPsec
https://tools.ietf.org/html/rfc6311

RFC 6027 - IPsec Cluster Problem Statement
https://tools.ietf.org/html/rfc6027

Proposed IPsec HA Cluster Protocol
http://www.ietf.org/proceedings/78/slides/ipsecme-3.pdf

Thursday, May 28, 2015

Sending (replay) captured packets

Tools - The Wireshark Wiki
https://wiki.wireshark.org/Tools#Traffic_generators

Tcpreplay
http://tcpreplay.synfin.net/

sudo apt-get install tcpreplay
sudo tcpreplay -i eth0 ping.pcapng

Thursday, May 21, 2015

Instantiating I2C device in Linux userspace


linux/Documentation/i2c/instantiating-devices

File new_device takes 2 parameters: the name of the I2C device (a string) and the address of the I2C device (a number, typically expressed in hexadecimal starting with 0x, but can also be expressed in decimal.)

File delete_device takes a single parameter: the address of the I2C device. As no two devices can live at the same address on a given I2C segment, the address is sufficient to uniquely identify the device to be deleted.

Example:
# echo eeprom 0x50 > /sys/bus/i2c/devices/i2c-3/new_device
 
echo 24c64  0x51 > /sys/bus/i2c/devices/i2c-0/new_device
echo 0x51 > /sys/bus/i2c/devices/i2c-0/delete_device

Monday, April 20, 2015

Markdown


http://markdown.tw/

https://www.openfoundry.org/tw/resourcecatalog/Program-Development/Markup-Languages/markdown
Technical writing productivity tools | iThome
http://www.ithome.com.tw/voice/95002

ReText - A Markdown editor for Linux - Tsung's Blog
http://blog.longwin.com.tw/2014/02/retext-linux-support-markdown-editor-2014/

Pandoc - Wikipedia, the free encyclopedia
http://zh.wikipedia.org/zh-tw/Pandoc

apt-get install retext pandoc
pandoc -o x.html README -f markdown


Monday, April 13, 2015

The Internals of "Hello World" Program

http://www.slideshare.net/jserv/helloworld-internals

Wednesday, April 1, 2015

Docker on Ubuntu 14.04 LTS


https://docs.docker.com/installation/
https://docs.docker.com/installation/ubuntulinux/
https://docs.docker.com/installation/ubuntulinux/#installing-docker-on-ubuntu

wget -qO- https://get.docker.com/ | sh

If you would like to use Docker as a non-root user, you should now consider
adding your user to the "docker" group with something like:

sudo usermod -aG docker test

(Reboot required)

sudo docker run hello-world


ERROR: when running "sudo docker run hello-world"
FATA[0000] Post http:///var/run/docker.sock/v1.17/containers/create: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?
FIX: Reboot

https://docs.docker.com/userguide/
https://github.com/veggiemonk/awesome-docker
https://github.com/wsargent/docker-cheat-sheet

Network configuration
https://docs.docker.com/articles/networking/

Linking containers together
https://docs.docker.com/userguide/dockerlinks/

Tuesday, March 10, 2015

EJBCA with openSSL CMP


https://download.primekey.se/public/ejbcav6ce-vm.zip
EJBCA CE v6.2.0
v4.3.24 r98716 can import the ovf.


ERROR: https://ejbca:8443/ejbca can only be reached from localhost; connecting from another host results in ssl_error_bad_cert_alert.
FIX:
According to /home/ejbca/ejbca_ce_6_2_0/conf/web.properties.sample:
The private port: JBoss listens for https on 8443, client cert required
https://ejbca:8443/ejbca/
https://ejbca:8443/ejbca/adminweb/

The public port JBoss will listen to http on 8080 (no SSL, no client cert)
http://ejbca:8080/ejbca/
http://ejbca:8080/ejbca/adminweb/ (Authorization failed, client certificate required)

The public port JBoss will listen to https on 8442, no client cert required
https://ejbca:8442/ejbca/
https://ejbca:8442/ejbca/adminweb/ (Authorization failed, client certificate required)

Admin Web always requires a client cert.
Public Web can be reached over http (8080) or https (8442).



CMP - Admin Guide
http://ejbca.org/docs/adminguide.html#CMP


Build cmpclient as described here:
http://mkl-note.blogspot.tw/2015/03/cmpforopenssl.html

In ./cmpforopenssl-code/src/openssl/apps:
  1. Get CA cert (ManagementCA.pem)
    [EJBCA public Web] -> [Fetch CA certificates] -> [CA certificate: Download as PEM]
    cp ~/Downloads/ManagementCA.pem  .
    Or (not sure whether this link works for everyone):
    wget -O ManagementCA.pem "http://ejbca:8080/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3dManagementCA%2cO%3dEJBCA+Sample%2cC%3dSE&level=0"
  2. Prepare environment for openssl
    mkdir -p ../../../ssl; ln -s ../src/openssl/apps/openssl.cnf ../../../ssl/openssl.cnf
    (the link lives in cmpforopenssl-code/ssl and its target is relative to that directory, which is the src/../ssl/openssl.cnf path openssl reports below)

CMP for OpenSSL - Admin Guide
http://ejbca.org/docs/adminguide.html#CMP%20for%20OpenSSL

RA mode

  1. Generate private key
    openssl genrsa  -out key1.pem 2048
  2. Passed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/opensslra -srvcert ManagementCA.pem -user NewUser -pass password -certout clcert1.pem -newkey key1.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    SUCCESS: validating protection of incoming message
    INFO: Sending Certificate Confirm
    SUCCESS: validating protection of incoming message
    saving certificate to 'clcert1.pem'...


Client mode, HMAC password authentication

  1. Generate private key
    openssl genrsa  -out key2.pem 2048
  2. Passed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/opensslclient -srvcert ManagementCA.pem -user user1 -pass password -certout clcert2.pem -newkey key2.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    SUCCESS: validating protection of incoming message
    INFO: Sending Certificate Confirm
    SUCCESS: validating protection of incoming message
    saving certificate to 'clcert2.pem'...

Client mode, client certificate authentication

  1. Generate private key
    openssl genrsa  -out key3.pem 2048
  2. Failed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/openssleec -srvcert ManagementCA.pem -cert clcert2.pem -key key2.pem -certout clcert3.pem -newkey key3.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    140361658017440:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: user1."

  3. $ bin/ejbca.sh ra setclearpwd user1 password
    SETTING: --username as user1
    SETTING: --password as password
    Setting clear text password for user user1
    $ bin/ejbca.sh ra setendentitystatus user1 10
    SETTING: --username as user1
    SETTING: -S as 10
    New status for end entity user1 is 10
  4. Passed
    $ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/openssleec -srvcert ManagementCA.pem -cert clcert2.pem -key key2.pem -certout clcert3.pem -newkey key3.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
    Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
    INFO: Sending Initialization Request
    SUCCESS: validating protection of incoming message
    INFO: Sending Certificate Confirm
    SUCCESS: validating protection of incoming message
    saving certificate to 'clcert3.pem'...

Client mode, Vendor certificate authentication
Not tested, since it is EJBCA Enterprise only.


Using Key Update Request instead of Initialization Request
RA mode: failed

openssl cmp -cmd kur -server $SERVER:8080 -path ejbca/publicweb/cmp/opensslra -srvcert $CACERT -user NewUser -pass password -cert $MYCERT -key $MYKEY -certout ${MYCERT}1 -newkey $MYKEY -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE"
WARNING: can't open config file: /home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
Using configuration from /home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
error loading the config file '/home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf'
INFO: Sending Key Update Request
3075856008:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:724:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: EndEnityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate authentication module has to be set and config
[CMP Configuration] -> [Edit CMP Alias: opensslra]
CMP Response Protection: pbe -> signature
CMP Authentication Module: enable EndEntityCertificate
Automatic Key Update: Allow

openssl cmp -cmd kur -server 192.168.110.120:8080 -srvcert /etc/ipsec.d/cacerts/cacert.pem -cert /etc/ipsec.d/certs/mycert.pem.old -key /etc/ipsec.d/private/mykey.pem -certout /etc/ipsec.d/certs/mycert.pem -newkey /etc/ipsec.d/private/mykey.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE" -user NewUser -pass password -path ejbca/publicweb/cmp/opensslra                   
Using configuration from /usr/openssl.cnf                                      
INFO: Sending Key Update Request                                               
1099268871952:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: 'CN=NewUser,O=My Organization,C=SE' is not an authorized administrator."

Verifications in EndEntityCertificate Authentication Module: Omit

openssl cmp -cmd kur -server 192.168.110.120:8080 -srvcert /etc/ipsec.d/cacerts/cacert.pem -cert /etc/ipsec.d/certs/mycert.pem.old -key /etc/ipsec.d/private/mykey.pem -certout /etc/ipsec.d/certs/mycert.pem -newkey /etc/ipsec.d/private/mykey.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE" -user NewUser -pass password -path ejbca/publicweb/cmp/opensslra                   
Using configuration from /usr/openssl.cnf                                      
INFO: Sending Key Update Request                                               
1099117520656:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Omitting some verifications can only be accepted in RA mode and when the CMP request has already been authenticated, for example, through the use of NestedMessageContent"






Monday, March 2, 2015

Optical fiber



Optical fiber connector - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Optical_fiber_connector

HP X120 1G SFP RJ45 T Transceiver - Transceivers - HP: JD089B
http://h30094.www3.hp.com/product.aspx?sku=10256625&pagemode=ca

10 Gigabit Ethernet - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/10_Gigabit_Ethernet#Physical_layer_modules

Sunday, March 1, 2015

cmpforopenssl

http://sourceforge.net/projects/cmpforopenssl/
 
Forked at https://github.com/mkl0301/cmpforopenssl/

sudo apt-get install libidn11-dev
make cmpclient

sudo apt-get install libpcre3-dev libsqlite3-dev libcurl4-openssl-dev unixODBC-dev
make



Running Server
sudo apt-get install unixodbc unixodbc-bin libmyodbc mysql-server

MySQL: adding users and setting permissions (notes)
http://blog.toright.com/posts/1214/mysql-%E6%96%B0%E5%A2%9E%E4%BD%BF%E7%94%A8%E8%80%85%E8%88%87%E6%AC%8A%E9%99%90%E8%A8%AD%E5%AE%9A-%E7%AD%86%E8%A8%98.html
Important MySQL syntax
http://mail.hmes.kh.edu.tw/~jona/redhat/mysqlphp/mysqlsyntax.htm

mysql -uroot -p
use mysql;
INSERT INTO user(host,user,password) VALUES('%','odbc',password('odbcpwd'));
GRANT ALL ON *.* TO 'odbc'@localhost IDENTIFIED BY 'odbcpwd' WITH GRANT OPTION;
FLUSH PRIVILEGES;

CREATE DATABASE odbc;

Check the path of libmyodbc.so:
# dpkg-query -L libmyodbc
(..................)
/usr/lib/i386-linux-gnu/odbc/libmyodbc.so

Edit /etc/odbc.ini, add the following with the driver path from previous step:
[myodbc]
Driver       = /usr/lib/i386-linux-gnu/odbc/libmyodbc.so
Description  = MySQL ODBC 2.50 Driver DSN
SERVER       = localhost
PORT         = 3306
USER         = odbc
Password     = odbcpwd
Database     = odbc
OPTION       = 3
SOCKET       =

# ./srv_create_ca_cert.sh
./../bin/cmpserver-cl --createcert --cacert ./../certs/ca_cert.der --key ./../certs/ca_key.p15 --country DE --organization NSN --unit PG RDE 3 --commonname Martin's CA
SUCCESS init
SUCCESS add random
SUCCESS open keyset
SUCCESS creating Context
SUCCESS setting Attribute CRYPT_CTXINFO_LABEL
SUCCESS generating Key
SUCCESS creating the certificate
SUCCESS setting the CRYPT_CERTINFO_SUBJECTPUBLICKEYINFO attribute
SUCCESS setting the CRYPT_CERTINFO_COUNTRYNAME attribute
SUCCESS setting the CRYPT_CERTINFO_ORGANIZATIONNAME attribute
SUCCESS setting the CRYPT_CERTINFO_ORGANIZATIONALUNITNAME attribute
SUCCESS setting the CRYPT_CERTINFO_COMMONNAME attribute
SUCCESS setting the validity
SUCCESS setting the CRYPT_CERTINFO_SELFSIGNED attribute
SUCCESS setting the CRYPT_CERTINFO_CA attribute
SUCCESS signing the certificate
SUCCESS storing the private key
SUCCESS setting Certificat to be trusted
SUCCESS storing the public key
SUCCESS export Certificate - checking certMaxLength
SUCCESS export Certificate
SUCCESS Destroying the certificate
SUCCESS destroying context
SUCCESS close keyset
SUCCESS shutting down cryptlib
HINT:
  Don't forget to copy "./../certs/ca_cert.der" to the certs-directory
  of the client if it is different from this installation!

# ./srv_add_pki_usr.sh
./../bin/cmpserver-cl --createuser --country DE --organization NSN --unit PG RDE 312280 --commonname Martin Peylo
SUCCESS init
SUCCESS add random
SUCCESS open certstore
INFO: Creating PKI User COUNTRY:"DE" ORG:"NSN" UNIT:"PG RDE 319273" CN:"Martin Peylo"
SUCCESS creating certificate
SUCCESS storing the PKI User
User= CUF8T-BY2NY-WDB34
Password= VSZQH-3JZ8S-8FYJD-95V5H
RevPW= 7PCRB-2USY6-CFXGZ-NVGCX
DECODED, HEX: User= 8BE886D865A830E740
Password= 2EE3E517F43C5B207FDCF670
RevPW= 44F0E250B7045A9AEC998550
SUCCESS destroying certificate
SUCCESS close certstore
SUCCESS shutting down cryptlib

# ./srv_run_daemon.sh
./../bin/cmpserver-cl --daemon --server 192.168.1.107 --port 4711 --cacert ./../certs/ca_cert.der --key ./../certs/ca_key.p15
SUCCESS init
SUCCESS add random
SUCCESS open certstore
SUCCESS open keyset
INFO: Starting CMP Server, serverName=192.168.1.107, serverPort=4711
SUCCESS get the private Key
SUCCESS create CMP Server
SUCCESS set attribute for certStore
SUCCESS set attribute for private Key
SUCCESS set attribute for server Address
SUCCESS set attribute for server Port


Error: Segmentation fault while running srv_add_pki_usr.sh
64-bit Ubuntu 14.04.2,
$ ./srv_add_pki_usr.sh
./../bin/cmpserver-cl --createuser --country DE --organization NSN --unit PG RDE 327804 --commonname Martin Peylo
SUCCESS init
SUCCESS add random
SUCCESS open certstore
INFO: Creating PKI User COUNTRY:"DE" ORG:"NSN" UNIT:"PG RDE 39791" CN:"Martin Peylo"
SUCCESS creating certificate
./srv_add_pki_usr.sh: line 13: 24173 Segmentation fault      (core dumped) ${CMPSERVER} --createuser --country "${COUNTRY}" --organization "${ORG}" --unit "${UNIT}$RANDOM" --commonname "${CN}"
FIX: this issue did not happen on 32-bit Ubuntu 12.04.3, so the root cause is likely 64-bit specific.

ERROR: User ID provided by client isn't a cryptlib user ID

# ./do_ossl_ir.sh CUF8T-BY2NY-WDB34 VSZQH-3JZ8S-8FYJD-95V5H
+ ./../bin/cmpclient --ir --server 192.168.1.107 --port 4711 --srvcert ./../certs/ca_cert.der --newkey ./../certs/cl_key.pem --newkeypass password --newclcert ./../certs/cl_cert.der --user CUF8T-BY2NY-WDB34 --password VSZQH-3JZ8S-8FYJD-95V5H
INFO: Reading DER Certificate from File ./../certs/ca_cert.der
SUCCESS: BIO_new
INFO: Using existing key file "./../certs/cl_key.pem"
INFO: Reading Public Key from File ./../certs/cl_key.pem
INFO: the passphrase is "password"...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
3075692168:error:33080064:CRMF routines:CRMF_CERTREQMSG_set1_subject:crmferror:crmf_lib.c:509:
3075692168:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: signerNotTrusted"
+ set +x
And server shows:
ERROR set attribute CMP session active  - in FILE: cmpserver-cl.c, LINE 365, status=-22
trying to get the Errorstring:
get errorStringLength:
The ErrorStringLength:51
get errorString:
The ErrorString: User ID provided by client isn't a cryptlib user ID
SUCCESS destroy private Key
SUCCESS destroy session
INFO: Starting CMP Server, serverName=192.168.1.107, serverPort=4711
SUCCESS get the private Key
SUCCESS create CMP Server
SUCCESS set attribute for certStore
SUCCESS set attribute for private Key
SUCCESS set attribute for server Address
SUCCESS set attribute for server Port
Neither does "/do_ossl_ir.sh CUF8T-BY2NY-WDB34 VSZQH-3JZ8S-8FYJD-95V5H" work.
FIX:

cryptlib-340/session/cmp_rd.c, updateUserID(), protocolInfo->userIDsize should be 9.

Use the "DECODED" hex string, converted to raw bytes, as the user ID and password, for example:
./do_ossl_ir.sh $(echo -en '\xD5\x79\xE9\x07\x16\xAD\x06\x42\x60') $(echo -en '\x57\x06\x2E\x02\xEA\x2A\x4E\x85\xFA\xEE\x52\xE0')
https://github.com/mkl0301/cmpforopenssl/commit/b7c446f264b402074aa9c6af8c7d8842be3ff24c


Error: Server core dump again...

# ./do_ossl_ir.sh 8BE886D865A830E740 2EE3E517F43C5B207FDCF670
+ ./../bin/cmpclient --ir --server 192.168.1.107 --port 4711 --srvcert ./../certs/ca_cert.der --newkey ./../certs/cl_key.pem --newkeypass password --newclcert ./../certs/cl_cert.der --user $'\213\350\206\330e\2500\347@' --password '.�� �<[ ��p'
INFO: Reading DER Certificate from File ./../certs/ca_cert.der
SUCCESS: BIO_new
INFO: Using existing key file "./../certs/cl_key.pem"
INFO: Reading Public Key from File ./../certs/cl_key.pem
INFO: the passphrase is "password"...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
3075499656:error:33080064:CRMF routines:CRMF_CERTREQMSG_set1_subject:crmferror:crmf_lib.c:509:
3075499656:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: duplicateCertReq"
+ set +x
And server core dumped(cryptlib debug enabled):
SVR: Reading message type 26.
SVR: Read new userID.
SVR: Read initial transID.
SVR: Read initial MAC params with salt, 500 iterations.
SVR: Writing message body type 1.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing userID.
SVR: Writing message body type 5.
SVR: Writing userID.
keyset/odbc.c:getErrorInfo:397: Couldn't read error information from database backend.
cmpserver-cl: keyset/odbc.c:398: getErrorInfo: Assertion `0' failed.
./srv_run_daemon.sh: line 12: 13306 Aborted                 (core dumped) ${CMPSERVER} --daemon --server ${SERVER} --port ${PORT} --cacert ${CACERT} --key ${CAKEY}
FIX:
It occurred to me that the libmyodbc installed by Ubuntu 12.04 is version 5.1.10-1, while the README uses libmyodbc3.so. So I decided to rebuild libmyodbc3.

sudo apt-get install libmysqlclient-dev
(libmyodbc3 requires mysql_config)

http://cdn.mysql.com/Downloads/Connector-ODBC/3.51/mysql-connector-odbc-3.51.30-src.tar.gz
./configure --enable-test=no
make

Change the /etc/odbc.ini:
Driver       = /path/to/mysql-connector-odbc-3.51.30-src/driver/.libs/libmyodbc3.so
Purge the database and run again; then this issue is gone!! (but another issue awaits...)

ERROR:
# ./do_ossl_ir.sh 250660288E8F818C80 DD1574745262358B34341A70
+ ./../bin/cmpclient --ir --server 192.168.1.107 --port 4711 --srvcert ./../certs/ca_cert.der --newkey ./../certs/cl_key.pem --newkeypass password --newclcert ./../certs/cl_cert.der --user '% `(���' --password $'\335\025ttRb5\21344\032p'
INFO: Reading DER Certificate from File ./../certs/ca_cert.der
SUCCESS: BIO_new
INFO: Using existing key file "./../certs/cl_key.pem"
INFO: Reading Public Key from File ./../certs/cl_key.pem
INFO: the passphrase is "password"...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
SUCCESS: validating protection of incoming message
INFO: Sending Certificate Confirm

ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
3075491464:error:33080064:CRMF routines:CRMF_CERTREQMSG_set1_subject:crmferror:crmf_lib.c:509:
3075491464:error:3209D090:CMP routines:CMP_PKIMESSAGE_http_perform:server not reachable:cmp_http.c:893:56:Failure when receiving data from the peer:unable to send certConf
+ set +x
And server reported(cryptlib debug enabled):
SVR: Reading message type 26.
SVR: Read new userID.
SVR: Read initial transID.
SVR: Read initial MAC params with salt, 500 iterations.
SVR: Writing message body type 1.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing MAC params with salt, 500 iterations.
SVR: Writing userID.
SVR: Writing message body type 5.
SVR: Writing userID.
ERROR set attribute CMP session active  - in FILE: cmpserver-cl.c, LINE 365, status=-41
trying to get the Errorstring:
get errorStringLength:
The ErrorStringLength:78
get errorString:
The ErrorString: No data was read because the remote system closed the connection (recv() == 0)
Facts:
  1. The first IR (type0/26 stands for any) and IP(type1) is sent and received successfully.
  2. client has sent the certConf
  3. ??server CANNOT receive anything??
  4. ??From server side message, server sent another type 5(CMPBODY_ERROR), but nothing reached wire??
  5. ??server actively close the socket (FIN is sent by server)?? 

The server side failed in cryptlib-340/session/cmp_svr.c: serverTransact(), while reading the data of CTAG_PB_CERTCONF; nothing is received. I tried a while loop but nothing could be received. From the packet capture, the server had received the certConf, ACKed it, and even sent a FIN, but nothing arrived in software.

 (Stuck)




ftp://ftp.franken.de/pub/crypt/cryptlib/manual.pdf
cryptlib uses a standard format for the user ID and password that follows the style used for software registration codes and serial numbers. The user ID is in the form XXXXX-XXXXX-XXXXX and the password is in the form XXXXX-XXXXX-XXXXX-XXXXX. Characters that might cause confusion (for example O and 0 or 1 and l) aren’t present, and the data contains a checksum which is used to catch typing errors when the user enters the information.
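Since the srv_add_pki_usr.sh output above prints each user ID and password next to its DECODED hex, the encoding that the "convert the hex to raw bytes" fix relies on can be reconstructed from those pairs, and the manual's description of the XXXXX-XXXXX-XXXXX format fits it. The following is an added example, not code from this post, from cryptlib or from cmpforopenssl: the alphabet and bit layout are inferred from the sample data (both pairs on this page round-trip), the first byte is treated as the checksum that cryptlib strips, and the checksum algorithm itself is not reproduced, so the byte is returned for the caller to compare rather than verified.

```python
"""Decode and re-encode cryptlib-style PKI user IDs and passwords.

Added example; not code from the page, cryptlib or cmpforopenssl. Scheme
reconstructed from the sample pairs above (CUF8T-BY2NY-WDB34 <->
8BE886D865A830E740, VSZQH-3JZ8S-8FYJD-95V5H <-> 2EE3E517F43C5B207FDCF670):
each character is 5 bits of a 32-symbol alphabet without the confusable
I, O, 0 and 1; the first 8 bits are a checksum byte that cryptlib strips;
the remaining bits are left-aligned into whole bytes, so a 15-character
user ID yields 9 bytes and a 20-character password 12 bytes (which is the
userIDsize of 9 the fix above patches in). The checksum algorithm is not
reproduced here; the byte is returned for the caller to check.
"""

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 24 letters + digits 2-9 = 32 symbols


def decode_pki_value(text):
    """'CUF8T-BY2NY-WDB34' -> (checksum_byte, payload_bytes)."""
    cleaned = text.replace("-", "").upper()
    bits, nbits = 0, 0
    for ch in cleaned:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("character %r is not in the cryptlib alphabet" % ch)
        bits = (bits << 5) | idx
        nbits += 5
    pad = (-nbits) % 8                      # left-align the bit string into bytes
    raw = (bits << pad).to_bytes((nbits + pad) // 8, "big")
    return raw[0], raw[1:]


def encode_pki_value(checksum_byte, payload, nchars):
    """Inverse of decode_pki_value: the first nchars*5 bits of
    checksum||payload as 5-bit groups, with a dash every five characters."""
    raw = bytes([checksum_byte]) + bytes(payload)
    total_bits = len(raw) * 8
    if nchars * 5 > total_bits:
        raise ValueError("payload too short for %d characters" % nchars)
    bits = int.from_bytes(raw, "big") >> (total_bits - nchars * 5)
    chars = [ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)]
    text = "".join(chars)
    return "-".join(text[i:i + 5] for i in range(0, nchars, 5))


def shell_escape(payload):
    """The \\xNN form that the fix above feeds to `echo -en`."""
    return "".join("\\x%02X" % b for b in payload)


if __name__ == "__main__":
    for code in ("CUF8T-BY2NY-WDB34", "VSZQH-3JZ8S-8FYJD-95V5H"):
        chk, payload = decode_pki_value(code)
        print("%-24s checksum=0x%02X payload=%s (%d bytes) shell=%s" % (
            code, chk, payload.hex().upper(), len(payload), shell_escape(payload)))
```

Because the decoder rejects characters outside the alphabet, a mistyped O or 0 is caught before the value is ever handed to cmpclient, which is the same class of typing error the manual says the checksum exists for.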

Error in running openssl cmp client
http://ejbca-develop.narkive.com/GiMkYheS/error-in-running-openssl-cmp-client
/root/sriram/cmpforopenssl-code/src/openssl-1.0.1e-cmp/apps/openssl cmp -cmd ir -server 10.206.1.3:8080 -path ejbca/publicweb/cmp -srvcert certs/ManagementCA.pem -user cmptest -pass CMP-pwd -newkey certs/cl_key.pem -certout certs/cl_cert.pem -subject "/CN=cmptest"
Getting error using CMP client with EJBCA
http://comments.gmane.org/gmane.comp.java.ejbca.devel/4541
ejbca:~/cmpforopenssl-code-766/src/openssl-client$ ./cmpclient --server localhost --port 8080 --path ejbca/public/cmp --srvcert ManagementCA.cacert.pem --ir --user vmware --password vmware --newclcert user1.der --newkey user_key.pem --subject "CN=vmware,C=SC"

Friday, January 23, 2015

Save password in Subversion


Enable the following options in ~/.subversion/config and /etc/.subversion/config:

store-passwords = yes
store-auth-creds = yes
And in ~/.subversion/servers and /etc/.subversion/config:
store-passwords = yes
store-ssl-client-cert-pp = yes
store-plaintext-passwords = yes
store-ssl-client-cert-pp-plaintext = yes

For some unknown reason, my ~/.subversion became the following (I don't remember ever having run svn with sudo...):
drwx------  6 root root 4.0K  1月 20 21:18 auth
-rw-r--r--  1 root root 7.7K  1月 23 21:38 config
-rw-r--r--  1 root root 4.2K  1月 20 21:18 README.txt
-rw-r--r--  1 root root 8.2K  1月 23 21:39 servers
This prevents svn from storing/reading the password to/from the auth directory. The following fixed my problem:
chown test:test ~/.subversion -R; chmod +r ~/.subversion/auth -R
It's just too stupid; I don't want to waste my time on this again.....


svn - How to save password when using Subversion from the console - Stack Overflow
http://stackoverflow.com/questions/2899209/how-to-save-password-when-using-subversion-from-the-console

SVN not storing password
http://www.wandisco.com/svnforum/threads/62783-SVN-not-storing-password