四台虚拟机ABCD,三段Host Only虚拟网络vmnet2、vmnet3、vmnet4,DHCP都禁掉。
A
vmnet2: 10.1.0.10/24 gw 10.1.0.2
B
vmnet2: 10.1.0.2/24
vmnet3: 192.168.0.2/24
C
vmnet3: 192.168.0.3/24
vmnet4: 10.2.0.2/24
D
vmnet4: 10.2.0.10/24 gw 10.2.0.2
BC两台上下载编译安装strongswan 5.4.0,其版本信息可在config.h中辨认。
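#!/usr/bin/env bash
# Build strongSwan 5.4.0 from source on gateways B and C.
# Must run as root (apt-get, make install). Binaries land under
# ./installed, but /etc stays the configuration directory so the
# ipsec.conf / ipsec.secrets / strongswan.conf written later are found.
set -euo pipefail

readonly version='5.4.0'
readonly tarball="strongswan-${version}.tar.bz2"
# Fetch over TLS rather than plain HTTP so the archive cannot be swapped
# in transit.
readonly url="https://download.strongswan.org/${tarball}"

# Build dependencies for --enable-gmp and --enable-openssl.
apt-get install -y libgmp-dev libssl-dev

wget "$url"
# TODO(review): the project publishes a detached PGP signature next to
# each tarball; verify it (gpg --verify) against the strongSwan release
# key before building.

tar -jxf "$tarball"
# configure/make only work from inside the extracted source tree.
cd "strongswan-${version}"
./configure --sysconfdir=/etc --enable-openssl --enable-gmp \
  --prefix="$(pwd)/installed"
make
make install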
BC两虚拟机都指向同一个共享文件夹share。
在B中生成证书
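#!/usr/bin/env bash
# Generate a lab CA plus gateway and client key pairs for B (moon) and
# C (sun) with strongSwan's pki tool, then hand the directory to the
# VMware shared folder both VMs mount.
set -euo pipefail

readonly share='/mnt/hgfs/share'
readonly dn_base='C=CN, O=NetworkLab'

# Private keys are written below; create them owner-readable only
# instead of fixing permissions afterwards.
umask 077

mkdir cert
cd cert

# CA key and self-signed CA certificate.
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "${dn_base}, CN=NetworkLab CA" --ca \
  --outform pem > ca.cert.pem

#######################################
# Create a key pair and a CA-issued certificate for it.
# Arguments: $1 - file stem (e.g. sun.server)
#            $2 - CN of the subject
#            $@ - extra 'pki --issue' options (SAN, flags)
# Outputs:   <stem>.pem (private key), <stem>.cert.pem (certificate)
#######################################
issue() {
  local stem=$1 cn=$2
  shift 2
  ipsec pki --gen --outform pem > "${stem}.pem"
  ipsec pki --pub --in "${stem}.pem" \
    | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem \
        --dn "${dn_base}, CN=${cn}" "$@" --outform pem > "${stem}.cert.pem"
}

# Gateway certificates: the SAN must match the leftid/rightid configured
# in ipsec.conf (@sun.com / @moon.com).
issue sun.server  sun.com  --san=sun.com  --flag serverAuth --flag ikeIntermediate
issue moon.server moon.com --san=moon.com --flag serverAuth --flag ikeIntermediate
# Client certificates (both share the CN "client").
issue sun.client  client
issue moon.client client

# Back to the parent so the directory itself can be moved.
cd ..
# NOTE(review): this also puts ca.pem (the CA private key) on a folder
# the host can read; remove it from the share once both VMs have their
# files.
mv cert "${share}/"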
B中安装证书
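#!/usr/bin/env bash
# Install the lab certificates on B (moon gateway): the CA certificate,
# B's own gateway certificate/key, and the client certificate/key it
# presents towards C.
set -euo pipefail

readonly src='/mnt/hgfs/share/cert'
readonly ipsec_d='/etc/ipsec.d'

# CA certificate used to validate the peer's gateway certificate.
install -m 0644 "${src}/ca.cert.pem" "${ipsec_d}/cacerts/"
# Public certificates.
install -m 0644 "${src}/moon.server.cert.pem" "${src}/sun.client.cert.pem" \
  "${ipsec_d}/certs/"
# Private keys: never world-readable, whatever mode the share gave them.
install -m 0600 "${src}/moon.server.pem" "${src}/sun.client.pem" \
  "${ipsec_d}/private/"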
C中安装证书
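#!/usr/bin/env bash
# Install the lab certificates on C (sun gateway): the CA certificate,
# C's own gateway certificate/key, and the client certificate/key it
# presents towards B.
set -euo pipefail

readonly src='/mnt/hgfs/share/cert'
readonly ipsec_d='/etc/ipsec.d'

# CA certificate used to validate the peer's gateway certificate.
install -m 0644 "${src}/ca.cert.pem" "${ipsec_d}/cacerts/"
# Public certificates.
install -m 0644 "${src}/sun.server.cert.pem" "${src}/moon.client.cert.pem" \
  "${ipsec_d}/certs/"
# Private keys: never world-readable, whatever mode the share gave them.
install -m 0600 "${src}/sun.server.pem" "${src}/moon.client.pem" \
  "${ipsec_d}/private/"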
B中配置
/etc/ipsec.conf
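# /etc/ipsec.conf on B (moon gateway, 192.168.0.2).
# Parameters of a section must be indented: a line starting in column 0
# begins a new section, so an unindented file does not parse.
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

# Certificate-based site-to-site tunnel (IKEv2, RSA).
# leftid/rightid must match the SAN in the gateway certificates.
conn net-net-rsa
    left=192.168.0.2
    leftcert=moon.server.cert.pem
    leftsubnet=10.1.0.0/24
    leftid=@moon.com
    leftfirewall=yes
    right=192.168.0.3
    rightsubnet=10.2.0.0/24
    rightid=@sun.com
    auto=add

# Pre-shared-key tunnel (IKEv1; the PSK comes from ipsec.secrets).
# The /16 subnets here are broader than the /24 used by net-net-rsa.
conn net-net-psk
    keyexchange=ikev1
    authby=secret
    left=192.168.0.2
    leftsubnet=10.1.0.0/16
    leftid=@xxx.server.com
    leftfirewall=yes
    right=192.168.0.3
    rightsubnet=10.2.0.0/16
    rightid=@yyy.server.com
    # NOTE(review): sha1 and modp1024 (DH group 2) are below current
    # recommendations; outside this lab prefer e.g. aes256-sha256-modp2048,
    # set identically on both peers.
    ike=aes-sha1-modp1024
    esp=aes-sha1-modp1024
    auto=route
    type=tunnel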
/etc/ipsec.secrets
# /etc/ipsec.secrets on B. Keep this file mode 0600, root-owned.
# PSK shared by the two IKEv1 identities of conn net-net-psk.
# NOTE(review): "hello" is a lab placeholder; use a long random secret
# for anything beyond this setup.
@xxx.server.com @yyy.server.com : PSK hello
# RSA private key for conn net-net-rsa (relative name, resolved under
# /etc/ipsec.d/private).
: RSA moon.server.pem
/etc/strongswan.conf
# /etc/strongswan.conf on B: charon daemon settings.
charon {
# Per-plugin load settings come from the included per-plugin files
# rather than from a single plugin list here.
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
# Remaining daemon/tool sections live in strongswan.d/.
include strongswan.d/*.conf
C中配置
/etc/ipsec.conf
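# /etc/ipsec.conf on C (sun gateway, 192.168.0.3).
# Parameters of a section must be indented: a line starting in column 0
# begins a new section, so an unindented file does not parse.
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

# Certificate-based site-to-site tunnel (IKEv2, RSA).
# leftid/rightid must match the SAN in the gateway certificates.
conn net-net-rsa
    left=192.168.0.3
    leftcert=sun.server.cert.pem
    leftsubnet=10.2.0.0/24
    leftid=@sun.com
    leftfirewall=yes
    right=192.168.0.2
    rightsubnet=10.1.0.0/24
    rightid=@moon.com
    auto=add

# Pre-shared-key tunnel (IKEv1; the PSK comes from ipsec.secrets).
# The /16 subnets here are broader than the /24 used by net-net-rsa.
conn net-net-psk
    keyexchange=ikev1
    authby=secret
    left=192.168.0.3
    leftsubnet=10.2.0.0/16
    leftid=@yyy.server.com
    leftfirewall=yes
    right=192.168.0.2
    rightsubnet=10.1.0.0/16
    rightid=@xxx.server.com
    # NOTE(review): sha1 and modp1024 (DH group 2) are below current
    # recommendations; outside this lab prefer e.g. aes256-sha256-modp2048,
    # set identically on both peers.
    ike=aes-sha1-modp1024
    esp=aes-sha1-modp1024
    auto=route
    type=tunnel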
/etc/ipsec.secrets
# /etc/ipsec.secrets on C. Keep this file mode 0600, root-owned.
# PSK shared by the two IKEv1 identities of conn net-net-psk; it must be
# the same value as on B.
# NOTE(review): "hello" is a lab placeholder; use a long random secret
# for anything beyond this setup.
@xxx.server.com @yyy.server.com : PSK hello
# RSA private key for conn net-net-rsa (relative name, resolved under
# /etc/ipsec.d/private).
: RSA sun.server.pem
/etc/strongswan.conf
# /etc/strongswan.conf on C: charon daemon settings (same as on B).
charon {
# Per-plugin load settings come from the included per-plugin files
# rather than from a single plugin list here.
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
# Remaining daemon/tool sections live in strongswan.d/.
include strongswan.d/*.conf
到此为止,在B、C两台机器上都运行以下命令:
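#!/usr/bin/env bash
# Bring up the site-to-site tunnel on B and C.
# Usage: up.sh [rsa|psk]   (default: rsa)
#   rsa -> conn net-net-rsa (IKEv2, certificates)
#   psk -> conn net-net-psk (IKEv1, pre-shared key)
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

mode=${1:-rsa}
case "$mode" in
  rsa|psk) ;;
  *) die "usage: ${0##*/} [rsa|psk]" ;;
esac

# The gateways forward between their LAN side and the tunnel. This does
# not survive a reboot; persist it via sysctl.conf if needed.
sysctl -w net.ipv4.ip_forward=1

# Start the daemon detached: with --nofork the starter keeps the
# foreground and the 'ipsec up' below would never be reached.
ipsec restart

# Give charon a moment to come up before talking to it (best effort;
# falls through after ~10 s and lets 'ipsec up' report the error).
for _ in {1..10}; do
  ipsec status >/dev/null 2>&1 && break
  sleep 1
done

ipsec up "net-net-${mode}"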
最后在A中ping机器D。
refer to:
https://www.strongswan.org/
https://blog.csdn.net/puppylpg/article/details/64918562
http://www.hqyman.cn/post/543.html
https://www.cnblogs.com/hugetong/p/10150992.html