tlspool
2 months agoIntegration doc for containers and systemd master
Rick van Rein [Tue, 30 Jul 2019 08:33:04 +0000 (10:33 +0200)]
Integration doc for containers and systemd
TLS Tunnel would not work; TLS Proxy as a better alternative.
Effectively changing fd2=accept(fd) into fd2=tlspool_accept(fd,&tlsdata)
and passing TLS Pool messages to hold the fd2 instead of using plain
TCP/UDP/SCTP socket operations.  This means the tlsdata can also be
exchanged, and that future negotiations are possible with the control key.

2 months agoMerge pull request #133 from hfmanson/apache-mod
vanrein [Sat, 20 Jul 2019 09:35:44 +0000 (11:35 +0200)]
Merge pull request #133 from hfmanson/apache-mod

applied gnutls-abruptly-dropped-pgp.patch, file-based client cert, baton field

2 months agoclient .p12 certificate, PGP removed from TLS 1.3
Henri Manson [Fri, 19 Jul 2019 10:18:56 +0000 (10:18 +0000)]
client .p12 certificate, PGP removed from TLS 1.3

4 months agoMerge pull request #130 from hfmanson/select
vanrein [Sat, 25 May 2019 05:35:33 +0000 (07:35 +0200)]
Merge pull request #130 from hfmanson/select

timeout needs to reinitialized before each select

4 months agotimeout needs to reinitialized before each select
Henri Manson [Fri, 24 May 2019 21:55:26 +0000 (21:55 +0000)]
timeout needs to reinitialized before each select

4 months agoMerge pull request #129 from hfmanson/select
vanrein [Fri, 24 May 2019 19:56:56 +0000 (21:56 +0200)]
Merge pull request #129 from hfmanson/select

use select instead of poll in copycat function

4 months agoset eset inside while
Henri Manson [Fri, 24 May 2019 19:54:36 +0000 (19:54 +0000)]
set eset inside while

4 months agoselect timeout, break on exception on any selected fd
Henri Manson [Fri, 24 May 2019 14:14:15 +0000 (14:14 +0000)]
select timeout, break on exception on any selected fd

4 months agoclient fd exception
Henri Manson [Fri, 24 May 2019 09:51:16 +0000 (09:51 +0000)]
client fd exception

4 months agoMerge pull request #128 from arpa2/bug-fixes
vanrein [Tue, 21 May 2019 13:56:05 +0000 (15:56 +0200)]
Merge pull request #128 from arpa2/bug-fixes

Bug fixes: Quick DER upgrade, absolution for tlspool.conf

4 months agoMade configuration depend on CMake variables
Rick van Rein [Tue, 21 May 2019 12:20:12 +0000 (12:20 +0000)]
Made configuration depend on CMake variables
 - added etc/tlspool.conf.in
 - mapping it to src/tlspool.conf
 - installing it in SYSCONFDIR
 - note that this may default to /usr/local/etc not /etc
 - data (such as databases) stored in LOCALSTATEDIR/db/tlspool
 - note that this may default to funny things due to PREFIX settings
 - influence CMAKE_INSTALL_PREFIX to impact all locations at once

5 months agoUpdated TLS Pool to the newest Quick DER
Rick van Rein [Thu, 2 May 2019 12:00:48 +0000 (12:00 +0000)]
Updated TLS Pool to the newest Quick DER
 - Notably, an API-changing bugfix to der_iterate_first/next()
 - Also introduction of der_header2()
 - Also moved from #include <quick-der/api.h> to #include <arpa2/quick-der.h>

5 months agoReverting infoprint that wrongly suggests a bug
Rick van Rein [Thu, 2 May 2019 11:13:01 +0000 (11:13 +0000)]
Reverting infoprint that wrongly suggests a bug
The localid information is never documented to return another value
when it is called with an empty string.  This could be a feature to
desire, especially for handling SNI and wildcards on servers, but
now it looks like a bug and that is not intentional.  The proper
way to get a localid out of the TLS Pool is to process callbacks.
LOCALID_CHECK is early, NAMED_CONNECT is later.  The former will
avoid presenting certificates for non-services, which is the
preferred line of work.

5 months agoFix in the (default, commented) quantum_proof_ variables
Rick van Rein [Thu, 2 May 2019 09:12:30 +0000 (09:12 +0000)]
Fix in the (default, commented) quantum_proof_ variables
Dropped '=' sign.

5 months agoMerge pull request #125 from hfmanson/master
vanrein [Mon, 29 Apr 2019 08:03:24 +0000 (10:03 +0200)]
Merge pull request #125 from hfmanson/master

show local and remote id after tlspool_starttls return

5 months agoshow local and remote id affter tlspool_starttls return
Henri Manson [Sun, 28 Apr 2019 11:19:58 +0000 (11:19 +0000)]
show local and remote id affter tlspool_starttls return

5 months agoMerge pull request #122 from hfmanson/back_to_posix
vanrein [Thu, 18 Apr 2019 18:58:39 +0000 (20:58 +0200)]
Merge pull request #122 from hfmanson/back_to_posix

Back to posix

5 months agoremote pool_handle_t
Henri Manson [Thu, 18 Apr 2019 18:47:07 +0000 (20:47 +0200)]
remote pool_handle_t

6 months agowindows now supports pinentry
Henri Manson [Mon, 15 Apr 2019 15:58:26 +0000 (17:58 +0200)]
windows now supports pinentry

6 months agocorrect configvar in lidentry and pinentry
Henri Manson [Mon, 15 Apr 2019 10:46:14 +0000 (12:46 +0200)]
correct configvar in lidentry and pinentry

6 months agoMerge pull request #119 from arpa2/enhancements
vanrein [Sat, 13 Apr 2019 07:12:26 +0000 (09:12 +0200)]
Merge pull request #119 from arpa2/enhancements

Enhancements: pavlov

6 months agoMerge pull request #117 from hfmanson/poll_trouble
vanrein [Tue, 9 Apr 2019 15:58:20 +0000 (17:58 +0200)]
Merge pull request #117 from hfmanson/poll_trouble

copycat poll improvement -- POLL_HUP works slightly differently on Windows due to POSIX vagueness.

6 months agobool, better sz calculation
Henri Manson [Tue, 9 Apr 2019 14:20:36 +0000 (16:20 +0200)]
bool, better sz calculation

6 months agocopycat poll improvement
Henri Manson [Tue, 9 Apr 2019 11:16:20 +0000 (13:16 +0200)]
copycat poll improvement

6 months agoIntroduced pavlov(3) into tools, and split them up
Rick van Rein [Fri, 5 Apr 2019 12:57:57 +0000 (12:57 +0000)]
Introduced pavlov(3) into tools, and split them up
as per https://github.com/arpa2/tlspool/issues/110

  - testcli/srv/peer no longer exist (by those names)
  - chatcli/srv/peer install as tlspool-chat-xxx
  - chatcli/srv/peer are human-interfacing chat tools
  - tlsclient/server/peer install by their own names
  - tlsclient/server/peer wrap around a Pavlov experience
  - tlsclient/server/peer (future versions) may continue cmd
  - tlstunnel installs as tlstunnel
  - tlstunnel can start a Pavlov interaction for STARTTLS

6 months agoIssue #110, added "pavlov" command and "libpavlov"
Rick van Rein [Thu, 4 Apr 2019 13:04:41 +0000 (13:04 +0000)]
Issue #110, added "pavlov" command and "libpavlov"
 - To be a replacement for chat(8) as a new expect/response
 - To be used in tlstunnel, testcli, testsrv, testpeer
 - May be functional on its own -- given use cases
 - Commands implemented are ?<regex> !<string> @<msdelay>

6 months agoMerge pull request #115 from hfmanson/master
vanrein [Wed, 3 Apr 2019 17:44:46 +0000 (19:44 +0200)]
Merge pull request #115 from hfmanson/master

ca signed certs, fixed web templates

6 months agoimproved certificates
Henri Manson [Wed, 3 Apr 2019 17:39:45 +0000 (17:39 +0000)]
improved certificates

6 months agoMerge pull request #114 from hfmanson/master
vanrein [Wed, 3 Apr 2019 17:29:03 +0000 (19:29 +0200)]
Merge pull request #114 from hfmanson/master

fixed porting errors

6 months agofixed errors in os_sendmsg_command
Henri Manson [Wed, 3 Apr 2019 16:58:40 +0000 (16:58 +0000)]
fixed errors in os_sendmsg_command

6 months agoforgotten error handling
root [Wed, 3 Apr 2019 16:41:02 +0000 (16:41 +0000)]
forgotten error handling

6 months agoMerge pull request #112 from arpa2/fixes
vanrein [Wed, 3 Apr 2019 10:41:05 +0000 (12:41 +0200)]
Merge pull request #112 from arpa2/fixes

Updated the Makefile to allow building testdata

6 months agoUpdated the Makefile to allow building testdata
Rick van Rein [Wed, 3 Apr 2019 10:34:53 +0000 (10:34 +0000)]
Updated the Makefile to allow building testdata
The testdata is there for development purposes, but it is
important.  We use it in our Docker demo context, for instance.
It was broken after the massive update to 0.9.0 and is now
--hopefully-- resurrected.

6 months agoMerge pull request #111 from hfmanson/split_mind
vanrein [Tue, 2 Apr 2019 13:36:35 +0000 (15:36 +0200)]
Merge pull request #111 from hfmanson/split_mind

Split between POSIX specifics and Windows specifics, general code cleanup by Henri, author of the Windows compatibility patches.

6 months agoposix specifics
Henri Manson [Mon, 1 Apr 2019 17:33:27 +0000 (17:33 +0000)]
posix specifics

6 months agoMerge pull request #107 from arpa2/enhancements
vanrein [Thu, 28 Mar 2019 02:56:25 +0000 (03:56 +0100)]
Merge pull request #107 from arpa2/enhancements

Enhancements

6 months agoissue #100, part 2/2, name checking
Rick van Rein [Thu, 28 Mar 2019 02:40:27 +0000 (02:40 +0000)]
issue #100, part 2/2, name checking
Info Query support for SubjectAltName values; these match exactly
against a GeneralName, for which the certificate will be iterated.
Any entry that matches is considered valid, because each statement
of identity of this kinds stands on its own.

6 months agoissue #100, part 1/2, name checking
Rick van Rein [Wed, 27 Mar 2019 15:58:11 +0000 (15:58 +0000)]
issue #100, part 1/2, name checking
Info Query support for the DN in Subject and Issuer fields.
Renumbered PIOK_INFO_ codes (while on a development branch, not master)
because the initial idea to support Subject/Issuer Unique Identities
was squashed by the lyrics in RFC 5280, see the issue ticket.

6 months agoissue #69, channel binding support
Rick van Rein [Wed, 27 Mar 2019 10:42:05 +0000 (10:42 +0000)]
issue #69, channel binding support
Implemented the most important variant, tls-unique.
GnuTLS does not support the other one in RFC 5929,
namely tls-server-end-point, but we might infer that
ourselves --  it is merely a certificate hash.  It
is also less interesting as it cannot distinguish
TLS sesssions, so we will sit and wait if this is
indeed required by anyone.  This closes issue #69.

Two test runs report the same information on both
ends, but different among sessions.  With the
tls-server-end-point, the two test runs would yield
the same outcome.  This is why we are not keen on
carrying the weaker form.

1.
tlspool-test-client: Channel binding info, tls-unique, 12 bytes of 12: 1c 47 7f 50 84 e5 85 c3 50 24 71 06
tlspool-test-server: Channel binding info, tls-unique, 12 bytes of 12: 1c 47 7f 50 84 e5 85 c3 50 24 71 06

2.
tlspool-test-client: Channel binding info, tls-unique, 12 bytes of 12: 18 49 6d a4 b8 c3 fc db 14 9a ba 4b
tlspool-test-server: Channel binding info, tls-unique, 12 bytes of 12: 18 49 6d a4 b8 c3 fc db 14 9a ba 4b

6 months agoissue #69, initial design of commands
Rick van Rein [Tue, 26 Mar 2019 19:05:03 +0000 (19:05 +0000)]
issue #69, initial design of commands
This is the "design" of the commands for info check/query.
It includes a new command code, with a set of values for
kinds of information and a simple protocol to claims, queries,
checks.

6 months agoissue #99, state diagram for applications
Rick van Rein [Tue, 26 Mar 2019 17:35:35 +0000 (17:35 +0000)]
issue #99, state diagram for applications
Added a document, doc/message-flow.md, along with a
state diagram in doc/std-tlspool-starttls.* that
describes what applications usually do to work with
the TLS Pool.

6 months agoissue #104, infra for STARTTLS_DRIVER selection
Rick van Rein [Tue, 26 Mar 2019 16:18:36 +0000 (16:18 +0000)]
issue #104, infra for STARTTLS_DRIVER selection
We still have one choice, but GnuTLS is so slow in adopting
TLS-KDH that we are considering to switch to another stack.
The world needs TLS-KDH, for numerous reasons:
 - it is protected from Quantum Computing attacks
 - that includes encryption
 - it is tens of thousands of times more efficient than X.509
 - with KXOVER coming up, it can span the globe [0]

[0] though KXOVER is not yet protected from Quantum Computing,
    but not everybody needs it; most people don't at this time.

6 months agoissue #102, libev for runterminal
Rick van Rein [Tue, 26 Mar 2019 12:05:40 +0000 (12:05 +0000)]
issue #102, libev for runterminal
Added runterminal-libev.c and an option EXPERIMENTAL_LIBEV
to experiment with libev support.  This may be helpful with
ports to Windows -- and it may in general be a better idea
than crafting these details ourselves -- over and over.

6 months agoissue #44, show version number
Rick van Rein [Mon, 25 Mar 2019 21:14:47 +0000 (21:14 +0000)]
issue #44, show version number

Adriaan implemented it and kept it quit :) but thanks dude!

Merge branch 'add-version' of https://github.com/adriaandegroot/tlspool into enhancements

6 months agoissue #85, prepare for Quantum Computing, part 2/2, phase 1
Rick van Rein [Mon, 25 Mar 2019 20:51:53 +0000 (20:51 +0000)]
issue #85, prepare for Quantum Computing, part 2/2, phase 1

In phase 1, we have defaults set to disabling requirements for
Post Quantum cipher suites.

Part 2/2 adds flags `Q` and `q` to the validation expression language.
These flags currently fail on all accounts, but can still be used
in an OR compisition, with alternatives that you would like to
remove later.  In other words, the TLS Pool allows you to get
started with Quantum Proofing today.  If the cipher suites that
fall under your other options get in disgrace in the future, you
may find that your validation expressions silently fall back to
these extra OR options.

Note that TLS-KDH is a Post Quantum cipher suite.  When we finally
have our own unique code for this cipher suite, we can implement
tis positive results for both the `Q` and `q` flags.

6 months agoissue #85, prepare for Quantum Computing, part 1/2, phase 1
Rick van Rein [Mon, 25 Mar 2019 20:31:28 +0000 (20:31 +0000)]
issue #85, prepare for Quantum Computing, part 1/2, phase 1

In phase 1, we have defaults set to disabling requirements for
Post Quantum cipher suites.  One day, the default can migrate.
Administrators already get an opportunity to override, but are
STRONGLY SUGGESTED to never switch it off; however, it is now
possible to experiment with actively switching on support.  In
lieu of cipher suites, this will fail.  So, leave the lines
for Post Quantum cipher suites commented as they are in the
example configuration file.

Part 1/2 involves configuration file settings; part 2/2 involves
flags for the validation expression language.

6 months agoMerge pull request #98 from arpa2/bug-fixes
vanrein [Mon, 25 Mar 2019 14:59:48 +0000 (15:59 +0100)]
Merge pull request #98 from arpa2/bug-fixes

Bug fixes:

  * 50dea1a issue #91.  man pages for the Asynchronous API
  * 4e12313 issue #92, error code standardisation
  * 77cc246 issue #53, TLSPOOL_CFGFILE naming inconsistency
  * ba7826c issue #51.  Tool names are now scoped to avoid clashes
  * 9669523 issue #84.  PRNG now receives binary context values.
  * 98762a8 issue #93, tlspool_async_open() does pioc_ping()

6 months agoissue #91. man pages for the Asynchronous API
Rick van Rein [Mon, 25 Mar 2019 14:37:30 +0000 (14:37 +0000)]
issue #91.  man pages for the Asynchronous API
These still had to be written.  Quite a bit of detail
is embedded in them :-) namely
 - use of dup2() to swap a file descriptor
 - possible trouble in event loops after dup()
 - safety of cancelation of a TLS Pool command
 - workable alternatives for cancelation
 - details of the event-driven / asynchronous process
 - ...

6 months agoissue #92, error code standardisation
Rick van Rein [Mon, 25 Mar 2019 11:40:57 +0000 (11:40 +0000)]
issue #92, error code standardisation
Quite a few changes, but they should be meaningful:
 - the TLS Pool reports its own errors, avoiding POSIX
 - this is needed because POSIX has no numeric standards
 - we can thus use the TLS Pool remotely
 - we also merge in other numeric ranges, without overlap
 - constrained the tlserrno field in struct pioc_error to int32_t
 - this should be helpful for embedded systems -- no 64-bit needed
 - note that DER-encoding is always minimal, small int64 == int32

6 months agoissue #53, TLSPOOL_CFGFILE naming inconsistency
Rick van Rein [Mon, 25 Mar 2019 06:54:33 +0000 (06:54 +0000)]
issue #53, TLSPOOL_CFGFILE naming inconsistency
The new name is TLSPOOL_CONFIG_FILE.

6 months agoissue #51. Tool names are now scoped to avoid clashes
Rick van Rein [Mon, 25 Mar 2019 06:43:10 +0000 (06:43 +0000)]
issue #51.  Tool names are now scoped to avoid clashes

Kept tlstunnel and pgp11-genkey, as they appear unique.

Renamed tlspool to tlspool-daemon -> nicer in "ps".

Installed files follow (for PREFIX=/usr/local).

/usr/local/sbin/tlspool-daemon
/usr/include/tlspool/commands.h
/usr/include/tlspool/async.h
/usr/include/tlspool/uthash.h
/usr/include/tlspool/internal.h
/usr/include/tlspool/starttls.h
/usr/include/tlspool/commands.h.new
/usr/include/tlspool/utlist.h
/usr/local/lib/libtlspool.so
/usr/local/lib/libtlspool.a
/usr/local/lib/libtlspool_async.so
/usr/local/lib/libtlspool_async.a
/usr/local/sbin/tlspool-configvar
/usr/local/sbin/tlspool-disclose-get
/usr/local/sbin/tlspool-localid-get
/usr/local/sbin/tlspool-trust-get
/usr/local/sbin/tlspool-db-have
/usr/local/sbin/tlspool-localid-select
/usr/local/sbin/tlspool-pin-entry
/usr/local/sbin/tlspool-ping
/usr/local/sbin/tlspool-ping-async
/usr/local/sbin/tlspool-disclose-set
/usr/local/sbin/tlspool-localid-set
/usr/local/sbin/tlspool-trust-set
/usr/local/sbin/tlspool-test-client
/usr/local/sbin/tlspool-test-server
/usr/local/sbin/pgp11-genkey
/usr/local/sbin/tlstunnel
/usr/local/share/steamworks/pulleyback/pulleyback_tlspool.so
/usr/local/share/doc/tlspool/socketprotocol.rst
/usr/local/share/doc/tlspool/databases.rst
/usr/local/share/doc/tlspool/identities.rst
/usr/local/share/doc/tlspool/pkcs11.rst
/usr/local/share/doc/tlspool/validation.md
/usr/local/share/doc/tlspool/startxxx.md
/usr/local/share/doc/tlspool/p2p-tls.md
/usr/local/share/doc/tlspool/ircproxy-explained.md
/usr/local/share/doc/tlspool/localid-selection.md
/usr/local/share/doc/tlspool/anonymising-precursor.md
/usr/local/share/doc/tlspool/COPYRIGHT.MD
/usr/local/share/doc/tlspool/LICENSE-DAEMON.MD
/usr/local/share/doc/tlspool/LICENSE-DOCS.MD
/usr/local/share/doc/tlspool/LICENSE-USERSPACE.MD
/usr/local/share/man/man3/tlspool_socket.3
/usr/local/share/man/man3/tlspool_starttls.3
/usr/local/share/man/man3/tlspool_ping.3
/usr/local/share/man/man3/tlspool_prng.3
/usr/local/share/man/man3/tlspool_pin_service.3
/usr/local/share/man/man3/tlspool_localid_service.3
/usr/local/share/man/man3/tlspool_control_detach.3
/usr/local/share/man/man3/tlspool_control_reattach.3
/usr/local/share/man/man3/tlspool_configvar.3
/usr/local/share/man/man8/tlspool-daemon.8
/usr/local/share/man/man8/tlstunnel.8

6 months agoissue #84. PRNG now receives binary context values.
Rick van Rein [Mon, 25 Mar 2019 05:42:04 +0000 (05:42 +0000)]
issue #84.  PRNG now receives binary context values.

6 months agoissue #93, tlspool_async_open() does pioc_ping()
Rick van Rein [Mon, 25 Mar 2019 03:42:49 +0000 (03:42 +0000)]
issue #93, tlspool_async_open() does pioc_ping()
It did not actually ask for anything.  Now it is making a
proposal to the TLS Pool.  It is also checking that minimum
required facilities are present, as will be common on all
implementations.

6 months agoMerge pull request #90 from arpa2/async-event-api
vanrein [Sat, 23 Mar 2019 22:34:09 +0000 (23:34 +0100)]
Merge pull request #90 from arpa2/async-event-api

Async event api, resolving issue #57.

6 months agoWorking first use of Asynchronous API
Rick van Rein [Sat, 23 Mar 2019 22:27:46 +0000 (22:27 +0000)]
Working first use of Asynchronous API
pingpool-async uses libtlspool_async and is happy.
Made a small comparison between utlist.h and uthash.h
but code sizes do not differy incredibly; since uthash.h
is generally faster and the Asynchronous API serves mostly
speed, we shall continue to use uthash.h -- but have tested
against the //LIST_STYLE// commented-out code too.

6 months agoFirst version of the asynchronous API implementation
Rick van Rein [Sat, 23 Mar 2019 19:19:59 +0000 (19:19 +0000)]
First version of the asynchronous API implementation
This is untested code; it merely compiles

6 months agoInitial definitions for asynchronous API
Rick van Rein [Sat, 23 Mar 2019 16:34:04 +0000 (16:34 +0000)]
Initial definitions for asynchronous API
This works towards the implementation of issue #57 on GitHub.
Included in this commit are documentation and a header file:
 * <tlspool/async.h>
 * doc/asynchronous-api.md
Furthermore, an additional <tlspool/uthash.h> is included
from to implement a hash table; its documentation is on
http://troydhanson.github.io/uthash/userguide.html

6 months agoMerge pull request #89 from arpa2/automated-testing
vanrein [Sat, 23 Mar 2019 13:21:14 +0000 (14:21 +0100)]
Merge pull request #89 from arpa2/automated-testing

Automated testing

6 months agoExtended "ctest" with live testcli -> tlspool -> testsrv
Rick van Rein [Sat, 23 Mar 2019 13:17:52 +0000 (13:17 +0000)]
Extended "ctest" with live testcli -> tlspool -> testsrv
Just toggle this option to on, regenerate and run `ctest`:
```
option(TEST_UNDER_TLSPOOL "Test under the assumption of an available TLS Pool" OFF)
```
As the option says, you are assumed to have a working TLS Pool setup.

6 months agoTest client and server prepared for automation
Rick van Rein [Sat, 23 Mar 2019 10:11:52 +0000 (10:11 +0000)]
Test client and server prepared for automation
This is part of the work to resolve issue #88

We can now use a standard combination like this:

```
pypeline testcli . IP:ME TCP:MINE -5 -- testsrv . IP:ME TCP:MINE -10
```

This will:

  * Find a local IP and substitute it for `IP:ME`
  * Find a local TCP port and substitute it for `TCP:MINE`
  * Start `testcli` with 5 seconds timeout
  * Start `testsrv` with 10 seconds timeout

The result is a failed client (it was interrupted) and a
succeeding server (it finished a connection and was not
interrupted with another).

Setups involving the TLS Pool in the `pypeline` command are
also feasible, but will a `tlspool.conf` generator may help.

The work is not complete yet; we still need `chat` support,
to allow usage patterns such as

```
shell# pypeline testcli . IP:LOCAL TCP:PORT -5 -sSv hello -- testsrv . IP:LOCAL TCP:PORT -10 -sSv '' hello
```

Note the empty string `''` to not wait but instead take the
initiative, here done by the client.  The remaining tic-toc
is mirrorred in expect/response strings.  Also note that
Pypeline will start `testsrv` and await its output `--` before
it starts `testcli`.  The reading order is the initial message
flow, that's why Pypeline starts at the end.

Partial output fom the above statement:

```
FINAL OUTPUT FROM TESTSRV IS:
Scheduled to exit(exit_val) in 10 seconds
--
DEBUG: STARTTLS succeeded on testsrv
PRNG bytes: 06 3c c9 5e 08 86 e0 59 0d 27 7a 08 19 fe fa ec
SIGCONT will trigger renegotiation of the TLS handshake during a connection
DEBUG: Local plainfd = 6
DEBUG: Client connection terminated

pypeline: success: testcli -> exit (0)

FINAL OUTPUT FROM TESTCLI IS:
Scheduled to exit(exit_val) in 5 seconds
--
PRNG bytes: 06 3c c9 5e 08 86 e0 59 0d 27 7a 08 19 fe fa ec
DEBUG: STARTTLS succeeded on testcli
SIGCONT will trigger renegotiation of the TLS handshake
DEBUG: Local plainfd = 5
DEBUG: Closed connection.  Waiting 2s to improve testing.
```

The TLS Pool reports many single bytes being sent too...

6 months agoIntroduced Pypeline (from KXOVER) for automated testing
Rick van Rein [Sat, 23 Mar 2019 08:28:58 +0000 (08:28 +0000)]
Introduced Pypeline (from KXOVER) for automated testing
This helps to implement issue #88

10 months agostarttls.h windows update
Henri Manson [Thu, 13 Dec 2018 14:14:00 +0000 (15:14 +0100)]
starttls.h windows update

10 months ago#define IPPROTO_SCTP in windows (#80)
hfmanson [Tue, 11 Dec 2018 08:30:34 +0000 (09:30 +0100)]
#define IPPROTO_SCTP in windows (#80)

* GnuTLS buffer problem
* mxe fixes
* IPPROTO_SCTP on windows
*  libtlspool_configvar on windows
* Update src/starttls.c

Authored-By: hfmanson <hfmanson@gmail.com>

10 months agomiscellaneous fixes to compile tlspool again on windows (#79)
hfmanson [Mon, 10 Dec 2018 14:25:35 +0000 (15:25 +0100)]
miscellaneous fixes to compile tlspool again on windows  (#79)

* GnuTLS buffer problem
* gnutls_packet_deinit
* mxe fixes
* No IPPROTE_SCTP on windows
*  libtlspool_configvar on windows
* Update src/starttls.c

Authored-By: hfmanson <hfmanson@gmail.com>

10 months agoGnuTLS buffer problem solution (#78)
hfmanson [Sat, 1 Dec 2018 10:17:05 +0000 (11:17 +0100)]
GnuTLS buffer problem solution (#78)

GnuTLS records can be rather large, and fetching them in 1024 bytes at a time did not work.

10 months agoMerge branch 'master' of https://github.com/arpa2/tlspool
Rick van Rein [Sat, 1 Dec 2018 09:51:05 +0000 (09:51 +0000)]
Merge branch 'master' of https://github.com/arpa2/tlspool

10 months agoIntroduced default named connect function to tlspool library
root [Sat, 1 Dec 2018 09:42:50 +0000 (09:42 +0000)]
Introduced default named connect function to tlspool library

10 months agoFix to test server tool
root [Sat, 1 Dec 2018 09:42:30 +0000 (09:42 +0000)]
Fix to test server tool

10 months agoUpdates to handle SNI callbacks on the server side
root [Sat, 1 Dec 2018 09:26:27 +0000 (09:26 +0000)]
Updates to handle SNI callbacks on the server side

10 months agoAdded build option for Python language support; off by default.
Rick van Rein [Thu, 29 Nov 2018 20:07:52 +0000 (20:07 +0000)]
Added build option for Python language support; off by default.
The default is off, because that is both consistent and works everywhere.
Better support is possible:
 - find the package(s) to run setup.py
 - include tests for the python code
 - build with the setup.py build command
 - build in the CMake build directory, not the source directory

10 months agoMerge pull request #74 from hfmanson/socketpair
vanrein [Thu, 29 Nov 2018 12:28:02 +0000 (13:28 +0100)]
Merge pull request #74 from hfmanson/socketpair

socketpair type derived from tlsdata->ipproto

10 months agosocketpair type derived from tlsdata->ipproto
root [Thu, 29 Nov 2018 11:52:43 +0000 (11:52 +0000)]
socketpair type derived from tlsdata->ipproto

10 months agohttp_proxy.py
Henri Manson [Thu, 29 Nov 2018 10:43:23 +0000 (11:43 +0100)]
http_proxy.py

10 months agoModifications to testcli & testsrv for virtual host checks.
root [Sat, 24 Nov 2018 12:32:57 +0000 (12:32 +0000)]
Modifications to testcli & testsrv for virtual host checks.
(Dropped the possibility to specify address data on testsrv
 that was not mirrorred into testcli anyway.)

10 months agoFirst version of a protocolhandler.py tool, for web+tlspool: URI scheme
root [Fri, 23 Nov 2018 18:48:45 +0000 (18:48 +0000)]
First version of a protocolhandler.py tool, for web+tlspool: URI scheme

10 months agoCorrection to new testdata
root [Thu, 22 Nov 2018 09:15:19 +0000 (09:15 +0000)]
Correction to new testdata

10 months agoAdded privkey #8 and a certificate "playground.arpa2.lab"
root [Thu, 22 Nov 2018 08:31:02 +0000 (08:31 +0000)]
Added privkey #8 and a certificate "playground.arpa2.lab"

11 months agouse getaddrinfo in testsrv.c
Henri Manson [Fri, 26 Oct 2018 13:49:48 +0000 (15:49 +0200)]
use getaddrinfo in testsrv.c

11 months agoCorrections in Python wrappers
root [Wed, 24 Oct 2018 12:27:09 +0000 (12:27 +0000)]
Corrections in Python wrappers
Management of file descriptors was leaking.  The cryptfd was closed
by the tlspool_starttls() call or TLS Pool but also by Python, for
instance when garbage collecting the cryptfd.  This allowed closing
the same socket twice or, more accurately put, closing of the same
file descriptor number.  An intermediate process might have opened
another stream with the same number, and seen it closed.  Yet an
other process might have opened it once again and receive spurious
information from the stashed file descriptor in, say, the syslog()
API or Python sockets.

11 months agoImprovements in Python support and installation of Python and includes
Rick van Rein [Tue, 23 Oct 2018 06:57:43 +0000 (06:57 +0000)]
Improvements in Python support and installation of Python and includes

11 months agoUpdated #bits for RSA (it used to be 2000 to tease out expectations)
Rick van Rein [Sun, 21 Oct 2018 18:17:30 +0000 (18:17 +0000)]
Updated #bits for RSA (it used to be 2000 to tease out expectations)

11 months agoAdded a CMake option for EXPERIMENTAL_SRP, defaulting to OFF.
Rick van Rein [Sun, 21 Oct 2018 14:49:51 +0000 (14:49 +0000)]
Added a CMake option for EXPERIMENTAL_SRP, defaulting to OFF.
SRP support was always a bit experimental, referencing files relative
to the point of invocation.  This did not help stability.  This is now
off by default, but can simply be toggled on in the CMake Cache.

11 months agoUpdates, mostly to testdata, to tool modernisations
Rick van Rein [Sat, 20 Oct 2018 16:10:57 +0000 (16:10 +0000)]
Updates, mostly to testdata, to tool modernisations
 - label= become object= in certtool, breaking change?
 - libsofthsm2 is readily available in distributions
 - certtool now produces multiple hashes, and references with SHA1

19 months agoPolishing (#65)
Adriaan de Groot [Tue, 27 Feb 2018 11:22:59 +0000 (06:22 -0500)]
Polishing (#65)

Some reduction of compile warnings and a little extra documentation to help people building from source.

19 months agoCmakeing (#66)
Adriaan de Groot [Tue, 27 Feb 2018 11:22:33 +0000 (06:22 -0500)]
Cmakeing (#66)

Switch TLSPool build entirely to CMake; make DANE optional (not recommended, but needed to get it to build on older Ubuntu's).

19 months agoAdd a -V flag, which prints the TLSPool version string.
Adriaan de Groot [Fri, 23 Feb 2018 15:41:47 +0000 (16:41 +0100)]
Add a -V flag, which prints the TLSPool version string.

The string is the same as the git version information,
so could be '0.20.local-20180223-163246'.

Fixes #44

2 years agoMerge pull request #63 from adriaandegroot/pulleyback
vanrein [Mon, 28 Aug 2017 06:02:56 +0000 (08:02 +0200)]
Merge pull request #63 from adriaandegroot/pulleyback

CMake-ify

2 years agoMakefile: clean up build
Adriaan de Groot [Fri, 25 Aug 2017 08:43:23 +0000 (10:43 +0200)]
Makefile: clean up build

 - fix Quick-DER pkgconfig name
 - allow specifying BDB flags (needed on FreeBSD)
 - explicitly set c99 standard (where it wasn't set yet)
 - create directories where things will be installed

2 years agoCMake: install all libraries and executables and manpages
Adriaan de Groot [Fri, 25 Aug 2017 16:03:10 +0000 (18:03 +0200)]
CMake: install all libraries and executables and manpages

2 years agotest/: fix C code, add CMake
Adriaan de Groot [Thu, 24 Aug 2017 20:10:06 +0000 (22:10 +0200)]
test/: fix C code, add CMake

 - Run valexp tests through a supporting shell-script. This means
   less futzing with command-pipelines in the CMake code.
 - Run onlinecheck through supporting shell-script.

Fix up C code in test/ dir

 - The declaration of tlog() in internal.h is messed up by
   #defining it as empty, so see the declaration first, before
   #defining it away in the actual code.
 - Better usage message for onlinecheck (test)
 - Pulleybacksim minor pointer signedness fixes
 - Pulleybacksim executable also returns 0 on failure,
   so this test always succeeds.

2 years agotool/: fix C code, add CMake
Adriaan de Groot [Thu, 24 Aug 2017 09:32:43 +0000 (11:32 +0200)]
tool/: fix C code, add CMake

Refactor after finding 3 copies of code

 - Having fixed the same printf() format problems in 3 test
   programs, refactor the runterminal() function to be usable
   for each of those programs.
 - Introduce separate module runterminal.c, which is linked
   into targets through a CMake-level OBJECT library.

Other C fixes:
 - Arguments to main()
 - Minor constness, pointer-signedness fixes
 - Missing parameters for format-string in printf()
 - Constness
 - Lots and lots of format fixes for pgp11_genkey

2 years agolibtlspool: reduce warnings
Adriaan de Groot [Wed, 23 Aug 2017 08:18:04 +0000 (10:18 +0200)]
libtlspool: reduce warnings

 - pid is unsigned, comparison >= 0 is useless

2 years agoPulleyback: reduce warnings
Adriaan de Groot [Fri, 18 Aug 2017 10:11:54 +0000 (12:11 +0200)]
Pulleyback: reduce warnings

 - Pass int to %.*s
 - check() doesn't return anything
 - char vs uint8_t

2 years agoCMake-ify TLSPool (and pulleyback)
Adriaan de Groot [Fri, 18 Aug 2017 09:37:43 +0000 (11:37 +0200)]
CMake-ify TLSPool (and pulleyback)

 - Add top-level stub Makefile.cmake for driving cmake-builds,
   styled on the Quick-DER one. This allows 'make cmake-build'
   to be used to test the CMake system.
 - Find libunbound
 - Find libldns
 - Find p11-kit
 - Find gnutls
 - Find gnutls-dane extensions
 - Find libtasn1
 - Find openldap
 - Always include feature summary

2 years agoMerge pull request #61 from adriaandegroot/fix-build
vanrein [Tue, 22 Aug 2017 10:19:19 +0000 (12:19 +0200)]
Merge pull request #61 from adriaandegroot/fix-build

Fix build

2 years agoLDAP-types: use berelement instead of void
Adriaan de Groot [Tue, 22 Aug 2017 08:54:29 +0000 (10:54 +0200)]
LDAP-types: use berelement instead of void

2 years agoC-style: char vs uint8_t
Adriaan de Groot [Tue, 22 Aug 2017 08:52:47 +0000 (10:52 +0200)]
C-style: char vs uint8_t

2 years agoAdd some constness to parameters of strncatesc
Adriaan de Groot [Tue, 22 Aug 2017 08:50:11 +0000 (10:50 +0200)]
Add some constness to parameters of strncatesc

2 years agoFix string escaping
Adriaan de Groot [Tue, 22 Aug 2017 08:47:01 +0000 (10:47 +0200)]
Fix string escaping

2 years agoTests: try to introduce test for string escaping.
Adriaan de Groot [Tue, 22 Aug 2017 08:46:44 +0000 (10:46 +0200)]
Tests: try to introduce test for string escaping.