Adriaan de Groot [Fri, 18 Aug 2017 09:37:43 +0000 (11:37 +0200)]
CMake-ify TLSPool (and pulleyback)
- Add top-level stub Makefile.cmake for driving cmake-builds,
styled on the Quick-DER one. This allows 'make cmake-build'
to be used to test the CMake system.
- Find libunbound
- Find libldns
- Find p11-kit
- Find gnutls
- Find gnutls-dane extensions
- Find libtasn1
- Find openldap
- Always include feature summary
vanrein [Tue, 22 Aug 2017 10:19:19 +0000 (12:19 +0200)]
Merge pull request #61 from adriaandegroot/fix-build
Fix build
Adriaan de Groot [Tue, 22 Aug 2017 08:54:29 +0000 (10:54 +0200)]
LDAP-types: use berelement instead of void
Adriaan de Groot [Tue, 22 Aug 2017 08:52:47 +0000 (10:52 +0200)]
C-style: char vs uint8_t
Adriaan de Groot [Tue, 22 Aug 2017 08:50:11 +0000 (10:50 +0200)]
Add some constness to parameters of strncatesc
Adriaan de Groot [Tue, 22 Aug 2017 08:47:01 +0000 (10:47 +0200)]
Fix string escaping
Adriaan de Groot [Tue, 22 Aug 2017 08:46:44 +0000 (10:46 +0200)]
Tests: try to introduce test for string escaping.
Adriaan de Groot [Tue, 22 Aug 2017 08:32:24 +0000 (10:32 +0200)]
C-style: char vs uint8_t
Adriaan de Groot [Tue, 22 Aug 2017 08:27:35 +0000 (10:27 +0200)]
C-style: char vs uint8_t
Adriaan de Groot [Tue, 22 Aug 2017 08:17:28 +0000 (10:17 +0200)]
C-style: massage char / uint8_t to reduce warnings
Adriaan de Groot [Tue, 22 Aug 2017 08:08:54 +0000 (10:08 +0200)]
Logic-typos
- Intended was to check for both flag bits, cf. line 637
Adriaan de Groot [Tue, 22 Aug 2017 07:47:08 +0000 (09:47 +0200)]
C-style: simplify setup of validation-expression tables.
- original code had UB due to lack of sequence point in the assignment
of i++ to an expression indexed by i.
Adriaan de Groot [Tue, 22 Aug 2017 07:42:35 +0000 (09:42 +0200)]
C-style: drop trailing spaces
Adriaan de Groot [Mon, 21 Aug 2017 09:35:50 +0000 (11:35 +0200)]
TLS_KDH: code not guarded
Adriaan de Groot [Mon, 21 Aug 2017 09:08:46 +0000 (11:08 +0200)]
Assignment clobbers value in if
Adriaan de Groot [Mon, 21 Aug 2017 09:05:48 +0000 (11:05 +0200)]
C-style: reduce pointer-signedness warnings
Adriaan de Groot [Mon, 21 Aug 2017 08:53:49 +0000 (10:53 +0200)]
C-style: pointer typo
- Use a 10000-byte buffer for the data, instead of a probably-80000-byte
buffer with the wrong type.
Adriaan de Groot [Mon, 21 Aug 2017 08:50:38 +0000 (10:50 +0200)]
C-style: reduce signedness warnings
Adriaan de Groot [Mon, 21 Aug 2017 08:49:47 +0000 (10:49 +0200)]
C-style: use %p to print pointers
Adriaan de Groot [Mon, 21 Aug 2017 08:48:14 +0000 (10:48 +0200)]
C-style: drop unused printf parameter
Adriaan de Groot [Mon, 21 Aug 2017 09:28:22 +0000 (11:28 +0200)]
GnuTLS: unhandled enum values made explicit
Adriaan de Groot [Mon, 21 Aug 2017 08:47:16 +0000 (10:47 +0200)]
GnuTLS: fix call
- gnutls_certificate_get doesn't exist in GnuTLS 3.[135]; presumed typo.
Adriaan de Groot [Mon, 21 Aug 2017 08:38:31 +0000 (10:38 +0200)]
C-style: drop casts
- (locally) asn1_get_length_ber takes const unsigned char *,
so the cast is extra and introduces a warning.
Adriaan de Groot [Mon, 21 Aug 2017 08:36:05 +0000 (10:36 +0200)]
C-style: swapped format chars lead to warning
Adriaan de Groot [Sun, 20 Aug 2017 22:22:18 +0000 (00:22 +0200)]
C-style: massage char types
Adriaan de Groot [Sun, 20 Aug 2017 22:20:14 +0000 (00:20 +0200)]
C-style: lengths (sizes, really) are unsigned
Adriaan de Groot [Sun, 20 Aug 2017 22:18:36 +0000 (00:18 +0200)]
C-style: reduce signed/unsigned warnings
Adriaan de Groot [Sun, 20 Aug 2017 22:16:11 +0000 (00:16 +0200)]
C-style: drop duplicate const, make read-only data
Adriaan de Groot [Sun, 20 Aug 2017 22:15:27 +0000 (00:15 +0200)]
C-style: drop trailing spaces
Adriaan de Groot [Sun, 20 Aug 2017 21:16:02 +0000 (23:16 +0200)]
Fix-build: remove duplicate flag-setting (with bad pkg-config)
Adriaan de Groot [Sun, 20 Aug 2017 21:13:47 +0000 (23:13 +0200)]
Fix-build: for FreeBSD, allow specifying /usr/local/include/db5/ for BDB
Adriaan de Groot [Sun, 20 Aug 2017 21:12:30 +0000 (23:12 +0200)]
Fix-build: package is named Quick-DER
vanrein [Tue, 4 Jul 2017 09:27:58 +0000 (11:27 +0200)]
Merge pull request #59 from arpa2/pulleyback
Improved transaction handling in PulleyBack plugin (poolback)
Rick van Rein [Tue, 4 Jul 2017 09:10:42 +0000 (10:10 +0100)]
Improved transaction handling in PulleyBack plugin (poolback)
- Collected failures within a transaction as TXN_ABORT transactional state
- When commit fails, enact a rollback and remove transaction
- When prepare fails, still need to invoke rollback (see documentation)
Rick van Rein [Mon, 23 Jan 2017 11:23:34 +0000 (11:23 +0000)]
Changes to accommodate NixOS; thanks to Joachim Schiele <qknight>
Rick van Rein [Fri, 2 Dec 2016 10:48:24 +0000 (10:48 +0000)]
Added tool/have_db to ensure that at least empty databases exist
Rick van Rein [Mon, 17 Oct 2016 23:08:39 +0000 (00:08 +0100)]
Updates to testdata so as to build a localid.db that works with TLS-KDH
vanrein [Mon, 17 Oct 2016 22:09:19 +0000 (00:09 +0200)]
Merge pull request #46 from arpa2/tls-kdh
Integration of TLS-KDH
Rick van Rein [Mon, 17 Oct 2016 22:03:10 +0000 (23:03 +0100)]
Merge branch 'master' of https://github.com/arpa2/tlspool into tls-kdh
Conflicts:
testdata/Makefile
Rick van Rein [Mon, 17 Oct 2016 22:02:01 +0000 (23:02 +0100)]
Merge branch 'tls-kdh' of https://github.com/arpa2/tlspool into tls-kdh
Conflicts:
tool/get_localid.c
Rick van Rein [Mon, 17 Oct 2016 21:31:02 +0000 (22:31 +0100)]
Fixes of memory leaks in TLS-KDH handling
Rick van Rein [Mon, 17 Oct 2016 19:33:00 +0000 (20:33 +0100)]
First working TLS-KDH system! (Still with possible memleaks)
Rick van Rein [Thu, 25 Aug 2016 14:42:24 +0000 (15:42 +0100)]
Now passing Ticket and Authenticator between client and server
- tested for the KDH-only mode, without server certificate
- including a keytab for `generic/testsrv\@tlspool.arpa2.lab@ARPA2.NET`
Rick van Rein [Fri, 19 Aug 2016 10:10:18 +0000 (11:10 +0100)]
Now returning properly from cli_kdhsig_encode()
- simply forgot to add terminators to the syntax packers
- have not checked the actual data produced
Rick van Rein [Fri, 19 Aug 2016 08:34:17 +0000 (09:34 +0100)]
Mostly working-ish, with problems in Quick DER and GnuTLS-KDH remaining
- issue in TLS Pool: PIN entry does not work
- issue in Quick DER: der_pack() returns incredibly large size
- issue in GnuTLS-KDH: crashes on gcm/hash size
- issue in GnuTLS-KDH: gnutls_certificate_get_peers() is empty under KDH
This release bails out of cli_kdhsig_encode(), causing GNUTLS_E_USER_ERROR
Rick van Rein [Wed, 17 Aug 2016 08:08:12 +0000 (09:08 +0100)]
First version that seems to get the ticket across (due to hacks)
The hacks are marked to be overruled #if TOM_IS_WEG
Rick van Rein [Sun, 3 Jul 2016 18:03:36 +0000 (19:03 +0100)]
Now running all the way up to the reception of Certificate Request
This is in combination with GnuTLS-KDH
63f3e43bfb19a9105004e6dc3b278d5fdec0ff3a
Rick van Rein [Sun, 3 Jul 2016 16:02:39 +0000 (17:02 +0100)]
Working up to and including clisrv_cert_retrieve()
- It fails with GnuTLS error -87, No supported cipher suites have been found.
- This is after returning a Kerberos ticket (both empty and DER NULL)
Rick van Rein [Sat, 2 Jul 2016 10:13:31 +0000 (11:13 +0100)]
Last (AFAIK) functional extension to TLS-KDH
- overlooked retrieval of data from client's Ticket into server cmd->...
- removed cmd->krb_tkt as it was never really needed
- kept cmd->krb_key for decryption of what comes up next
- added cmd->krbid_client for client principal, assured by both KDH modes
- added cmd->krbid_server for server principal, assured by only KDH-Only
- considering cmd->krbid_XXX to be verified identities after gnutls_handshake()
- checked against change of server ID after it starts with user-to-user
- it compiles, but let's not ship it quite yet
Rick van Rein [Fri, 1 Jul 2016 22:10:38 +0000 (23:10 +0100)]
Misc improvements
- malloc() now matched by free() in cli_kdhsig_encode()
- better GnuTLS error codes: E_DE/ENCRYPTION_FAILED, etc.
Rick van Rein [Fri, 1 Jul 2016 19:37:55 +0000 (20:37 +0100)]
Added srv_kdhsig_decode() to help verification of the Kerberos "signature"
- Unpack the EncryptedData
- Decrypt the EncryptedData with the key at hand
- Unpack the Authenticator
- Somewhat validate the Authenticator
- Deliver information from the Authenticator
Rick van Rein [Fri, 1 Jul 2016 18:52:22 +0000 (19:52 +0100)]
Update on cli_kdhsig_encode()
- new data field in include file
Rick van Rein [Fri, 1 Jul 2016 18:51:06 +0000 (19:51 +0100)]
Introduced compiling cli_kdhsig_encode()
- Construct an Authenticator
- Deliver it in dec_authenticator
- Encrypt the Authenticator and wrap it in EncryptedData
- Deliver that in enc_authenticator
Rick van Rein [Fri, 1 Jul 2016 12:39:13 +0000 (13:39 +0100)]
Compiling code to supply Tickets as certificates to GnuTLS' TLS-KDH extension
- As a client, provide a service ticket
- As a KDH-Only server, consider user-to-user mode instead of client-to-service
- In user-to-user mode, select a server TGT and supply it
- In client-to-service mode, select no server ticket (instead, supply 0 bytes)
Rick van Rein [Thu, 30 Jun 2016 22:25:53 +0000 (23:25 +0100)]
Looking good: have_key_tgt() produces a keyblock + creds in various ways
Rick van Rein [Thu, 30 Jun 2016 20:17:51 +0000 (21:17 +0100)]
Remodelled contexts (split for clients / servers) and started have_key_ctx()
Rick van Rein [Thu, 30 Jun 2016 14:58:41 +0000 (15:58 +0100)]
Potential extra precaution at setup of Kerberos.
Rick van Rein [Thu, 30 Jun 2016 14:58:07 +0000 (15:58 +0100)]
Potential extra precaution during startup of Kerberos
Rick van Rein [Thu, 30 Jun 2016 14:11:12 +0000 (15:11 +0100)]
Added keyblock to session, and cleanup at the end of the handshake
Rick van Rein [Thu, 30 Jun 2016 13:52:10 +0000 (14:52 +0100)]
Setup and cleanup for Kerberos: check collection support on credential caches
Rick van Rein [Thu, 30 Jun 2016 13:34:59 +0000 (14:34 +0100)]
Created configuration variables for Kerberos keytab, credcache of cli, srv
Rick van Rein [Mon, 27 Jun 2016 18:46:00 +0000 (19:46 +0100)]
First attempt at making TLS-KDH work with the TLS Pool
Rick van Rein [Mon, 30 May 2016 13:45:34 +0000 (14:45 +0100)]
Added priority string with asymmetric certificate type support (RFC 7250)
Rick van Rein [Mon, 30 May 2016 11:34:14 +0000 (13:34 +0200)]
Initial use of proposed GUI for TLS-KDH
Rick van Rein [Mon, 17 Oct 2016 21:31:02 +0000 (22:31 +0100)]
Fixes of memory leaks in TLS-KDH handling
Rick van Rein [Mon, 17 Oct 2016 19:33:00 +0000 (20:33 +0100)]
First working TLS-KDH system! (Still with possible memleaks)
Rick van Rein [Sun, 25 Sep 2016 20:09:41 +0000 (21:09 +0100)]
Update to Handbook, to make it work on tlspool.readthedocs.io
Rick van Rein [Sun, 25 Sep 2016 20:04:04 +0000 (21:04 +0100)]
Added the TLS Pool Handbook, first edition.
Note: The text previews upcoming name changes for tools!
Rick van Rein [Thu, 25 Aug 2016 14:42:24 +0000 (15:42 +0100)]
Now passing Ticket and Authenticator between client and server
- tested for the KDH-only mode, without server certificate
- including a keytab for `generic/testsrv\@tlspool.arpa2.lab@ARPA2.NET`
Rick van Rein [Wed, 24 Aug 2016 06:57:20 +0000 (07:57 +0100)]
Merge branch 'master' of https://github.com/arpa2/tlspool
Rick van Rein [Wed, 24 Aug 2016 06:56:50 +0000 (07:56 +0100)]
Fixes to improve building
Rick van Rein [Fri, 19 Aug 2016 10:10:18 +0000 (11:10 +0100)]
Now returning properly from cli_kdhsig_encode()
- simply forgot to add terminators to the syntax packers
- have not checked the actual data produced
Rick van Rein [Fri, 19 Aug 2016 08:34:17 +0000 (09:34 +0100)]
Mostly working-ish, with problems in Quick DER and GnuTLS-KDH remaining
- issue in TLS Pool: PIN entry does not work
- issue in Quick DER: der_pack() returns incredibly large size
- issue in GnuTLS-KDH: crashes on gcm/hash size
- issue in GnuTLS-KDH: gnutls_certificate_get_peers() is empty under KDH
This release bails out of cli_kdhsig_encode(), causing GNUTLS_E_USER_ERROR
vanrein [Thu, 18 Aug 2016 12:03:10 +0000 (14:03 +0200)]
Merge pull request #43 from leenaars/patch-4
Minor textual edits of README
leenaars [Thu, 18 Aug 2016 11:50:31 +0000 (13:50 +0200)]
Minor textual edits of README
Is the last part about Windows porting still relevant?
Rick van Rein [Wed, 17 Aug 2016 08:08:12 +0000 (09:08 +0100)]
First version that seems to get the ticket across (due to hacks)
The hacks are marked to be overruled #if TOM_IS_WEG
Rick van Rein [Thu, 11 Aug 2016 17:31:07 +0000 (18:31 +0100)]
Misc changes
vanrein [Wed, 10 Aug 2016 13:00:25 +0000 (15:00 +0200)]
Merge pull request #41 from arpa2/configvar-apicall
Configvar apicall
Rick van Rein [Wed, 10 Aug 2016 12:58:14 +0000 (13:58 +0100)]
Adapted tool/* to newly added tlspool_configvar() call; testdata generates properly
Rick van Rein [Wed, 10 Aug 2016 11:13:48 +0000 (12:13 +0100)]
Added tlspool_configvar() to libtlspool
This retrieves a value from a configvar in a default location
Also used it to locate the TLS Pool socket
There is an environment variable to accommodate this
The TLS Pool daemon will not continue to use its own code (efficiency, security)
The tool/* and perhaps tests will later be updated to use this new facility
vanrein [Tue, 9 Aug 2016 15:24:30 +0000 (17:24 +0200)]
Merge pull request #40 from amarsman/tlspool-gui
fix c++ build: multiple definition errors of pioc_...
Aschwin Marsman [Tue, 9 Aug 2016 15:04:37 +0000 (17:04 +0200)]
fix c++ build: multiple definition errors of pioc_...
Rick van Rein [Tue, 9 Aug 2016 14:53:51 +0000 (15:53 +0100)]
Undone overzealous inclusion of changes in QUICKSTART.sh
Rick van Rein [Tue, 9 Aug 2016 10:51:45 +0000 (11:51 +0100)]
Removed length valexp_varchars[] dump sequence (DEBUG)
Rick van Rein [Tue, 9 Aug 2016 10:49:25 +0000 (11:49 +0100)]
Updated header files to support C++ (notably, g++)
Aschwin Marsman [Tue, 9 Aug 2016 05:26:12 +0000 (07:26 +0200)]
Merge branch 'master' of https://github.com/arpa2/tlspool into tlspool-gui
Rick van Rein [Wed, 3 Aug 2016 14:51:15 +0000 (15:51 +0100)]
Removed accidentally (?) added PEM files from testdata/
Rick van Rein [Tue, 2 Aug 2016 20:32:08 +0000 (21:32 +0100)]
Additional changes to SWIG-generated files (with new GIL support)
Rick van Rein [Tue, 2 Aug 2016 20:31:15 +0000 (21:31 +0100)]
Added GIL support to the Python wrapper (sigh... after a long search)
More local changes
Aschwin Marsman [Mon, 1 Aug 2016 05:00:40 +0000 (07:00 +0200)]
Merge branch 'master' of https://github.com/arpa2/tlspool into tlspool-gui
Rick van Rein [Thu, 28 Jul 2016 14:16:54 +0000 (15:16 +0100)]
Fix of missing sys introduced by PR on https_proxy
A few improvements on the build infra for lib/* wrappers
Aschwin Marsman [Thu, 28 Jul 2016 06:05:03 +0000 (08:05 +0200)]
Merge branch 'master' of https://github.com/arpa2/tlspool into tlspool-gui
Rick van Rein [Wed, 27 Jul 2016 14:41:15 +0000 (16:41 +0200)]
Changes to lib/*/Makefile to accommodate building without local SWIG
Aschwin Marsman [Tue, 26 Jul 2016 04:51:25 +0000 (06:51 +0200)]
Merge branch 'master' of https://github.com/arpa2/tlspool into tlspool-gui
vanrein [Mon, 25 Jul 2016 20:12:07 +0000 (22:12 +0200)]
Merge pull request #39 from leenaars/patch-3
Add tlspool socket parameter to https_proxy
leenaars [Mon, 25 Jul 2016 17:39:49 +0000 (19:39 +0200)]
Add tlspool socket parameter to https_proxy
Rick van Rein [Mon, 25 Jul 2016 16:40:33 +0000 (17:40 +0100)]
Parameter for socket filename to lib/python/webdemo.py
Added swig output for lib/go to GIT repo, only rebuilt with "make veryclean"
More advances with lib/go, but not done yet
Rick van Rein [Mon, 25 Jul 2016 16:21:37 +0000 (17:21 +0100)]
SWIG now is not needed for lib/python, unless after "make veryclean"
Aschwin Marsman [Fri, 22 Jul 2016 15:33:36 +0000 (17:33 +0200)]
Merge branch 'master' of https://github.com/amarsman/tlspool into tlspool-gui
Rick van Rein [Fri, 22 Jul 2016 13:20:16 +0000 (14:20 +0100)]
Merge branch 'master' of https://github.com/arpa2/tlspool