secnet.git
2 years ago  credits: Make debian/copyright be a symlink
Ian Jackson [Thu, 30 Dec 2021 12:54:07 +0000 (12:54 +0000)]
credits: Make debian/copyright be a symlink

This reduces the number of places to edit to two.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  credits: Add missing credit re python argparse extension
Ian Jackson [Thu, 30 Dec 2021 12:52:51 +0000 (12:52 +0000)]
credits: Add missing credit re python argparse extension

See argparseactionnoyes.py.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  CREDITS, copyright: Promote Joey Hess's packaging credit
Ian Jackson [Thu, 30 Dec 2021 12:50:05 +0000 (12:50 +0000)]
CREDITS, copyright: Promote Joey Hess's packaging credit

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  legal: Move legal information into its own file
Ian Jackson [Thu, 30 Dec 2021 12:49:11 +0000 (12:49 +0000)]
legal: Move legal information into its own file

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  copyright: Add notice to random-fake-userv
Ian Jackson [Thu, 30 Dec 2021 11:52:34 +0000 (11:52 +0000)]
copyright: Add notice to random-fake-userv

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  test-example/null-fake-userv: New test utility script
Ian Jackson [Thu, 30 Dec 2021 02:54:40 +0000 (02:54 +0000)]
test-example/null-fake-userv: New test utility script

This doesn't get used by anything yet.  We will want it for certain
tests, eg the autopkgtest I am working on.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  example.conf: Add mtu-target
Ian Jackson [Thu, 30 Dec 2021 02:05:52 +0000 (02:05 +0000)]
example.conf: Add mtu-target

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  example.conf: Add a commented-out mobile site setting
Ian Jackson [Thu, 30 Dec 2021 01:59:38 +0000 (01:59 +0000)]
example.conf: Add a commented-out mobile site setting

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  example.conf: Improve syntax by deleting one of the two map examples
Ian Jackson [Thu, 30 Dec 2021 01:16:38 +0000 (01:16 +0000)]
example.conf: Improve syntax by deleting one of the two map examples

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  example.conf: Comment out some tuning overrides
Ian Jackson [Thu, 30 Dec 2021 00:58:20 +0000 (00:58 +0000)]
example.conf: Comment out some tuning overrides

Not setting these is better.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  test-example/common.conf: Fix a reference to the sites file
Ian Jackson [Thu, 30 Dec 2021 00:54:36 +0000 (00:54 +0000)]
test-example/common.conf: Fix a reference to the sites file

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  init script: source /lib/lsb/init-functions
Ian Jackson [Thu, 30 Dec 2021 00:22:51 +0000 (00:22 +0000)]
init script: source /lib/lsb/init-functions

As per lintian.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  debian/control: Add missing Pre-Depends
Ian Jackson [Thu, 30 Dec 2021 00:22:28 +0000 (00:22 +0000)]
debian/control: Add missing Pre-Depends

As per lintian.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  debian: Add some lintian overrides
Ian Jackson [Thu, 30 Dec 2021 00:19:44 +0000 (00:19 +0000)]
debian: Add some lintian overrides

(INSTALL contains setup instructions too.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  debian/control: Adjust priority (as per modern policy and lintian)
Ian Jackson [Thu, 30 Dec 2021 00:19:22 +0000 (00:19 +0000)]
debian/control: Adjust priority (as per modern policy and lintian)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  Description: expand
Ian Jackson [Thu, 30 Dec 2021 00:19:19 +0000 (00:19 +0000)]
Description: expand

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  Description: expand
Ian Jackson [Thu, 30 Dec 2021 00:15:11 +0000 (00:15 +0000)]
Description: expand

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  README, copyright: add missing credits for base91
Ian Jackson [Thu, 30 Dec 2021 00:07:30 +0000 (00:07 +0000)]
README, copyright: add missing credits for base91

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  site: promote creation of st->scratch
Ian Jackson [Thu, 30 Dec 2021 02:23:14 +0000 (02:23 +0000)]
site: promote creation of st->scratch

Without this, peer keyset loading does not work after restart!

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  comprehensive-test: Actually allow OLD_SECNET_DIR set to ''
Ian Jackson [Thu, 30 Dec 2021 13:36:14 +0000 (13:36 +0000)]
comprehensive-test: Actually allow OLD_SECNET_DIR set to ''

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  Dir.sd.mk: Prevent builtin make rule overwriting conffile.c
Ian Jackson [Thu, 30 Dec 2021 13:14:27 +0000 (13:14 +0000)]
Dir.sd.mk: Prevent builtin make rule overwriting conffile.c

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  debian/rules: Use dh sequencer
Ian Jackson [Wed, 29 Dec 2021 23:58:10 +0000 (23:58 +0000)]
debian/rules: Use dh sequencer

Resulting changes:
 * We now provide debug symbols in the new Debian way
 * The way the prerm stops secnet accords with modern practice

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  debhelper compat: bump to 12 (stretch-backports)
Ian Jackson [Wed, 29 Dec 2021 23:50:38 +0000 (23:50 +0000)]
debhelper compat: bump to 12 (stretch-backports)

According to debdiff --controlfiles ALL the only change is a change to
the postinst, which now sometimes restarts rather than starts the
daemon.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  debian/rules: Use dh_prep instead of deprecated dh_clean -k
Ian Jackson [Wed, 29 Dec 2021 23:51:57 +0000 (23:51 +0000)]
debian/rules: Use dh_prep instead of deprecated dh_clean -k

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  changelog: start 0.6.2
Ian Jackson [Wed, 29 Dec 2021 23:46:39 +0000 (23:46 +0000)]
changelog: start 0.6.2

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  configure: bug reporting address
Ian Jackson [Thu, 23 Dec 2021 11:27:29 +0000 (11:27 +0000)]
configure: bug reporting address

The correct address is the secnet-discuss list.

Reported-by: Colin Watson <cjwatson@debian.org>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
2 years ago  comm-common.h: Remove unused `notify' variable
Colin Watson [Sun, 15 Aug 2021 05:04:02 +0000 (05:04 +0000)]
comm-common.h: Remove unused `notify' variable

This only needs to declare the `comm_notify_list' type, and declaring
the variable here without `extern' causes a multiple-definition link
failure on bullseye.

4 years ago  changelog: finalise 0.6.1  v0.6.1
Ian Jackson [Sun, 24 May 2020 21:14:34 +0000 (22:14 +0100)]
changelog: finalise 0.6.1

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  changelog: document changes since 0.6.0
Ian Jackson [Sun, 24 May 2020 21:13:37 +0000 (22:13 +0100)]
changelog: document changes since 0.6.0

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  Use CLOCK_MONOTONIC for all our timing needs, when possible
Ian Jackson [Mon, 30 Mar 2020 17:12:00 +0000 (18:12 +0100)]
Use CLOCK_MONOTONIC for all our timing needs, when possible

Otherwise we can malfunction if the clock warps.

This depends on an unreleased adns feature, so the warning is
currently not actually printed.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  autoconf: Check for adns_if_monotonic and define USE_MONOTONIC
Ian Jackson [Sun, 24 May 2020 17:36:10 +0000 (18:36 +0100)]
autoconf: Check for adns_if_monotonic and define USE_MONOTONIC

Nothing uses this yet.  Split out into its own commit for clarity.

This flag is not yet in any released version of adns but as adns
upstream I promise this is how it will be.  For my convenience I am
making secnet check for it ahead of its existence in public adns....

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  resolver: Break out adns_initflags value as variable
Ian Jackson [Sun, 24 May 2020 17:36:26 +0000 (18:36 +0100)]
resolver: Break out adns_initflags value as variable

This provides a single place to add flags, which we'll do in a moment.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  config parsing: When closure is of wrong type, report how
Ian Jackson [Sun, 24 May 2020 19:46:00 +0000 (20:46 +0100)]
config parsing: When closure is of wrong type, report how

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  Closures: Provide closure_type_name
Ian Jackson [Sun, 24 May 2020 19:45:22 +0000 (20:45 +0100)]
Closures: Provide closure_type_name

This will be used in error reporting.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  config parsing: site: Use cfgfatal_cl_type for transform
Ian Jackson [Sun, 24 May 2020 19:34:01 +0000 (20:34 +0100)]
config parsing: site: Use cfgfatal_cl_type for transform

Minor improvement to the message.  We are going to improve
cfgfatal_cl_type.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  config parsing: Break out cfgfatal_cl_type
Ian Jackson [Sun, 24 May 2020 19:33:26 +0000 (20:33 +0100)]
config parsing: Break out cfgfatal_cl_type

No functional change.  We are going to reuse and improve this.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  example.conf: Fix "transform" syntax
Ian Jackson [Sun, 24 May 2020 19:32:05 +0000 (20:32 +0100)]
example.conf: Fix "transform" syntax

These global closure names need to be invoked.

This was broken in 5b5f297f9a9d47ee
  site: support multiple transforms
(first released in 0.3.0)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  rsa: Print errno value if we fail to open key file
Ian Jackson [Sun, 24 May 2020 17:35:42 +0000 (18:35 +0100)]
rsa: Print errno value if we fail to open key file

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  rsa: Do not crash with -j if key file does not exist
Ian Jackson [Sun, 24 May 2020 12:42:09 +0000 (13:42 +0100)]
rsa: Do not crash with -j if key file does not exist

This was messed up by 58913a3b93a6
  rsa1: Break rsa_loadpriv_core out of rsapriv_apply
where the early exit path should have been handled in both places but
wasn't.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  log: Set log level for early logging
Ian Jackson [Sun, 24 May 2020 12:41:04 +0000 (13:41 +0100)]
log: Set log level for early logging

Unless ->level is set, logging is just a no-op.  We must set this
twice, because the system log is used to report command line parsing
errors, but the command line might increase the log level.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  example.conf: Use new name-prefixed format
Ian Jackson [Sun, 24 May 2020 18:11:09 +0000 (19:11 +0100)]
example.conf: Use new name-prefixed format

Otherwise it won't work at all.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: No longer use localhost addresses
Ian Jackson [Tue, 10 Mar 2020 18:44:37 +0000 (18:44 +0000)]
stest: No longer use localhost addresses

This will make testing polypath stuff more sensible.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  mtest/t-userv: Check lack of optional group in fragment
Ian Jackson [Tue, 10 Mar 2020 18:30:30 +0000 (18:30 +0000)]
mtest/t-userv: Check lack of optional group in fragment

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  make-secnet-sites: Tolerate missing group in userv sites file
Ian Jackson [Tue, 10 Mar 2020 18:26:16 +0000 (18:26 +0000)]
make-secnet-sites: Tolerate missing group in userv sites file

When processing a sites file fragment via userv, the group in the
provided file is supposed to be optional.  This was accidentally
regressed in 19482a2958fa
   make-secnet-sites: Do not write out unchecked output in sites

The additional call to w[2].groupname ought to have been conditional.
Now we have precisely the right code in OpBase, so simply call it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  mtest/t-userv: Test that output conf file is correct
Ian Jackson [Tue, 10 Mar 2020 17:55:58 +0000 (17:55 +0000)]
mtest/t-userv: Test that output conf file is correct

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  mtest/t-userv: Test that updated sites file is readable.
Ian Jackson [Tue, 10 Mar 2020 17:55:19 +0000 (17:55 +0000)]
mtest/t-userv: Test that updated sites file is readable.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  make-secnet-sites: Tolerate unused group in additions to location
Ian Jackson [Tue, 10 Mar 2020 18:00:57 +0000 (18:00 +0000)]
make-secnet-sites: Tolerate unused group in additions to location

When processing a sites file other than via userv, the group (if
specified) is not of any interest.

But since tainting, we need to bless it for re-output.  (This is
necessary even in modes where we don't actually write anything out,
like .conf generation.)

The correct place to do this is in OpConf's base class.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  mtest: Break out diff-mss-sites-conf
Ian Jackson [Tue, 10 Mar 2020 17:54:39 +0000 (17:54 +0000)]
mtest: Break out diff-mss-sites-conf

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  mtest/t-userv: Check that user in wrong group is rejected
Ian Jackson [Tue, 10 Mar 2020 18:16:18 +0000 (18:16 +0000)]
mtest/t-userv: Check that user in wrong group is rejected

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  make-secnet-sites: Fix error handling if caller is in wrong group
Ian Jackson [Tue, 10 Mar 2020 18:16:44 +0000 (18:16 +0000)]
make-secnet-sites: Fix error handling if caller is in wrong group

We would crash with an unbound variable error, instead of the right
error message.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  Makefiles: Use Final.sd.mk to implement RECHECK_RM
Ian Jackson [Sun, 16 Feb 2020 18:06:23 +0000 (18:06 +0000)]
Makefiles: Use Final.sd.mk to implement RECHECK_RM

This is now read by make after all the other makefiles.  This allows
us to move the addition of {stest,mtest}/d-* to RECHECK_RM from
Dir.sd.mk into test-common.sd.mk, where it belongs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  Merge subdirmk 0.4
Ian Jackson [Sun, 16 Feb 2020 18:45:25 +0000 (18:45 +0000)]
Merge subdirmk 0.4

git subtree pull.  Fix up test-example/Dir.sd.mk for the incompatible
change (`&${' needs to become `&{').

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  README: Update copyright date
Ian Jackson [Sun, 16 Feb 2020 18:39:51 +0000 (18:39 +0000)]
README: Update copyright date

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  README: Fix documentation errors relating to &{ etc.
Ian Jackson [Sun, 16 Feb 2020 17:29:52 +0000 (17:29 +0000)]
README: Fix documentation errors relating to &{ etc.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  logging: site: Log state on PHASE_RUN entry instead of initially
Ian Jackson [Sun, 16 Feb 2020 15:06:34 +0000 (15:06 +0000)]
logging: site: Log state on PHASE_RUN entry instead of initially

site_startup calls enter_state_run which would print a message, but
logging is not set up that early.  The result is a message printed to
stderr before daemonisation.

We can distinguish this situation from other calls to enter_state_run
because the old state is SITE_STOP, which only occurs between config
reading (closure invocation) and site_startup being called.
So we can suppress this message.

But it did serve a purpose: it would only be printed if the site was
listed in `sites'; otherwise site_startup wouldn't be called and the
`entering state RUN' message would be absent.

So instead we provide a more explicit way to tell: on entering
PHASE_RUN, site_startup has either been called, or not.  And logging
is set up.  state is then STOP or RUN.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  site: Rename site_phase_hook to site_phase_shutdown_hook
Ian Jackson [Sun, 16 Feb 2020 15:06:00 +0000 (15:06 +0000)]
site: Rename site_phase_hook to site_phase_shutdown_hook

This is misnamed.  And we are going to add yet another phase hook.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  logging: Move "starting" message earlier
Ian Jackson [Sun, 16 Feb 2020 14:47:24 +0000 (14:47 +0000)]
logging: Move "starting" message earlier

We are going to add some log messages to PHASE_RUN hooks.  We want the
overall startup message to come first.  Doing this right after
PHASE_DAEMONIZE makes sense as PHASE_DAEMONIZE now sets up logging,
too.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  site: Change site->control(bool_t) to site->startup()
Ian Jackson [Sun, 16 Feb 2020 14:23:24 +0000 (14:23 +0000)]
site: Change site->control(bool_t) to site->startup()

This is only ever called with run=True.  We are going to want to rely
on this property.

If we ever do more runtime reconfig that will be done differently.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  logging; site: Do not log transport_peers_clear if already clear
Ian Jackson [Sun, 16 Feb 2020 14:18:49 +0000 (14:18 +0000)]
logging; site: Do not log transport_peers_clear if already clear

This suppresses a pointless message at startup.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  logging: site: Introduce transport_peers_init which doesn't log
Ian Jackson [Sun, 16 Feb 2020 14:21:09 +0000 (14:21 +0000)]
logging: site: Introduce transport_peers_init which doesn't log

This eliminates some spurious startup messages.  It also allows
transport_peers_clear to read *peers, since it doesn't have to do
initialisation.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  logging: start rather earlier
Ian Jackson [Sun, 16 Feb 2020 14:42:31 +0000 (14:42 +0000)]
logging: start rather earlier

This moves some messages printed by early netlink and polypath
setup to the proper logfile / syslog directly, rather than having them
captured by the stderr capture from daemonize.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  startup: Break out start_sites
Ian Jackson [Sun, 16 Feb 2020 13:21:00 +0000 (13:21 +0000)]
startup: Break out start_sites

We were going to want to change when this happens.  But actually it
seems that is not right.  Keep the commit anyway, as I think it
improves clarity a bit.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  changelog: Start 0.6.1
Ian Jackson [Sun, 16 Feb 2020 13:00:49 +0000 (13:00 +0000)]
changelog: Start 0.6.1

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  Finalise 0.6.0  v0.6.0
Ian Jackson [Sun, 16 Feb 2020 12:48:27 +0000 (12:48 +0000)]
Finalise 0.6.0

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  configure[.ac]: Arrange to cope with jessie's gcc
Ian Jackson [Sun, 16 Feb 2020 12:39:39 +0000 (12:39 +0000)]
configure[.ac]: Arrange to cope with jessie's gcc

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  Revert "site, pubkeys: Avoid for (int a=..."
Ian Jackson [Sun, 16 Feb 2020 12:40:51 +0000 (12:40 +0000)]
Revert "site, pubkeys: Avoid for (int a=..."

This reverts commit 983e0900816ece898f3d53a530fe0f2c73932bbc.

4 years ago  site, pubkeys: Avoid for (int a=...
Ian Jackson [Sun, 16 Feb 2020 12:11:34 +0000 (12:11 +0000)]
site, pubkeys: Avoid for (int a=...

In jessie, gcc hates this unless you pass -std=gnu11 or something.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  make-secnet-sites: Do ascii conversion after % format
Ian Jackson [Sun, 16 Feb 2020 12:10:50 +0000 (12:10 +0000)]
make-secnet-sites: Do ascii conversion after % format

In Python 3.4 (jessie) the % operator cannot take a bytes format.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  changelog: Fix typo
Ian Jackson [Sun, 16 Feb 2020 11:27:43 +0000 (11:27 +0000)]
changelog: Fix typo

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  pretest-to-tested: Do not descend into subtree histories
Ian Jackson [Sat, 15 Feb 2020 22:05:52 +0000 (22:05 +0000)]
pretest-to-tested: Do not descend into subtree histories

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  changelog: tidy up changes since 0.5.1
Ian Jackson [Fri, 14 Feb 2020 20:45:23 +0000 (20:45 +0000)]
changelog: tidy up changes since 0.5.1

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  changelog: tidy up changes since 0.5.1
Ian Jackson [Fri, 14 Feb 2020 19:13:37 +0000 (19:13 +0000)]
changelog: tidy up changes since 0.5.1

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  changelog: add notes about changes since 0.5.1
Ian Jackson [Fri, 14 Feb 2020 18:30:05 +0000 (18:30 +0000)]
changelog: add notes about changes since 0.5.1

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  changelog: work on documentation of changes since ea31544cc33a
Ian Jackson [Fri, 14 Feb 2020 15:52:11 +0000 (15:52 +0000)]
changelog: work on documentation of changes since ea31544cc33a

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  sig: Abolish sethash and defhash everywhere
Ian Jackson [Thu, 13 Feb 2020 17:13:11 +0000 (17:13 +0000)]
sig: Abolish sethash and defhash everywhere

The only consumer of this wrongheaded interface was rsa1, which has
been updated.  Delete it all.

There is nothing to delete in the documentation, mostly because much
of this wasn't documented when we introduced it.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  rsa: Bring hash selection in-house
Ian Jackson [Thu, 13 Feb 2020 17:10:56 +0000 (17:10 +0000)]
rsa: Bring hash selection in-house

In
  13b8fbf4548f3457b02afd36e9284d39839d6f85
  sig: Move hashing into algorithm
we introduced a scheme where for rsa1 the hash function is stored
in the signature scheme's key structure, but provided by the caller.

The intent was to allow defaulting, with context-specific overrides.
However, this does not work correctly.  In particular, most sites
have a single "local-key" setting at the top level in the main config,
but take "hash" keys from the sites file.

The result is that as the various sites are initialised, ->sethash is
called multiple times, once for each site.  Possibly with different
hash_if's.  I did not foresee this and it is clearly wrong.

If all the hash_if's are sha1 then this is harmless.  However, they
might not be, in particular if certain site(s) or vpn(s) in the sites
file(s) specify a different hash.  Such a configuration would be
rather wrong, because it would imply reuse of the same raw RSA key
material with a different hash function.  (Also since the default hash
is sha1 and historically the only alternative was md5, this is surely
wrong simply because it implies md5 is being used somewhere.)

But it has come to my attention that such installations exist.  Even a
non-operational, vestigial, use of a different hash, can cause
lossage.

To fix this properly and allow hash-agility with a single private key,
we would have to have call sites continue to look up the hash, but to
pass it into the signature function.  This is too annoying,
particularly when it is in support only of unreasonable and very old
configurations.

Instead, change the semantics so that the two rsa closure verbs nail
down their hash at key load time, defaulting to sha1.  The "hash"
config key is now looked up sort of implicitly in the context.  This
is slightly odd, but it has roughly the right effect with sites.conf
files generated by make-secnet-sites.  And it is contained within the
rsa1 signature scheme which is a thing we should be replacing anyway.

This change makes it more clearly impossible (as it has, in fact, been
since 0.4.x) to use the same loaded private key with different hashes.

Installations which are only using sha1 with their rsa1 will just keep
working and all is well.

Installations which are using md5 everywhere can be made to work by
adding a global config hash= setting in every instance.

Installations which are using a mixture have a more complicated task
to keep things working (maybe loading the key twice, or propagating
hash information in sites files, or something), if they don't want a
flag day transition to sha1.

In the future for rsa1, what hash a site is using becomes a property
which should be carried with public key; so a non-sha1 hash must be
specified in the config file (alongside `local-key') and also
documented in the sites file entry.

For forthcoming non-rsa1 algorithms hash choice will be handled within
the signature scheme in a less irregular way, and this "hash" key will
thereby become obsolete.

Reported-by: Matthew Vernon <matthewv@chiark.greenend.org.uk>
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  config: Reject rather than silently ignoring wrong closure values
Ian Jackson [Thu, 13 Feb 2020 17:02:57 +0000 (17:02 +0000)]
config: Reject rather than silently ignoring wrong closure values

find_cl_if(...,fail_if_invalid=False,...) is only called in places
where a particular closure, or nothing, is expected.

It is really not a good idea for this function to silently ignore
config keys of the wrong type.  It should behave more like
dict_read_number and dict_read_bool.

There are possible compatibility implications, but they can be solved
by deleting the wrong (currently-ignored) information from the config
file(s).

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  sha1: Provide sha1_hash_if
Ian Jackson [Thu, 13 Feb 2020 16:55:51 +0000 (16:55 +0000)]
sha1: Provide sha1_hash_if

This will be useful in a moment.

As a side effect, the sha1 st is statically allocated now.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  rsa: Provide dict context argument in load_ctx
Ian Jackson [Thu, 13 Feb 2020 16:48:37 +0000 (16:48 +0000)]
rsa: Provide dict context argument in load_ctx

This is going to be used to make the old rsa-public and rsa-private
names honour a "hash" dictionary key in the context.

The new generic privcache and keyset machinery will use a fixed hash
so does not pass the dictionary.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  mobile sites: Do not ever expire peer addresses
Ian Jackson [Sun, 2 Feb 2020 12:22:57 +0000 (12:22 +0000)]
mobile sites: Do not ever expire peer addresses

For mobile sites, peer addresses come from our config or DNS name
lookup.  Ones that are not working now may work later in a different
network environment.  The mobile end is in charge of public path
selection so it needs to retain the information to try these
currently-non-working addresses.

In practice, this change allows me to switch backwards and forwards
between the FOSDEM v6-only wifi, and my v4-only USB stick.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  test-example: Use subdirmk's new &:macro feature
Ian Jackson [Mon, 30 Dec 2019 12:02:26 +0000 (12:02 +0000)]
test-example: Use subdirmk's new &:macro feature

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  site: Always advertise all capabilities
Ian Jackson [Sat, 14 Dec 2019 15:19:32 +0000 (15:19 +0000)]
site: Always advertise all capabilities

The first version that can cope with this is 0.3.0 which is already
quite old (September 2013).  All older versions are quite badly
broken: eg, they use the serpent256-cbc transform.

This is the next phase in eventually getting rid of the distinction
between early and late capabilities.  When every running version of
secnet has this commit, we can declare every capability early since
every secnet will always advertise them early.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  build system: Fix race bug in recheck target
Ian Jackson [Sat, 14 Dec 2019 13:35:45 +0000 (13:35 +0000)]
build system: Fix race bug in recheck target

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  dh: Fix mpz padding bug in use of write_mpbin
Ian Jackson [Sun, 8 Dec 2019 13:15:37 +0000 (13:15 +0000)]
dh: Fix mpz padding bug in use of write_mpbin

If the BN needs less than buflen bytes, write_mpbin would write only
the first len bytes.  dh_makeshared wouldn't notice.  The remaining
bytes will be left uninitialised.

In current code this is only called from site.c, where it so happens
right now that this buffer is always zero on entry.  So the effect is
that we pad the bignum with zeroes at the LS end, which is wrong.

We can't just change this because it's baked into the protocol.
So actually implement it properly.

We do this in the write_mpbin function, renaming it, because the old
API for write_mpbin invites precisely this error.

I don't think this is of any significant consequence
cryptographically.  Perhaps we should introduce a non-anomalous
version of DH over prime fields.  Or perhaps we should just leave it
as is and expect to switch to X448 or something.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
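The padding defect described in this commit message, as an added example rather than secnet's own code: an encoder in the hazardous shape the message describes (writes only the bytes the number needs and returns that count) beside a fixed-width one that zero-pads at the most-significant end. A hex string stands in for mpz_get_str output so it runs without GMP; the 4-byte buffer and the sample value are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not secnet's code.  The bignum is represented as the hex
 * string mpz_get_str(NULL, 16, x) would produce (most significant digit
 * first, no leading zeros).  The caller in the commit wanted a buflen-byte
 * big-endian encoding but only ever got the leading len bytes written. */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex into exactly nbytes big-endian bytes at out, where
 * nbytes == (strlen(hex)+1)/2.  Returns false on a non-hex digit. */
static bool hex_decode_be(const char *hex, uint8_t *out, size_t nbytes) {
    size_t pos = strlen(hex);            /* consume digits from the low end */
    for (size_t i = nbytes; i-- > 0; ) {
        int lo = hexval(hex[--pos]);
        int hi = pos > 0 ? hexval(hex[--pos]) : 0;
        if (lo < 0 || hi < 0) return false;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}

/* The hazardous shape the commit message describes: writes only the len
 * bytes the number needs, starting at buf[0], and returns len.
 * buf[len..buflen) is left untouched.  A caller that then consumes all
 * buflen bytes has effectively appended whatever was there (zeros, in the
 * site.c case) at the least-significant end, i.e. multiplied the value by
 * 256^(buflen-len).  Returns 0 if the number does not fit. */
static size_t write_mpbin_hazardous(const char *hex, uint8_t *buf, size_t buflen) {
    size_t len = (strlen(hex) + 1) / 2;
    if (len == 0 || len > buflen) return 0;
    return hex_decode_be(hex, buf, len) ? len : 0;
}

/* Fixed-width encoding: the number occupies the last len bytes and the
 * leading buflen-len bytes are zero, so the encoded value is unchanged.
 * Returns false if the number does not fit in buflen bytes. */
static bool write_mpbin_padded(const char *hex, uint8_t *buf, size_t buflen) {
    size_t len = (strlen(hex) + 1) / 2;
    if (len == 0 || len > buflen) return false;
    memset(buf, 0, buflen - len);
    return hex_decode_be(hex, buf + (buflen - len), len);
}

/* Big-endian value of a buffer, for inspecting the results. */
static uint64_t be_value(const uint8_t *buf, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[i];
    return v;
}

#define DEMO_BUFLEN 4   /* constructed: a small stand-in for the DH buffer */

/* Model the site.c caller: a zero-initialised buflen-byte buffer, filled
 * by an encoder, then consumed whole.  Returns the value the consumer
 * would see, or -1 if the number does not fit. */
static int64_t demo_hazardous(const char *hex) {
    uint8_t buf[DEMO_BUFLEN] = {0};
    if (!write_mpbin_hazardous(hex, buf, sizeof buf)) return -1;
    return (int64_t)be_value(buf, sizeof buf);
}

static int64_t demo_padded(const char *hex) {
    uint8_t buf[DEMO_BUFLEN] = {0};
    if (!write_mpbin_padded(hex, buf, sizeof buf)) return -1;
    return (int64_t)be_value(buf, sizeof buf);
}

int main(void) {
    const char *x = "abc";   /* constructed sample: needs 2 of the 4 bytes */
    printf("hazardous: 0x%08llx\n", (unsigned long long)demo_hazardous(x));
    printf("padded:    0x%08llx\n", (unsigned long long)demo_padded(x));
    return 0;
}
```

With the sample value 0xabc the hazardous path yields 0x0abc0000 and the padded path 0x00000abc; a value that already fills the buffer encodes identically either way.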
4 years ago  dh: move write_mpbin into dh.c
Ian Jackson [Sun, 8 Dec 2019 13:13:34 +0000 (13:13 +0000)]
dh: move write_mpbin into dh.c

This function has a hazardous API.  In fact, the one call site misuses
it, as we shall see in a moment.

If we wanted a thing like this with a less hazardous API we probably
wouldn't base it on mpz_get_str nowadays.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: Print spawn rune on a line by itself
Ian Jackson [Sun, 8 Dec 2019 13:04:01 +0000 (13:04 +0000)]
stest: Print spawn rune on a line by itself

Especially useful with SECNET_STEST_DIVERT_*=i...: now you can c&p the
whole line.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: Allow SECNET_STEST_DIVERT_*='i <some stuff>'
Ian Jackson [Sun, 8 Dec 2019 12:56:16 +0000 (12:56 +0000)]
stest: Allow SECNET_STEST_DIVERT_*='i <some stuff>'

Eg,
  SECNET_STEST_DIVERT_inside='i gdb --args'
which causes it to print something like this
  spawn UDP_PRELOAD_DIR=./stest/d-nonnego-oo/s LD_PRELOAD=./stest/udp-preload.so:libgtk3-nocsd.so.0 gdb --args ./secnet -dvnc ./stest/d-nonnego-oo/inside.conf
which is convenient.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: Require SECNET_STEST_DIVERT_* paths to start / or ./
Ian Jackson [Sun, 8 Dec 2019 12:51:40 +0000 (12:51 +0000)]
stest: Require SECNET_STEST_DIVERT_* paths to start / or ./

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: When SECNET_STEST_DIVERT_* set, print diverted command too
Ian Jackson [Sun, 8 Dec 2019 12:50:21 +0000 (12:50 +0000)]
stest: When SECNET_STEST_DIVERT_* set, print diverted command too

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: Move puts $argl into divert branches
Ian Jackson [Sun, 8 Dec 2019 12:49:55 +0000 (12:49 +0000)]
stest: Move puts $argl into divert branches

We're going to want to do something slightly different in each one.

No functional change yet.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: Honour SECNET_STEST_TIMEOUT_MUL to multiply timeouts
Ian Jackson [Sun, 8 Dec 2019 12:46:11 +0000 (12:46 +0000)]
stest: Honour SECNET_STEST_TIMEOUT_MUL to multiply timeouts

This is handy, for example, when running under valgrind.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: Introduce adj-after
Ian Jackson [Sun, 8 Dec 2019 11:24:39 +0000 (11:24 +0000)]
stest: Introduce adj-after

We are going to want this to do something more complicated.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  parallel bisect scripts: Honour $1 as iteration count
Ian Jackson [Sun, 8 Dec 2019 10:58:45 +0000 (10:58 +0000)]
parallel bisect scripts: Honour $1 as iteration count

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  parallel bisect scripts: Better logging
Ian Jackson [Sun, 8 Dec 2019 02:15:48 +0000 (02:15 +0000)]
parallel bisect scripts: Better logging

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  parallel bisect scripts: ad-hoc
Ian Jackson [Sun, 8 Dec 2019 02:07:02 +0000 (02:07 +0000)]
parallel bisect scripts: ad-hoc

This is as I just used to bisect a P(1/256) bug.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  site: Move earlier all things needed for slog
Ian Jackson [Sun, 8 Dec 2019 10:19:19 +0000 (10:19 +0000)]
site: Move earlier all things needed for slog

Before this we actually read uninitialised memory!
But it was st->log_events which was generally all-bit-zero.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  log: Remove a now-redundant conditional
Ian Jackson [Sun, 8 Dec 2019 10:19:02 +0000 (10:19 +0000)]
log: Remove a now-redundant conditional

system_log is always non-NULL now.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  log: Provide system_log from the very start
Ian Jackson [Sun, 8 Dec 2019 10:17:27 +0000 (10:17 +0000)]
log: Provide system_log from the very start

It is just too inconvenient not to have this while reading the config.
Set up a default system_log which logs to stderr.  When setup_log
is called, system_log will be overwritten and this struct is no
longer used.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  log: Break out logfile_file_init
Ian Jackson [Sun, 8 Dec 2019 10:16:55 +0000 (10:16 +0000)]
log: Break out logfile_file_init

We are going to reuse this.

No functional change.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
4 years ago  stest: Add test for load-private
Ian Jackson [Sat, 7 Dec 2019 16:05:37 +0000 (16:05 +0000)]
stest: Add test for load-private

The resulting interface for privkey() is a bit odd: it's either a list
or a string, and we look at both ends.  Ah well, it's only test code.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>