kip issues
https://gitlab.com/arpa2/kip/-/issues
Updated: 2022-04-01T07:21:11Z

Issue #97: Replace `$UNBOUND_HOSTS` with `$UNBOUND_CONFIG`
https://gitlab.com/arpa2/kip/-/issues/97
Updated: 2022-04-01T07:21:11Z
Author: Rick van Rein

The tests use a replacement for `/etc/hosts` and go through a bit of effort to create it. This can be simplified with `$UNBOUND_CONFIG`, added in f4bf83dbf878484c828562f5936d8d04224da4aa.

Issue #96: Tone down error for `is_bind_style_root()`
https://gitlab.com/arpa2/kip/-/issues/96
Updated: 2022-01-19T13:42:00Z
Author: Rick van Rein

If it's not really an error, it shouldn't log like it is one.

Assignee: Rick van Rein

Issue #95: separate .fdx's for diasasl client and server
https://gitlab.com/arpa2/kip/-/issues/95
Updated: 2021-08-05T12:24:20Z
Author: Henri Manson

Issue #94: flow design of diasasl_* calls in mod_diasasl
https://gitlab.com/arpa2/kip/-/issues/94
Updated: 2021-08-05T12:23:37Z
Author: Henri Manson

Issue #92: Crash of fD plugin
https://gitlab.com/arpa2/kip/-/issues/92
Updated: 2021-07-08T05:58:48Z
Author: Rick van Rein

When removing envvars in a container, I saw fD crash. I chased it to the `strlen()` of a string that was NULL because `getenv()` failed. The code looked much like our test programs.

1. Would be nice if fD behaved more reliably than mere test programs ;-)
2. Why does fD need envvars? It has its own settings mechanism.
3. I don't know, but: Could fD not find what it needs in Requests and/or in DiaSASL?

Note that 3. is also a test for the DiaSASL design.

Assignee: Henri Manson

Issue #91: Scan source for TODOs
https://gitlab.com/arpa2/kip/-/issues/91
Updated: 2021-06-03T08:58:51Z
Author: Rick van Rein

Remedy the work -- mostly to be done before 1.0.0 can be released.

Milestone: Complete first KIP release

Issue #89: Improve Unbound dependency
https://gitlab.com/arpa2/kip/-/issues/89
Updated: 2021-02-01T14:59:22Z
Author: Rick van Rein

* [ ] It can be configured with its own `unbound.conf` file
* [ ] It can load its initial root key with `unbound-anchor`
* [ ] It can be configured with a dynamic port for `kipd`
* [ ] It can replace `/etc/hosts` mangling
* [ ] It can resolve locally, also for SRV records for KIP

Issue #86: GS2-SXOVER-PLUS breaks with installed package libsasl2-modules-gssapi-mit
https://gitlab.com/arpa2/kip/-/issues/86
Updated: 2022-03-31T15:48:19Z
Author: Rick van Rein

With [libsasl2-modules-gssapi-mit](https://packages.debian.org/buster/libsasl2-modules-gssapi-mit) installed, the SXOVER breaks down, presumably on the generic GS2-* support.
One message we've seen is `wrap_diameterd: Error: client incorrectly assumed server had no channel binding` that occurs [in `sasl_server_step`](https://github.com/cyrusimap/cyrus-sasl/blob/9b914e1d25d6414a2e4ef4c41a0a4ba27f20e79b/lib/server.c#L1662) presumably because the channel binding was [set to `_WANT`](https://github.com/cyrusimap/cyrus-sasl/blob/9b914e1d25d6414a2e4ef4c41a0a4ba27f20e79b/plugins/gs2.c#L516) in the generic [`gs2_server_mech_step`](https://github.com/cyrusimap/cyrus-sasl/blob/9b914e1d25d6414a2e4ef4c41a0a4ba27f20e79b/plugins/gs2.c#L327). Note that [`SCRAM` would set to `_USED`](https://github.com/cyrusimap/cyrus-sasl/blob/9b914e1d25d6414a2e4ef4c41a0a4ba27f20e79b/plugins/scram.c#L1507-L1518) in its [`scram_server_mech_step2`](https://github.com/cyrusimap/cyrus-sasl/blob/9b914e1d25d6414a2e4ef4c41a0a4ba27f20e79b/plugins/scram.c#L1160) procedure (but that may be a later message, not sure).

We are destined to remove the `GS2-` prefix because we want to establish end-to-end secrets, as those are meaningful during Realm Crossover. Therefore, this problem may go away when we do. For now, a "fix" is to remove the said package.

Issue #85: break SXOVER cyclic dependencies, break up package
https://gitlab.com/arpa2/kip/-/issues/85
Updated: 2021-12-16T13:01:53Z
Author: Rick van Rein

There is a cyclic dependency of SXOVER on KIP and KIP on SXOVER. Break it by moving SXOVER into Cyrus-SASL2 as a mechanism. Then take this package apart into separate ones.

[cyclic-kip.graphml](/uploads/34fb3d421e14468957e8327ccd3c248f/cyclic-kip.graphml)

![cyclic-kip](/uploads/a6ca649d242a7aa9f6fd322c3ef7ac63/cyclic-kip.png)

Milestone: Insecure but otherwise functional KIP

Issue #84: kip freediameter cleanup
https://gitlab.com/arpa2/kip/-/issues/84
Updated: 2021-02-03T14:04:32Z
Author: Henri Manson

Milestone: Insecure but otherwise functional KIP

Issue #80: Negotiate SASL protocols based on realm
https://gitlab.com/arpa2/kip/-/issues/80
Updated: 2020-09-09T14:10:58Z
Author: Henri Manson

Assignee: Henri Manson

Issue #77: Move SXOVER into libsasl2 or libgssapi
https://gitlab.com/arpa2/kip/-/issues/77
Updated: 2020-07-30T09:32:21Z
Author: Rick van Rein

Currently, we add the `GS2-SXOVER-PLUS` SASL mechanism in an `xsasl_*` API that shares the `qsasl_*` look. Disadvantages: (1) This only works on Quick SASL programs and (2) it entangles KIP with Quick SASL.
If we add the mechanism as a `libsasl2` plugin, which would include recursion as a part of SASL, we would have the mechanism available in all Cyrus-SASL2 applications, including Postfix; not sure about Dovecot, which may enforce its own Dovecot SASL, which has limited strength because it stores no state.

If we add the mechanism as a `libgssapi` plugin, the choice would be specific to a GSS-API implementation, but MIT krb5 does not seem to be a very confronting choice. It would include applications like OpenSSH, PuTTY and knc.

The best option seems to be a `libgssapi` plugin that wraps Cyrus SASL2:

* It adds SASL functionality to GSS-API protocols (completing the circle, maximum crossover)
* It reaches all SASL implementations that support GS2 through `libgssapi`, including `libsasl2` applications
* It reaches all Quick SASL applications; `xsasl_*` can probably be removed

Specifically interesting is that it supports all of KIP, Postfix, Dovecot?, OpenSSH, PuTTY, knc, ...

Assignee: Rick van Rein

Issue #76: Consider support for HOTP, TOTP and OCRA
https://gitlab.com/arpa2/kip/-/issues/76
Updated: 2020-10-27T10:30:09Z
Author: Rick van Rein

These are popular standards for using symmetric keys for everyday authentication. Integration with SASL is not defined yet, but might relate to password entry (though not seamlessly).

The mechanisms are standardised: See [HOTP](https://tools.ietf.org/html/rfc4226), [TOTP](https://tools.ietf.org/html/rfc6238.html), [OCRA](https://tools.ietf.org/html/rfc6287). The digit sequences could be output like the `kipkey_usermud()` operation, but with the dedicated forms of these standards.

Issue #75: Consider PSKC instead of / next to Keytabs
https://gitlab.com/arpa2/kip/-/issues/75
Updated: 2020-07-13T15:28:06Z
Author: Rick van Rein

We only use keytabs on services, so why have another format? Because [PSKC is standardised](https://tools.ietf.org/html/rfc6030) and integrates nicely with the HOTP, TOTP and OCRA standards.

Issue #73: Stop relying on ktutil; move to kipvhs
https://gitlab.com/arpa2/kip/-/issues/73
Updated: 2021-06-18T05:15:03Z
Author: Rick van Rein

Expand `kipvhs` with a `create` command for a service/vhost pair.
The `ktutil` interaction is unpleasant, and requires `krb5-user` which is fairly big.

Remove it from the documentation and, most importantly, from the "mkroot" component `internetwide/kip`.

Issue #68: Apache module HTTP SASL
https://gitlab.com/arpa2/kip/-/issues/68
Updated: 2020-06-08T11:17:32Z
Author: Rick van Rein

with Quick SASL (or Cyrus SASL) backend

Milestone: Demo Summer 2020
Assignee: Henri Manson

Issue #67: Cleanup passphrase entry
https://gitlab.com/arpa2/kip/-/issues/67
Updated: 2020-05-03T04:44:55Z
Author: Rick van Rein

It's confusing at the moment, with several levels for XoverSASL.

Perhaps extend the API with a `qsasl_setpass()` function, enabling forms like `qsasl_setpass (getenv ("QUICKSASL_PASSPHRASE"))` where a setting to `NULL` is interpreted as a request to interact with the user. This allows the use of different password variables for different protocol layers.

It would be more general to set up a callback function (as well). That starts to sound like a full-blown Cyrus-SASL reimplementation, though. For now, encapsulating that logic and coming back to it later is probably the more pleasant (as in, simpler to use) API.

Assignee: Rick van Rein

Issue #66: State export/recovery for Cyrus SASL
https://gitlab.com/arpa2/kip/-/issues/66
Updated: 2020-09-09T14:17:44Z
Author: Rick van Rein

The Cyrus SASL library, and its various mechanisms, keep state while processing requests. For HTTP, this is not permitted and for Diameter this may be better to avoid. So, to complete the embedding, the internal state after a step must be stored (with signature and encryption to avoid abuse) in an `s2s` or `State` attribute that the client reflects back for the next step, so that it may be recovered for the next server step.
This will involve

* Mechanism choice (and state)
* Gathered mechanism-specific data
* Gathered generic server state
* Gathered generic output state

Most of the data is present as (string,length) and should be easy to store and recover.

Milestone: Demo Summer 2020

Issue #65: Channel Binding for SXOVER from Diameter
https://gitlab.com/arpa2/kip/-/issues/65
Updated: 2020-09-09T14:13:29Z
Author: Rick van Rein

Registration of the information of the right type via

```
/* Supported types of channel binding.
 */
typedef enum qsaslt_chanbind {
	QSA_INDISCRIMINATE,
	QSA_TLS_UNIQUE,
	//TODO// server-endpoint-name, perhaps needed for HTTPS
} qsaslt_chanbind;

/* Set the Channel Binding information for a given type.
 */
bool qsasl_set_chanbind (QuickSASL qsasl, qsaslt_chanbind type, bool enforce, dercursor value);
```

Milestone: Demo Summer 2020
Assignee: Henri Manson

Issue #64: Consider shamir key sharing for key import/export
https://gitlab.com/arpa2/kip/-/issues/64
Updated: 2020-04-12T11:47:17Z
Author: Rick van Rein

See https://github.com/satoshilabs/slips/blob/master/slip-0039.md
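Issues #76 and #75 above consider emitting HOTP/TOTP digit sequences and importing the symmetric keys for them. The following is an added example, not KIP project code, of what those "dedicated forms" compute: HOTP as in RFC 4226 (HMAC over the counter, dynamic truncation, decimal digits), TOTP as in RFC 6238 (the same with a time-derived counter), and the server-side checks that go with them (a constant-time compare, a look-ahead window for counter resynchronisation, a clock-skew window). OCRA (RFC 6287) is not implemented here. It uses only the Python standard library and is checked against the RFC test vectors, whose shared secret is the ASCII string `12345678901234567890`.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the RFC test vectors.

Added example for issues #76 and #75 (HOTP/TOTP/OCRA, PSKC); this is not
KIP project code, and OCRA (RFC 6287) is not implemented here.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 Appendix D / RFC 6238 Appendix B shared secret (20 ASCII bytes).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 section 5.3: HMAC over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 requires 6 to 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter T = floor((now - t0) / step)."""
    if now is None:
        now = int(time.time())
    return hotp(secret, (now - t0) // step, digits, digestmod)


def verify_hotp(secret: bytes, counter: int, candidate: str,
                window: int = 5, digits: int = 6) -> Optional[int]:
    """Validate an event-based OTP against the stored counter, allowing the
    token to have moved ahead by up to `window` events (RFC 4226 section 7.4,
    resynchronisation). Returns the next counter to store on success, None on
    failure. The compare is constant-time; the caller must still throttle
    failures (section 7.3), since a 6-digit code is brute-forceable."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def verify_totp(secret: bytes, candidate: str, now: Optional[int] = None,
                step: int = 30, skew: int = 1, digits: int = 6) -> bool:
    """Accept the current time step and `skew` steps either side of it
    (RFC 6238 section 5.2 recommends allowing at most one step of drift)."""
    if now is None:
        now = int(time.time())
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, now + k * step, step, 0, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_TEST_SECRET, c))          # 755224 287082 359152
    print(totp(RFC_TEST_SECRET, now=59, digits=8))  # 94287082
```

Note that the TOTP vector for T=59 (`94287082`) ends in the HOTP vector for counter 1 (`287082`): TOTP is literally HOTP with counter 59 // 30 = 1, the 8-digit form simply keeping two more digits of the same truncated HMAC. A keytab or PSKC file (RFC 6030) would carry `secret` together with the counter or time-step parameters used here.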
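The `s2s`/`State` attribute proposed in #66 above is, in effect, a server-side cookie: the server hands its per-exchange state to the client and must later be able to trust what comes back. The following is an added example, not KIP's or Cyrus SASL's code, of one way to do that "with signature and encryption to avoid abuse": encrypt-then-MAC with separate derived keys, a random nonce, an expiry so a captured blob cannot be replayed indefinitely, and tag verification in constant time before the ciphertext is touched. The blob layout (nonce || ciphertext || tag, base64url), the field names and the HMAC-SHA256 counter-mode stream cipher are this example's own choices, made so it runs with only the Python standard library; a production build would use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 in their place.

```python
"""Stateless server state for a multi-step SASL exchange (the `s2s` idea in
issue #66). Added example, not KIP or Cyrus SASL code; the wire format and the
HMAC-based stream cipher are illustrative choices, not a standard.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import struct
import time
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


class BadState(Exception):
    """The client returned a blob we did not issue, or one that has expired."""


def _subkey(master: bytes, label: bytes) -> bytes:
    # Distinct confidentiality and integrity keys derived from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: block i uses HMAC(key, nonce || i).
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal_state(master: bytes, state: dict, ttl: int = 60,
               now: Optional[int] = None) -> str:
    """Encrypt-then-MAC the server's state into one opaque string that the
    client must reflect back unchanged in its next step."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"exp": now + ttl, "st": state}, separators=(",", ":")).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_keystream(_subkey(master, b"enc"), nonce, payload)
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode("ascii")


def open_state(master: bytes, blob: str, now: Optional[int] = None) -> dict:
    """Recover the state: check the tag (constant time) before decrypting,
    then reject expired blobs."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(blob.encode("ascii"))
    except (binascii.Error, UnicodeEncodeError, ValueError) as e:
        raise BadState("undecodable blob") from e
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise BadState("blob too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expect = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise BadState("bad tag: tampered with, or issued under another key")
    obj = json.loads(_xor_keystream(_subkey(master, b"enc"), nonce, ct))
    if obj["exp"] < now:
        raise BadState("state expired")
    return obj["st"]


def demo() -> dict:
    """Round-trip a SCRAM-like step-1 state and show a tampered blob is rejected."""
    master = os.urandom(32)
    state = {"mech": "SCRAM-SHA-256", "step": 1, "server_nonce": "rOprNGfwEbeRWgbNEkqO"}
    blob = seal_state(master, state, now=1000)
    recovered = open_state(master, blob, now=1030)
    flipped = blob[:20] + ("A" if blob[20] != "A" else "B") + blob[21:]  # one char in the nonce region
    try:
        open_state(master, flipped, now=1030)
        tamper_detected = False
    except BadState:
        tamper_detected = True
    return {"recovered": recovered, "tamper_detected": tamper_detected}
```

The four items listed in #66 (mechanism choice, mechanism-specific data, generic server state, output state) would all go into the `state` dict as `(string, length)` values; because the blob is authenticated, the server can trust the mechanism name it reads back and does not have to re-negotiate it. The expiry is also what keeps a stateless server from accepting a first-step blob hours later, which is the "abuse" the issue's "signature and encryption" is meant to prevent.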