latchset / tang Goto Github PK

Applications should survive the removal of their data in /var/cache/ and regenerate them as necessary.

With Tang, one needs to explicitly run tangd-update after rm -rf /var/cache/tang. And even then, tangd-update fails to create /var/cache/tang since it doesn't run as root.

Hi,

I tried to compile v1 and master as of 2f1142c and both failed with

make
Making all in src
make[1]: Entering directory '/home/loic/software/tang/tang/src'
  CC       tangd-io.o
io.c:74:1: error: redefinition of ‘json_decrefp’
 json_decrefp(json_t **json)
 ^
In file included from io.h:22:0,
                 from io.c:20:
/usr/local/include/jansson.h:117:6: note: previous definition of ‘json_decrefp’ was here
 void json_decrefp(json_t **json)
      ^
Makefile:561: recipe for target 'tangd-io.o' failed
make[1]: *** [tangd-io.o] Error 1
make[1]: Leaving directory '/home/loic/software/tang/tang/src'
Makefile:703: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

I compiled the dependencies using:

• https://github.com/nodejs/http-parser commit feae95a3a69f111bc1897b9048d9acbc290992f9 (HEAD -> master, tag: v2.7.1, origin/master, origin/HEAD)
• https://github.com/akheron/jansson commit 98be7da3e2cc256e16d3c9f76b3a0053a930eb2c (HEAD -> master, origin/master, origin/HEAD)
• https://github.com/latchset/jose commit e143d087d3ade6e03bcfc9b1b1549d26b654065b (HEAD -> master, origin/master, origin/HEAD)

I guess it would be better to use a jansson release instead of master (2.7 maybe ?) but jose requires 2.9 which is only provided with master. Or maybe I should use a jose release but I'm not sure which one.

Any hint to resolve that properly would be much appreciated. If there exists packages for those in any distribution it would also be a good way to figure out the right set of dependencies.

Thanks !

Don't crash.

Causes

system:

• tang: centos 7, 3.10.0-862.3.2.el7.x86_64
• clevis: ubuntu 18.04, 4.15.0-23-generic #25-Ubuntu

case 1:

# DB=/var/db/tang
 jose jwk gen -i '{"alg":"ES512"}' -o $DB/new_sig.jwk
 jose jwk gen -i '{"alg":"ECMR"}' -o $DB/new_exc.jwk

hide old keys by renaming

case 2:

tangd-keygen /var/db/tang

In both cases, the service return 404.

Partial Fixes:

tangd-update /var/db/tang /var/db/cache

The services now return 200 (at least most of the time) and execute tangd-update again will most certainly do it.

CRITICAL PROBLEM

system: ubuntu 18.04

setup BEFORE key rotation

clevis luks bind -d /dev/sda tang '{"url":...}'
systemctl enable clevis-luks-askpass.path

decrypt at boot works properly before key rotation

FAILED: after key rotation

• old keys still exists
• cached updated
• verified: curl -vf http://tang../adv

http-parser is not actively maintained and maintainers suggest switching to llhttp
nodejs/http-parser#522

Hello,

tang 7 introduced rendering the manpages during build, using asciidoc. However, asciidoc is EOL, see for example https://github.com/asciidoc/asciidoc/releases.

Switching to asciidoctor is fairly simple, however the invocation is not identical. I'll use

-	$(A2X) -f manpage $^ -D $(top_builddir)/$$(dirname $@)
+	$(A2X) --attribute reproducible --backend=manpage  $^ -D $(top_builddir)/$$(dirname $@)

in the Debian packaging (after exchanging the A2X definition, of course).

Run this script:

gensig() {
  jwe=`jose jwk gen -i '{"alg":"ES512"}'`
  sig=`echo "$jwe" | jose jwk thp -i-`
  echo $sig
  echo "$jwe" > /var/db/tang/$sig.jwk
}

rm -rf /var/db/tang/* /var/cache/tang/*
gensig
gensig
gensig
gensig
gensig
systemctl start tangd-update

sleep 1
echo ====
cat /var/cache/tang/default.jws | jose fmt -j- -g payload -y -o- | jose jwk thp -i-

It puts five signing keys into /var/db/tang, but default.jws never contains more than three of them for me. Here is a typical output:

ftVX1t2ls9G2X3SNfFXrGtFWq7Y
B7U_kOUlaes4yuPtiAwUqzCL2Lc
OChmt6EW-jDmEnkHPoRcfQGHfDA
wVT1AuHo2ZIcbbSzbZ25YavgPbQ
dtkh3lW40H2bkJkOlEBw6N952Po
====
B7U_kOUlaes4yuPtiAwUqzCL2Lc
ftVX1t2ls9G2X3SNfFXrGtFWq7Y

Looking at the journal, tangd-udpate is only started once for each run of the script, probably triggered by the rm. The explicit start doesn't do anything, probably because it is still running.

Changing systemctl start tangd-update to restart makes it all work.

This also happens for me with just tangd-keygen. In our test VMs, the "deriveKey" key that is generated last by tangd-keygen is almost always missing from the cache when we start tangd.socket.

So, for reliability, we should tell people to run systemctl restart tangd-update after making changes to /var/db/tang. Which kinda makes tangd-update.path superfluous, no?

This do-while in tang-gen.c is problematic. I'm not sure why loop is needed but
either existance/access checks are needed or, as a last resort, bail out after
a set number of loops.

Happy to patch this myself but needed to find out why the do-while is there
first :)

} else {
    do {
        r = keyfilegen(dbdir, filename);
        if (r != 0)
            error(EXIT_FAILURE, r, "Error generating keyfile name");

        file = fopen(filename, "wx");
    } while (!file);
}   

The server should figure out how to punch a hold in firewalld to allow easier deployment.

https://github.com/latchset/tang#docker-container links to https://gitlab.com/AdrianKoshka/tang-docker-container -> 404

#27 does mention https://github.com/AdrianKoshka/tang-docker-container too -> also 404

The only thing that works is mentioned as https://github.com/cloggo/tangd https://hub.docker.com/r/cloggo/tangd
However, that is a third-party implementation (not this project) of Tang in NodeJS.

So what to do about this? (Maybe you can make an official Docker container/maybe host/revive the old one whose repo has been deleted)

I'll admit that I'm coming at this as a new user to Tang and Clevis, so I could be missing something, but right now I'm not seeing any option for operational logs.

Eg journalctl -xn -u tangd.socket will only show the start-up of the socket.

I'd very much like to see typical syslog output in line with something like:

Feb 10 14:40:05 tangserver.college.edu tangd: issued adv key to 10.1.2.3
etc...

Thanks!

Does anyone actually use tang without systemd and the supplied xinetd services instead?
I see a few issues:

1. The service just exposes tangd itself, not the directory watch / key update aspect
2. I can't get it to work, with tang (Ubuntu Eoan 7-1build) on Ubuntu running on xinet, running both xinetd and tangd as non-root user): the service starts but does not respond to a tang-show-keys or manual curl request to /adv: the response only contains a header but stalls on the data portion. Only when I kill the xinetd-spawned tangd process I get the data in response to the query.

My understanding of the protocol is that it currently depends on classical cryptography: FFC or ECC.

Most of algorithms in consideration in the post-quantum selection process do not operate on groups though. With exception of SIKE – Supersingular Isogeny Key Exchange (or SIDH).

Maybe we should consider implementing support for it? (using two algorithms in parallel, like in CECPQ1, may be a good idea)

Are there any plans to implement a backend that does not rely on file system backends?

If tang is running on a system with an ephemeral filesystem, having the cache on the FS is fine, but the keys that currently reside in the db directory would be perfect candidates for an off-box object or KV storage.

This is happening on the current Fedora 32 image with tang-7-4.fc32.x86_64.

How to reproduce:

1. $ sudo jose jwk gen -i '{"alg":"ES512"}' -o /var/db/tang/newsig.jwk
2. $ sudo jose jwk gen -i '{"alg":"ECMR"}' -o /var/db/tang/newexc.jwk
3. $ sudo curl -sSf 127.0.0.1/adv

The last command returns curl: (52) Empty reply from server and when I look into journal I see:

Feb 25 06:20:17 localhost.localdomain systemd[1]: Started Tang Server (127.0.0.1:45812).
Feb 25 06:20:17 localhost.localdomain kernel: kauditd_printk_skb: 8 callbacks suppressed
Feb 25 06:20:17 localhost.localdomain kernel: audit: type=1130 audit(1582629617.351:617): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='[email protected]:80-127.0.0.1:45812 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 25 06:20:17 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='[email protected]:80-127.0.0.1:45812 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 25 06:20:17 localhost.localdomain kernel: traps: tangd[29766] general protection fault ip:55ce5a4ad8f2 sp:7ffcb4a05f80 error:0 in tangd[55ce5a4ad000+2000]
Feb 25 06:20:17 localhost.localdomain audit[29766]: ANOM_ABEND auid=4294967295 uid=981 gid=981 ses=4294967295 subj=system_u:system_r:tangd_t:s0 pid=29766 comm="tangd" exe="/usr/libexec/tangd" sig=11 res=1
Feb 25 06:20:17 localhost.localdomain kernel: audit: type=1701 audit(1582629617.375:618): auid=4294967295 uid=981 gid=981 ses=4294967295 subj=system_u:system_r:tangd_t:s0 pid=29766 comm="tangd" exe="/usr/libexec/tangd" sig=11 res=1
Feb 25 06:20:17 localhost.localdomain audit: BPF prog-id=163 op=LOAD
Feb 25 06:20:17 localhost.localdomain kernel: audit: type=1334 audit(1582629617.408:619): prog-id=163 op=LOAD
Feb 25 06:20:17 localhost.localdomain audit: BPF prog-id=164 op=LOAD
Feb 25 06:20:17 localhost.localdomain kernel: audit: type=1334 audit(1582629617.411:620): prog-id=164 op=LOAD
Feb 25 06:20:17 localhost.localdomain kernel: audit: type=1334 audit(1582629617.413:621): prog-id=165 op=LOAD
Feb 25 06:20:17 localhost.localdomain audit: BPF prog-id=165 op=LOAD
Feb 25 06:20:17 localhost.localdomain systemd[1]: Started Process Core Dump (PID 29767/UID 0).
Feb 25 06:20:17 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@9-29767-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 25 06:20:17 localhost.localdomain kernel: audit: type=1130 audit(1582629617.418:622): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@9-29767-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 25 06:20:17 localhost.localdomain systemd[1]: [email protected]:80-127.0.0.1:45812.service: Main process exited, code=dumped, status=11/SEGV
Feb 25 06:20:17 localhost.localdomain systemd[1]: [email protected]:80-127.0.0.1:45812.service: Failed with result 'core-dump'.
Feb 25 06:20:17 localhost.localdomain kernel: audit: type=1131 audit(1582629617.713:623): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='[email protected]:80-127.0.0.1:45812 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 25 06:20:17 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='[email protected]:80-127.0.0.1:45812 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 25 06:20:17 localhost.localdomain systemd-coredump[29768]: Process 29766 (tangd) of user 981 dumped core.
                                                               
                                                               Stack trace of thread 29766:
                                                               #0  0x000055ce5a4ad8f2 on_url (tangd + 0x28f2)
                                                               #1  0x00007f42308ac579 http_parser_execute (libhttp_parser.so.2 + 0x4579)
                                                               #2  0x000055ce5a4ad6f0 main (tangd + 0x26f0)
                                                               #3  0x00007f42306ea042 __libc_start_main (libc.so.6 + 0x27042)
                                                               #4  0x000055ce5a4ad7ae _start (tangd + 0x27ae)

Verifpal® is new software for verifying the security of cryptographic protocols. Building upon contemporary research in symbolic formal verification, Verifpal’s main aim is to appeal more to real-world practitioners, students and engineers without sacrificing comprehensive formal verification features.

https://verifpal.com/

As such, I think, it would be a good thing to have some Verifpal models for this software and thus verify the security properties formally. (In that easy way, verifpal is way easier than these other formal-proof verification systems.)

Hi,
I have tried to build tang from sources and did not succeed nor think that I have done something wrong.
Command dnf install -y tang installs tang successfully without downloading other packages.

Virtual machine:

# uname -a
Linux tang-server24 4.5.5-300.fc24.x86_64 #1 SMP Thu May 19 13:05:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Steps to reproduce:

# git clone https://github.com/latchset/tang.git
Cloning into 'tang'...
remote: Counting objects: 1008, done.
remote: Total 1008 (delta 0), reused 0 (delta 0), pack-reused 1008
Receiving objects: 100% (1008/1008), 299.99 KiB | 0 bytes/s, done.
Resolving deltas: 100% (677/677), done.
Checking connectivity... done.
# cd tang 
# autoreconf -ifv
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force 
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf --force
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:4: installing './compile'
configure.ac:3: installing './config.guess'
configure.ac:3: installing './config.sub'
configure.ac:7: installing './install-sh'
configure.ac:7: installing './missing'
Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
autoreconf: Leaving directory `.'
# ./configure --prefix=/usr
configure: loading site script /usr/share/config.site
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for gcc option to accept ISO C99... none needed
checking for a sed that does not truncate output... /usr/bin/sed
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking dependency style of gcc... gcc3
checking whether make supports nested variables... (cached) yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.25... yes
checking for dlopen in -ldl... yes
checking for http_parser.h... yes
checking for http_parser_execute in -lhttp_parser... yes
checking for jose_zlib... no
configure: error: Package requirements (jose-zlib >= 5) were not met:

No package 'jose-zlib' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables jose_zlib_CFLAGS
and jose_zlib_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

Packages installed:

# rpm -qa | grep jose
libjose-openssl-6-3.fc24.x86_64
libjose-6-3.fc24.x86_64
jose-6-3.fc24.x86_64
libjose-zlib-6-3.fc24.x86_64
# rpm -qa | grep zlib
zlib-1.2.8-10.fc24.x86_64
libjose-zlib-6-3.fc24.x86_64

Am I missing something?

Thank you very much for any help!

Tibor.

If a user downloads the latest tag: https://github.com/latchset/tang/releases/tag/v7

The install will not include the needed meson.build files if they are trying to install from source

TIL: The two After=... declarations in tangd.socket are being started in parallel. So if tangd-update starts checking @jwkdir@ before tangd-keygen wrote both files, the .jws in @cachedir@ will be incomplete. This happened here with relatively slow armhf hardware.

In that situation, an attempt to use that tang server with "clevis encrypt tang" will trigger a message "Key derivation key not available!", Debian Bug report is https://bugs.debian.org/975343

As a solution I suggest to move the

Requires=tangd-keygen.service
After=tangd-keygen.service

from tangd.socket to tangd-update.service, that worked for me.

Related, the entire logic around the keygen script seems a little fragile if operation is interrupted mid-way:

Writing the data to a temporary file first and atomically move them to the final location - as seen in the update script - avoids creation of zero-sized files. Alternatively, that job could already be done by jose, see latchset/jose#88.

Still, in case of an interruption, key generation will not be resumed since the ConditionDirectoryNotEmpty= in tangd-keygen.service will no longer apply. Perhaps there is a systemd way to deal with that, I'd just touch a "key-created" semaphore in @jwkdir@ - and as a next step merge keygen and update into a single script since detecting the necessity of having to create key is easy then. But perhaps I missed a use case here.

Hi there,

i have to upgrade from tang 7.2 (Debian Buster) to 8.3 (Debian Bullseye).
My tang servs already a few other servers
it there anything i have to watch bevor/while/after a distrib upgrade?

I wanted to setup tang, but also am using fedora atomic host, and thought I could just whip up a quick docker container to run tang for me. I was very wrong, after countless hours I've pretty much gotten no-where. Due to the way tangd is designed, is it possible to run it from a docker container at all and have it work properly? The repo for anyone interested: https://github.com/AdrianKoshka/tang-docker-container

The issue I would run into is that I'd never get tang to respond properly on port 80. Curl would always say connection reset by peer, or that the response was empty.

Title speaks for itself:

What are the origins of the name TANG for this project?

Support pushing keys to the client from the server.

When the tangd.socket unit is started, it makes sure that a initial set of keys is created. This happens in the background and tangd might accept its first connection before /var/cache/tang is fully populated.

To see this, run this script a couple of times:

PORT=80

systemctl stop tangd.socket
rm -rf /var/db/tang/* /var/cache/tang/*
sleep 1 # let the tangd-update finish that has been triggered by rm above

systemctl start tangd.socket
while ! curl -sSf localhost:$PORT/adv >/dev/null; do true; done

I get one or more curl: (22) The requested URL returned error: 404 Not Found before tangd returns the advertisement.

I think this is super hard to hit for connections that come in from the network, but it's still a bug, I'd say. Tangd should only start accepting connections once the initial key generation and cache preparation has finished.

(If you run the script too fast in a row, you will hit the default systemd start limit for tangd-update.service, and the cache wont be ready ever. Just wait a bit if that happens. "Too fast" is more than 5 times in 10 seconds.)

An unpleasant surprise was the inability to manage services via systemd and the high workload of the server. When trying to do something with the services, I got the error: Failed to load daemon: No buffer space available.

It turned out that there are 77 334 systemd units in the system of the form tangd@53241-<local ip>:80-<remote ip>:49204.service.

# systemctl list-units --all | grep tang
...
● tangd@9993-<local ip>:80-<remote ip>:41608.service                                         loaded    failed   failed    Tang Server
● tangd@9994-<local ip>:80-<remote ip>:41642.service                                         loaded    failed   failed    Tang Server
● tangd@9995-<local ip>:80-<remote ip>:41648.service                                         loaded    failed   failed    Tang Server
● tangd@9996-<local ip>:80-<remote ip>:41654.service                                         loaded    failed   failed    Tang Server
● tangd@9997-<local ip>:80-<remote ip>:41664.service                                         loaded    failed   failed    Tang Server
● tangd@9998-<local ip>:80-<remote ip>:41670.service                                         loaded    failed   failed    Tang Server
...

If I check log via journalctl -xeu tangd@63-...:62934.service I see this:

May 04 16:44:16 test-node-2 tangd[29047]: HTTP Parsing Error: invalid HTTP method

While building tang from source (...since apt install installed a buggy version 7) and installing it on Ubuntu 20.04, I bumped into some issues:

• The systemd service expects a tang user to be present on the system, which wasn't documented anywhere in the build instructions.
• Tang fails with Error calling stat() on path: /usr/local/var/db/tang: Permission denied. After adding o+rx permissions for each folder in the entire path I could start tang.

http-parser HEAD version is required. In v2.7.1 http_parser.h does not contain HTTP_STATUS_MAP.

upstream bug filed: nodejs/http-parser#394

After migrating from Travis to Github actions, it seems no compilation in Freebsd is performed. It would be great to add a pair of additional steps to compile and test in Freebsd operating system.

Hi,

I have installed the tang 7-1+deb10u1 on debian 10.8 and notice that after a while the service fails with:
tangd.socket: Trigger limit hit, refusing further activation.
tangd.socket: Failed with result 'trigger-limit-hit'.
At the moment only one clevis client exists, and does work for a short while when the service is restarted.

Any help much appreciated.

Thanks,
Tania

I guess to have some formal protocol specification would be great.

Especially so one could rewrite this in secure languages like Rust to rewrite the server component.

Also, I would generally call for rewrite this in memory-safe language like Rust. (in the future, maybe, of course)

Aka my idea would be to split this up and have:

• a tang-protocol that defines the endpoints/APIs (maybe also CLI tools) and how it can be used
• different implementations of that protocol like tang-c (this one here) and tang-rust etc.

To have a specification is e.g. also useful for #46 for instance.

In the readme, where the cryptographic algorithm is described, it would be nice to reference an academic article, where the algorithm is analysed further. Does one exist?

Hi,

I'm ttying to figure out how I can use tang + clevis in a public setup.

My idea was to develop an approvsl step around tang where a request for decription woll wait for human approval until it is served.

This might meje the system work over the internet. Of course this can be abused.

Is this a good solution?
Any ideas on how to solve the issue of using tang over public internet?

Thanks,

Why is [email protected] a templated unit? It does not use %i anywhere. Can you run multiple tangd processes?

In 80725f, you've introduced a build-time configuration for a user and a group - however, the service file only uses the user information. Care to set Group= as well? Else systemd will use the default group, which may or may not be the desired behaviour.

It no longer calls out to tangd
when i run dracut -f : it complains about : error installing clevis-decrypt-http

also now it spams

dracut-initqueue[396]: /usr/libexec/clevis-luks-askpass: line 67: cryptsetup: command not found

kickstart file i use:

https://raw.githubusercontent.com/DefenSec/dssp2-standard/master/support/scripts/quickvirtinstaller

Hi, I got Tang to work on the Ubnt EdgeRouter X, the write-up is here:

https://noobient.com/2020/12/29/ubuntu-luks-automatic-unlock-using-tang-edgerouter/

I'd be more than happy to help incorporating this in the Tang README. Please let me know if there's any info you need! :)

tang-show-keys currently uses SHA-1 to compute key fingerprints. SHA-1 is too broken these days and will be removed from e.g. RHEL 9 soon (see https://bugzilla.redhat.com/show_bug.cgi?id=1934937). Would it be possible to move to SHA2 for the key fingerprints?

Hi!

My tang stopped working, although everything was fine a few days ago.

Service looks fine:

# systemctl status tangd.socket
● tangd.socket - Tang Server socket
   Loaded: loaded (/lib/systemd/system/tangd.socket; enabled; vendor preset: enabled)
   Active: active (listening) since Fri 2021-10-22 18:32:49 EEST; 24min ago
   Listen: [::]:80 (Stream)
 Accepted: 60595; Connected: 0; Refused: 12
    Tasks: 0 (limit: 4915)
   Memory: 44.0K
   CGroup: /system.slice/tangd.socket

Oct 22 18:32:49 tang-int systemd[1]: Listening on Tang Server socket.

But when I use tang-show-keys or curl 'http://<IP>/adv' I receive curl: (52) Empty reply from server.

Please help me with the diagnosis and correction of this problem. What do I need to do?

Why listen on port 80? Or at least make it configurable. Makes it incompatible with running a normal web server on the same box.

Create a Nagios plugin to monitor the server for correct end to end operation. This should include but not be limited to verifying advertised signing keys and testeing as far as possible unlocking a LUKS encrypted filesystem.

Hi, is there a way to create the keys (under /var/db/tang) and advertisements offline without having tang installed by just using the jose cli?

The key generation is mentioned in the docs:

$ sudo jose jwk gen -i '{"alg":"ES512"}' -o /var/db/tang/newsig.jwk
$ sudo jose jwk gen -i '{"alg":"ECMR"}' -o /var/db/tang/newexc.jwk

but I'm not sure which command will output me a valid advertisement payload.

Hello, tang is most useful as a small, dedicated, energy efficient device. Arduino fits very well. Any chances tang can be compiled for it?

Also good alternatives would be Raspberry Pi Pico W and the likes, for example W6100-EVB-Pico.

If possible, can the server log when it performs a transaction for a client system? Something along the lines of "client IP X requested a transaction using protocol version Y"

This way, abusive/potentially malicious clients can be identified via log spam, and it can be used as a cross-check when nagios/etc does NOT report a reboot cycle, but the crypto server saw a decrypt request.

Can you please clarify the license. The GitHub information repository information shows GPLv3 and that's what's in the COPYING file, but the meson build configuration and the Fedora Rawhide RPM both show GPLv3+ i.e., v3 or later, but I don't see the "or later" clause anywhere. As an aside, that made me notice that there's an RPM spec file in the Jose source, but not the Tang source. Was that intentional or an accidental ommision?

systemd service files should have a pointer to applicable documentation. Fix is trivial:

--- a/units/[email protected]
+++ b/units/[email protected]
@@ -1,5 +1,6 @@
 [Unit]
 Description=Tang Server
+Documentation=man:tangd(8)
 
 [Service]
 StandardInput=socket

Hi,

I appreciate Tang does not require SSL/TLS or authentication, but as the README references both as optional, would you be able to provide some guidance/examples for implementing both please?

Is TLS natively supported by Tang or would we just use a reverse proxy?

I would like to remotely (i.e. from the Tang servers) block a single client from authenticating, to prevent it from unlocking automatically on it's next boot. How would this be achieved?

Thanks
M

I wanted to create a package for a OpenWRT, so I can set it up on a router. But I see there is some systemd staff used, like socket activation. Well, I have nothing against systemd, but OpenWRT does.

Can tang be used without systemd?

As I understand, tang itself stores it secrets in the filesystem on the host it runs.

Most public cloud environments feature HSM backed key vault services that can be accessed from within VMs securely using service principals or similar concepts. So my question here is:

What would it take to add support for the common key vault implementations (Azure, AWS, GCP) to Tang? Suggestions on where to start?

thanks!

Tobias W.

The wording of the default text from libcryptsetup isn't great for our case. Let's try to override it.

Make check fails with the following, most likely because of something in my environment that does not please it. Is there a way to get detailed logs so I can try to figure out what's wrong ?

make VERBOSE=1 check
make  check-TESTS
make[1]: Entering directory '/home/loic/software/tang/tang'
make[2]: Entering directory '/home/loic/software/tang/tang'
FAIL: tests/adv
FAIL: tests/rec
==============================
   tang 1: ./test-suite.log
==============================

# TOTAL: 2
# PASS:  0
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: tests/adv
===============

+ trap on_exit EXIT
+ trap exit ERR
++ which systemd-socket-activate
+ SD_ACTIVATE=
++ which /usr/lib/systemd/systemd-activate
+ SD_ACTIVATE=
++ which /lib/systemd/systemd-activate
+ SD_ACTIVATE=/lib/systemd/systemd-activate
+ :
++ mktemp -d
+ export TMP=/tmp/tmp.pGAEv0JdtK
+ TMP=/tmp/tmp.pGAEv0JdtK
+ mkdir -p /tmp/tmp.pGAEv0JdtK/db
+ mkdir -p /tmp/tmp.pGAEv0JdtK/cache
+ jose gen -t '{"alg": "ES256"}' -o /tmp/tmp.pGAEv0JdtK/db/sig.jwk
+ jose gen -t '{"alg": "ES256"}' -o /tmp/tmp.pGAEv0JdtK/db/.sig.jwk
+ jose gen -t '{"alg": "ES256"}' -o /tmp/tmp.pGAEv0JdtK/db/.oth.jwk
+ jose gen -t '{"kty": "EC", "crv": "P-256", "key_ops": ["deriveKey"] }' -o /tmp/tmp.pGAEv0JdtK/db/exc.jwk
+ ./tangd-update /tmp/tmp.pGAEv0JdtK/db /tmp/tmp.pGAEv0JdtK/cache
+ for addr in '"127.0.0.1"' '"[::1]"'
++ shuf -i 1024-65536 -n 1
+ port=52128
+ export PID=21812
+ PID=21812
+ sleep 0.1
+ /lib/systemd/systemd-activate -l 127.0.0.1:52128 -a ./tangd /tmp/tmp.pGAEv0JdtK/cache
Listening on 127.0.0.1:52128 as 3.
+ wget -t 1 -O- http://127.0.0.1:52128/
--2016-10-18 16:13:07--  http://127.0.0.1:52128/
Connecting to 127.0.0.1:52128... connected.
Communication attempt on fd 3.
HTTP request sent, awaiting response... Connection from 127.0.0.1:44872 to 127.0.0.1:52128
Spawned ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache) as PID 21815
Execing ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache)
Child 21815 died with code 0
Read error (Connection reset by peer) in headers.
Giving up.

++ jose thp -i /tmp/tmp.pGAEv0JdtK/db/exc.jwk
+ wget -t 1 -O- http://127.0.0.1:52128/adv/RqMsFhQj9TgxDWwnoYxZZXpbnV5y7HYLzTuHQJBHJgg
--2016-10-18 16:13:07--  http://127.0.0.1:52128/adv/RqMsFhQj9TgxDWwnoYxZZXpbnV5y7HYLzTuHQJBHJgg
Connecting to 127.0.0.1:52128... connected.
HTTP request sent, awaiting response... Communication attempt on fd 3.
Connection from 127.0.0.1:44874 to 127.0.0.1:52128
Spawned ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache) as PID 21818
Execing ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache)
Child 21818 died with code 0
Read error (Connection reset by peer) in headers.
Giving up.

++ jose thp -H sha512 -i /tmp/tmp.pGAEv0JdtK/db/exc.jwk
+ wget -t 1 -O- http://127.0.0.1:52128/adv/-dkjd6QcWvZKek-V6fk6wZ4-2M0xHz8WdnNtD1WOlp09TuakxwxPfY5pdOBc6-AdMtB6esA9VcHMnN5KAUVE2Q
--2016-10-18 16:13:07--  http://127.0.0.1:52128/adv/-dkjd6QcWvZKek-V6fk6wZ4-2M0xHz8WdnNtD1WOlp09TuakxwxPfY5pdOBc6-AdMtB6esA9VcHMnN5KAUVE2Q
Connecting to 127.0.0.1:52128... connected.
Communication attempt on fd 3.
HTTP request sent, awaiting response... Connection from 127.0.0.1:44876 to 127.0.0.1:52128
Spawned ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache) as PID 21821
Execing ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache)
Child 21821 died with code 0
Read error (Connection reset by peer) in headers.
Giving up.

+ wget -t 1 -O- http://127.0.0.1:52128/adv
--2016-10-18 16:13:07--  http://127.0.0.1:52128/adv
Connecting to 127.0.0.1:52128... connected.
Communication attempt on fd 3.
HTTP request sent, awaiting response... Connection from 127.0.0.1:44878 to 127.0.0.1:52128
Spawned ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache) as PID 21823
Execing ./tangd (./tangd /tmp/tmp.pGAEv0JdtK/cache)
Child 21823 died with code 0
Read error (Connection reset by peer) in headers.
Giving up.

++ exit
+ on_exit
+ '[' 21812 ']'
+ kill 21812
+ wait 21812
./tests/adv: line 22: 21812 Terminated              $SD_ACTIVATE $INET -l "$addr:$port" -a $VALGRIND ./tangd $TMP/cache
+ true
+ '[' -d /tmp/tmp.pGAEv0JdtK ']'
+ rm -rf /tmp/tmp.pGAEv0JdtK
FAIL tests/adv (exit status: 4)

FAIL: tests/rec
===============

+ trap on_exit EXIT
+ trap exit ERR
++ which systemd-socket-activate
+ SD_ACTIVATE=
++ which /usr/lib/systemd/systemd-activate
+ SD_ACTIVATE=
++ which /lib/systemd/systemd-activate
+ SD_ACTIVATE=/lib/systemd/systemd-activate
+ :
++ mktemp -d
+ export TMP=/tmp/tmp.BYuqFZRDDn
+ TMP=/tmp/tmp.BYuqFZRDDn
+ mkdir -p /tmp/tmp.BYuqFZRDDn/db
+ mkdir -p /tmp/tmp.BYuqFZRDDn/cache
+ jose gen -t '{"alg": "ES256"}' -o /tmp/tmp.BYuqFZRDDn/db/sig.jwk
+ jose gen -t '{"kty": "EC", "crv": "P-256", "key_ops": ["deriveKey"] }' -o /tmp/tmp.BYuqFZRDDn/db/exc.jwk
+ ./tangd-update /tmp/tmp.BYuqFZRDDn/db /tmp/tmp.BYuqFZRDDn/cache
++ jose thp -i /tmp/tmp.BYuqFZRDDn/db/exc.jwk
+ exc_kid=YhOac6MejEFAOWML8XmKC3q5UMXl_rWyTKMxoiG1Cy8
+ jose gen -t '{"kty":"EC","crv":"P-256"}' -o /tmp/tmp.BYuqFZRDDn/exc.jwk
+ jose pub -i /tmp/tmp.BYuqFZRDDn/exc.jwk -o /tmp/tmp.BYuqFZRDDn/exc.pub.jwk
++ shuf -i 1024-65536 -n 1
+ port=10697
+ export PID=21944
+ PID=21944
+ wget -t1 -O- http://127.0.0.1:10697/rec
+ /lib/systemd/systemd-activate -l 127.0.0.1:10697 -a ./tangd /tmp/tmp.BYuqFZRDDn/cache
Listening on 127.0.0.1:10697 as 3.
--2016-10-18 16:13:07--  http://127.0.0.1:10697/rec
Connecting to 127.0.0.1:10697... connected.
Communication attempt on fd 3.
HTTP request sent, awaiting response... Connection from 127.0.0.1:49144 to 127.0.0.1:10697
Spawned ./tangd (./tangd /tmp/tmp.BYuqFZRDDn/cache) as PID 21946
Execing ./tangd (./tangd /tmp/tmp.BYuqFZRDDn/cache)
Child 21946 died with code 0
Read error (Connection reset by peer) in headers.
Giving up.

+ wget -t1 -O- http://127.0.0.1:10697/rec/
--2016-10-18 16:13:07--  http://127.0.0.1:10697/rec/
Connecting to 127.0.0.1:10697... connected.
HTTP request sent, awaiting response... Communication attempt on fd 3.
Connection from 127.0.0.1:49146 to 127.0.0.1:10697
Spawned ./tangd (./tangd /tmp/tmp.BYuqFZRDDn/cache) as PID 21948
Execing ./tangd (./tangd /tmp/tmp.BYuqFZRDDn/cache)
Child 21948 died with code 0
Read error (Connection reset by peer) in headers.
Giving up.

++ jose exc -l /tmp/tmp.BYuqFZRDDn/exc.jwk -r /tmp/tmp.BYuqFZRDDn/db/exc.jwk
+ good='{"crv":"P-256","kty":"EC","x":"OKj0KMYNDvIXOblwmnj9HwQG0F6dFrqChsOMEmWJpWc","y":"zjDuYqNhNVFWxHgsImbhjcyLWgW5CTwjMDX-TQpFMj0"}'
+++ cat /tmp/tmp.BYuqFZRDDn/exc.pub.jwk
++ wget -t1 -O- '--post-data={"crv":"P-256","kty":"EC","x":"agdGV1DQcLKAsmAAa_gt4_xXG3Aux15IjyaBCfgjysc","y":"DPhYj87RS0_vbe_UQ0GK80hWKYs42lDOLZvbFTajetQ"}' http://127.0.0.1:10697/rec/YhOac6MejEFAOWML8XmKC3q5UMXl_rWyTKMxoiG1Cy8
--2016-10-18 16:13:07--  http://127.0.0.1:10697/rec/YhOac6MejEFAOWML8XmKC3q5UMXl_rWyTKMxoiG1Cy8
Connecting to 127.0.0.1:10697... connected.
Communication attempt on fd 3.
HTTP request sent, awaiting response... Connection from 127.0.0.1:49148 to 127.0.0.1:10697
Spawned ./tangd (./tangd /tmp/tmp.BYuqFZRDDn/cache) as PID 21953
Execing ./tangd (./tangd /tmp/tmp.BYuqFZRDDn/cache)
Child 21953 died with code 0
Read error (Connection reset by peer) in headers.
Giving up.

+ test=
++ exit
+ on_exit
+ '[' 21944 ']'
+ kill 21944
+ wait 21944
./tests/rec: line 22: 21944 Terminated              $SD_ACTIVATE $INET -l 127.0.0.1:$port -a $VALGRIND ./tangd $TMP/cache
+ true
+ '[' -d /tmp/tmp.BYuqFZRDDn ']'
+ rm -rf /tmp/tmp.BYuqFZRDDn
FAIL tests/rec (exit status: 4)

============================================================================
Testsuite summary for tang 1
============================================================================
# TOTAL: 2
# PASS:  0
# SKIP:  0
# XFAIL: 0
# FAIL:  2
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
============================================================================
Makefile:841: recipe for target 'test-suite.log' failed
make[2]: *** [test-suite.log] Error 1
make[2]: Leaving directory '/home/loic/software/tang/tang'
Makefile:947: recipe for target 'check-TESTS' failed
make[1]: *** [check-TESTS] Error 2
make[1]: Leaving directory '/home/loic/software/tang/tang'
Makefile:1159: recipe for target 'check-am' failed
make: *** [check-am] Error 2