Kea issues
https://gitlab.isc.org/isc-projects/kea/-/issues
2024-03-22T13:55:21Z

https://gitlab.isc.org/isc-projects/kea/-/issues/3079
Process: Fix issues reported by dependabot
2024-03-22T13:55:21Z
Tomek Mrugalski

[Dependabot on github](https://github.com/isc-projects/kea/security/dependabot) reports 4 issues and complains that updates are disabled, because previous reports were not addressed.
![Screenshot_from_2023-09-21_11-34-35](/uploads/d602529e436a9edff8387c2c120a0e2c/Screenshot_from_2023-09-21_11-34-35.png)
The goal is to:
- [ ] update the dependencies
- [ ] make sure the PRs on github are resolved
- [ ] make sure the dependabot updates are no longer paused

kea2.5.7
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/3080
Process: need to publish security policy
2023-10-23T08:20:40Z
Tomek Mrugalski

Another thing pointed out by @manu in his [security audit](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023#10-process-how-to-handle-confidential-information-fix-for-a-reported-security-vulnerability). We need to publish security policy in a concise form and publish it in a standard github way. That basically means creating SECURITY.md file and enabling security reporting on github.
We already have Section 23.3 in ARM and [KB article](https://kb.isc.org/docs/aa-00861). Both look like great sources of info.

kea2.5.3
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/2821
array-bounds warnings in ubuntu build
2023-08-29T08:45:39Z
Seth Arnold

Hello, I'm reviewing KEA as part of the Ubuntu Main Inclusion request. Part of this is taking a look through the build logs, and there's a few instances of `-Warray-bounds` warnings that concern me:
- MIR process bug: https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/2002861
- Ubuntu Lunar Build: https://launchpad.net/ubuntu/+source/isc-kea/2.2.0-5ubuntu1/+build/25670367
- Ubuntu Lunar direct build logs: https://launchpadlibrarian.net/655959506/buildlog_ubuntu-lunar-amd64.isc-kea_2.2.0-5ubuntu1_BUILDING.txt.gz
```
...
libtool: compile: g++ -DHAVE_CONFIG_H -I. -I../../.. -I../../../src/lib -I../../../src/lib -Wdate-time -D_FORTIFY_SOURCE=2 -DOS_LINUX -I../../.. -I../../.. -Wall -Wextra -Wnon-virtual-dtor -Wwrite-strings -Woverloaded-virtual -Wno-sign-compare -pthread -Wno-missing-field-initializers -fPIC -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/isc-kea-2.2.0-5ubuntu1 -c libdhcp++.cc -fPIC -DPIC -o .libs/libkea_dhcp___la-libdhcp++.o
In file included from /usr/include/c++/12/string:50,
from /usr/include/boost/asio/ip/address.hpp:19,
from ../../../src/lib/asiolink/io_address.h:15,
from ../../../src/lib/dhcp/duid.h:10,
from ../../../src/lib/dhcp/duid_factory.h:10,
from duid_factory.cc:9:
In function ‘std::__copy_move<true, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*)unsigned char*’,
inlined from ‘std::__copy_move_a2<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:495:30,
inlined from ‘std::__copy_move_a1<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:522:42,
inlined from ‘std::__copy_move_a<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:529:31,
inlined from ‘std::copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:620:7,
inlined from ‘std::__uninitialized_copy<true>::__uninit_copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:147:27,
inlined from ‘std::uninitialized_copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:185:15,
inlined from ‘std::__uninitialized_copy_a<std::move_iterator<unsigned char*>, unsigned char*, unsigned char>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*, std::allocator<unsigned char>&)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:372:37,
inlined from ‘std::__uninitialized_move_if_noexcept_a<unsigned char*, unsigned char*, std::allocator<unsigned char> >(unsigned char*, unsigned char*, unsigned char*, std::allocator<unsigned char>&)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:397:2,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag)void’ at /usr/include/c++/12/bits/vector.tcc:801:9,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::_M_insert_dispatch<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::__false_type)void’ at /usr/include/c++/12/bits/stl_vector.h:1779:19,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::insert<__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, void>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >)__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >’ at /usr/include/c++/12/bits/stl_vector.h:1481:22,
inlined from ‘isc::dhcp::DUIDFactory::createEN(unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&)’ at duid_factory.cc:180:24:
/usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 6 is out of the bounds [0, 6] [-Warray-bounds]
431 | __builtin_memmove(__result, __first, sizeof(_Tp) * _Num);
| ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 6 is out of the bounds [0, 6] [-Warray-bounds]
...
```
```
...
libtool: compile: g++ -DHAVE_CONFIG_H -I. -I../../.. -I../../../src/lib -I../../../src/lib -Wdate-time -D_FORTIFY_SOURCE=2 -DOS_LINUX -I../../.. -I../../.. -Wall -Wextra -Wnon-virtual-dtor -Wwrite-strings -Woverloaded-virtual -Wno-sign-compare -pthread -Wno-missing-field-initializers -fPIC -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/isc-kea-2.2.0-5ubuntu1 -c ncr_udp.cc -fPIC -DPIC -o .libs/libkea_dhcp_ddns_la-ncr_udp.o
In file included from /usr/include/c++/12/string:50,
from /usr/include/c++/12/bits/locale_classes.h:40,
from /usr/include/c++/12/bits/ios_base.h:41,
from /usr/include/c++/12/ios:42,
from /usr/include/c++/12/ostream:38,
from /usr/include/c++/12/iostream:39,
from ../../../src/lib/cc/data.h:10,
from ../../../src/lib/dhcp_ddns/ncr_msg.h:15,
from ncr_msg.cc:9:
In function ‘std::__copy_move<true, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*)unsigned char*’,
inlined from ‘std::__copy_move_a2<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:495:30,
inlined from ‘std::__copy_move_a1<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:522:42,
inlined from ‘std::__copy_move_a<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:529:31,
inlined from ‘std::copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:620:7,
inlined from ‘std::__uninitialized_copy<true>::__uninit_copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:147:27,
inlined from ‘std::uninitialized_copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:185:15,
inlined from ‘std::__uninitialized_copy_a<std::move_iterator<unsigned char*>, unsigned char*, unsigned char>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*, std::allocator<unsigned char>&)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:372:37,
inlined from ‘std::__uninitialized_move_if_noexcept_a<unsigned char*, unsigned char*, std::allocator<unsigned char> >(unsigned char*, unsigned char*, unsigned char*, std::allocator<unsigned char>&)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:397:2,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag)void’ at /usr/include/c++/12/bits/vector.tcc:801:9,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::_M_insert_dispatch<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::__false_type)void’ at /usr/include/c++/12/bits/stl_vector.h:1779:19,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, void>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >)__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >’ at /usr/include/c++/12/bits/stl_vector.h:1481:22,
inlined from ‘isc::dhcp_ddns::D2Dhcid::fromHWAddr(boost::shared_ptr<isc::dhcp::HWAddr> const&, std::vector<unsigned char, std::allocator<unsigned char> > const&)’ at ncr_msg.cc:144:23:
/usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 1 is out of the bounds [0, 1] [-Warray-bounds]
431 | __builtin_memmove(__result, __first, sizeof(_Tp) * _Num);
| ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 1 is out of the bounds [0, 1] [-Warray-bounds]
...
```
```
...
libtool: compile: g++ -DHAVE_CONFIG_H -I. -I../../.. -I../../../src/lib -I../../../src/lib -I../../../src/bin -I../../../src/bin -Wdate-time -D_FORTIFY_SOURCE=2 -DOS_LINUX -I../../.. -I../../.. -Wall -Wextra -Wnon-virtual-dtor -Wwrite-strings -Woverloaded-virtual -Wno-sign-compare -pthread -Wno-missing-field-initializers -fPIC -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fdebug-prefix-map=/<<PKGBUILDDIR>>=/usr/src/isc-kea-2.2.0-5ubuntu1 -c basic_scen.cc -fPIC -DPIC -o .libs/basic_scen.o
In file included from /usr/include/c++/12/memory:63,
from /usr/include/boost/smart_ptr/detail/sp_counted_impl.hpp:35,
from /usr/include/boost/smart_ptr/detail/shared_count.hpp:27,
from /usr/include/boost/smart_ptr/shared_ptr.hpp:17,
from /usr/include/boost/shared_ptr.hpp:17,
from ../../../src/bin/perfdhcp/packet_storage.h:11,
from ../../../src/bin/perfdhcp/test_control.h:10,
from test_control.cc:9:
In function ‘std::__copy_move<true, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*)unsigned char*’,
inlined from ‘std::__copy_move_a2<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:495:30,
inlined from ‘std::__copy_move_a1<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:522:42,
inlined from ‘std::__copy_move_a<true, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:529:31,
inlined from ‘std::copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_algobase.h:620:7,
inlined from ‘std::__uninitialized_copy<true>::__uninit_copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:147:27,
inlined from ‘std::uninitialized_copy<std::move_iterator<unsigned char*>, unsigned char*>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:185:15,
inlined from ‘std::__uninitialized_copy_a<std::move_iterator<unsigned char*>, unsigned char*, unsigned char>(std::move_iterator<unsigned char*>, std::move_iterator<unsigned char*>, unsigned char*, std::allocator<unsigned char>&)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:372:37,
inlined from ‘std::__uninitialized_move_if_noexcept_a<unsigned char*, unsigned char*, std::allocator<unsigned char> >(unsigned char*, unsigned char*, unsigned char*, std::allocator<unsigned char>&)unsigned char*’ at /usr/include/c++/12/bits/stl_uninitialized.h:397:2,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag)void’ at /usr/include/c++/12/bits/vector.tcc:801:9,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::_M_insert_dispatch<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::__false_type)void’ at /usr/include/c++/12/bits/stl_vector.h:1779:19,
inlined from ‘std::vector<unsigned char, std::allocator<unsigned char> >::insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, void>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >)__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >’ at /usr/include/c++/12/bits/stl_vector.h:1481:22,
inlined from ‘isc::perfdhcp::TestControl::generateClientId(boost::shared_ptr<isc::dhcp::HWAddr> const&) const’ at test_control.cc:408:21:
/usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 1 is out of the bounds [0, 1] [-Warray-bounds]
431 | __builtin_memmove(__result, __first, sizeof(_Tp) * _Num);
| ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/c++/12/bits/stl_algobase.h:431:30: warning: ‘memcpy’ offset 1 is out of the bounds [0, 1] [-Warray-bounds]
...
```
I'm nowhere near skilled enough with C++ to determine if this is a false positive from the compiler (or FORTIFY_SOURCE?) and I'm hoping this is a quick and easy one for someone more familiar.
Thanks

kea2.5.1
Razvan Becheriu

https://gitlab.isc.org/isc-projects/kea/-/issues/2760
Add CodeQL on github
2023-07-17T13:58:21Z
Tomek Mrugalski

We now have CodeQL (a LGTM replacement) code scanner enabled for Stork. We need to enable it for Kea, too.

kea2.3.8
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/1706
HA support for TLS / HTTPS
2022-06-23T15:44:17Z
Francis Dupont

I propose to use the same 4 parameters as in #1662 but the HA case is more complex because the config can be global or per peer i.e. with some kind of inheritance to design.

kea2.1.7
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1661
TLS socket
2022-03-30T15:19:28Z
Tomek Mrugalski

We want to implement a TLS support in Kea as [designed here](https://gitlab.isc.org/isc-projects/kea/-/wikis/designs/rbac-tls-design). There is a PoC done in #1619.
The goal of this ticket is to do the TLS socket implementation, including asiolink and libhttp updates. This will likely reuse code from #1619, but this time it requires tests, proper docs etc. In other words, a production ready code.

kea1.9.6
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/2006
CA: store credentials in file
2022-02-21T08:12:55Z
Tomek Mrugalski

Right now supports storing user credentials in the config file directly:
```json
"authentication": {
"type": "basic",
"realm": "kea-control-agent",
"clients": [
{
"user": "admin",
"password": "1234"
} ]
}
```
This is considered insecure as it shows on all config-get results and is being shown in Stork for example. An alternative would be to add credentials file, a file that would contain the same content as `clients: [ ... ]`.

kea2.1.2
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/2250
TLS unit tests fail with OpenSSL 1.1.1m
2022-02-09T09:07:25Z
Andrei Pavel (andrei@isc.org)

```
$ grep OPENSSL_VERSION_TEXT /usr/include/openssl/opensslv.h
# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1m 14 Dec 2021"
```
<details open>
<summary>The full list of failing tests:</summary>
<pre>
[ RUN ] TLSTest.loadNoCAFile
tls_unittest.cc:359: Failure
Failed
exception with unknown 'No such file or directory (system library, fopen)'
[ FAILED ] TLSTest.loadNoCAFile (0 ms)
[ RUN ] TLSTest.loadCAPath
[ OK ] TLSTest.loadCAPath (0 ms)
[ RUN ] TLSTest.loadKeyCA
tls_unittest.cc:359: Failure
Failed
exception with unknown 'no certificate or crl found (x509 certificate routines, X509_load_cert_crl_file)'
[ FAILED ] TLSTest.loadKeyCA (0 ms)
[ RUN ] TLSTest.loadCertFile
[ OK ] TLSTest.loadCertFile (0 ms)
[ RUN ] TLSTest.loadNoCertFile
tls_unittest.cc:359: Failure
Failed
exception with unknown 'No such file or directory (system library, fopen)'
[ FAILED ] TLSTest.loadNoCertFile (0 ms)
[ RUN ] TLSTest.loadCsrCertFile
tls_unittest.cc:359: Failure
Failed
exception with unknown 'no start line (PEM routines, get_name)'
[ FAILED ] TLSTest.loadCsrCertFile (0 ms)
[ RUN ] TLSTest.loadKeyFile
[ OK ] TLSTest.loadKeyFile (0 ms)
[ RUN ] TLSTest.loadNoKeyFile
tls_unittest.cc:359: Failure
Failed
exception with unknown 'No such file or directory (system library, fopen)'
[ FAILED ] TLSTest.loadNoKeyFile (0 ms)
[ RUN ] TLSTest.loadCertKeyFile
tls_unittest.cc:359: Failure
Failed
exception with unknown 'no start line (PEM routines, get_name)'
[ FAILED ] TLSTest.loadCertKeyFile (0 ms)
[ RUN ] TLSTest.loadMismatch
[ OK ] TLSTest.loadMismatch (0 ms)
[ RUN ] TLSTest.configure
[ OK ] TLSTest.configure (0 ms)
[ RUN ] TLSTest.configureError
tls_unittest.cc:359: Failure
Failed
exception with unknown 'load of cert file '/no-such-file' failed: No such file or directory (system library, fopen)'
[ FAILED ] TLSTest.configureError (0 ms)
[ RUN ] TLSTest.stream
[ OK ] TLSTest.stream (0 ms)
[ RUN ] TLSTest.noHandshake
tls_unittest.cc:406: Failure
Failed
send got unexpected error 'uninitialized (SSL routines, ssl_write_internal)'
tls_unittest.cc:406: Failure
Failed
receive got unexpected error 'uninitialized (SSL routines, ssl_read_internal)'
[ FAILED ] TLSTest.noHandshake (2 ms)
[ RUN ] TLSTest.serverNotConfigured
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'no shared cipher (SSL routines, tls_post_process_client_hello)'
tls_unittest.cc:406: Failure
Failed
client got unexpected error 'sslv3 alert handshake failure (SSL routines, ssl3_read_bytes)'
[ FAILED ] TLSTest.serverNotConfigured (2 ms)
[ RUN ] TLSTest.clientNotConfigured
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'tlsv1 alert unknown ca (SSL routines, ssl3_read_bytes)'
tls_unittest.cc:406: Failure
Failed
client got unexpected error 'certificate verify failed (SSL routines, tls_process_server_certificate)'
[ FAILED ] TLSTest.clientNotConfigured (14 ms)
[ RUN ] TLSTest.clientHTTPnoS
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'http request (SSL routines, ssl3_get_record)'
[ FAILED ] TLSTest.clientHTTPnoS (1 ms)
[ RUN ] TLSTest.unknownClient
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'wrong version number (SSL routines, ssl3_get_record)'
[ FAILED ] TLSTest.unknownClient (1 ms)
[ RUN ] TLSTest.anotherClient
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'certificate verify failed (SSL routines, tls_process_client_certificate)'
[ FAILED ] TLSTest.anotherClient (18 ms)
[ RUN ] TLSTest.selfSigned
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'certificate verify failed (SSL routines, tls_process_client_certificate)'
[ FAILED ] TLSTest.selfSigned (19 ms)
[ RUN ] TLSTest.noHandshakeCloseOnError
tls_unittest.cc:406: Failure
Failed
send got unexpected error 'uninitialized (SSL routines, ssl_write_internal)'
tls_unittest.cc:406: Failure
Failed
receive got unexpected error 'uninitialized (SSL routines, ssl_read_internal)'
[ FAILED ] TLSTest.noHandshakeCloseOnError (2 ms)
[ RUN ] TLSTest.serverNotConfiguredCloseonError
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'no shared cipher (SSL routines, tls_post_process_client_hello)'
tls_unittest.cc:406: Failure
Failed
client got unexpected error 'sslv3 alert handshake failure (SSL routines, ssl3_read_bytes)'
[ FAILED ] TLSTest.serverNotConfiguredCloseonError (2 ms)
[ RUN ] TLSTest.clientNotConfiguredCloseonError
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'tlsv1 alert unknown ca (SSL routines, ssl3_read_bytes)'
tls_unittest.cc:406: Failure
Failed
client got unexpected error 'certificate verify failed (SSL routines, tls_process_server_certificate)'
[ FAILED ] TLSTest.clientNotConfiguredCloseonError (7 ms)
[ RUN ] TLSTest.clientHTTPnoSCloseonError
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'http request (SSL routines, ssl3_get_record)'
[ FAILED ] TLSTest.clientHTTPnoSCloseonError (1 ms)
[ RUN ] TLSTest.anotherClientCloseonError
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'certificate verify failed (SSL routines, tls_process_client_certificate)'
[ FAILED ] TLSTest.anotherClientCloseonError (19 ms)
[ RUN ] TLSTest.selfSignedCloseonError
tls_unittest.cc:406: Failure
Failed
server got unexpected error 'certificate verify failed (SSL routines, tls_process_client_certificate)'
[ FAILED ] TLSTest.selfSignedCloseonError (18 ms)
</pre>
</details>

kea2.1.3
Andrei Pavel (andrei@isc.org)

https://gitlab.isc.org/isc-projects/kea/-/issues/2225
Allow extra arguments for database command line tools in kea-admin
2022-01-25T15:24:34Z
Francis Dupont

The idea is to allow multiple `-x` / `--extra <argument>` to kea-admin: these extra arguments are passed to the database command line tool, e.g. `-x --ssl` will pass `--ssl` to mysql when the user managing a MySQL database was configured to require SSL/TLS protection of the connection to the server.

kea2.1.2
Andrei Pavel (andrei@isc.org)

https://gitlab.isc.org/isc-projects/kea/-/issues/1628
Postgres backend with SSL
2022-01-06T13:08:49Z
varsraja

We would like to know if we can specify the client cert, key and CA chain to be used for connecting to postgres backend for leases.
If Kea supports SSL, can you please provide us the keywords to be used in lease-database section.

kea2.1-backlog
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1974
Verify that random calls are seeded and used appropriately
2021-09-25T08:16:25Z
Michael McNally

A recent issue with [weak randomization used by the dhclient part of the ISC DHCP project](https://gitlab.isc.org/isc-projects/dhcp/-/issues/197) is a good reminder that we should examine PRNG use in each of ISC's open source projects to ensure that we are using (pseudo-)randomness appropriately.
Please treat this ticket as:
- a reminder to review PRNG use in your project to ensure that it is used properly
- a request to report on the status of that review, so that users who search for this ticket can satisfy themselves that we have checked our usage and believe it to be reasonable.

kea2.0.0 (formerly 1.9.12)

https://gitlab.isc.org/isc-projects/kea/-/issues/1957
use cryptolink RNG for qid
2021-07-16T07:34:27Z
Francis Dupont

Currently the qid (DNS query ID) is randomly generated by a weak RNG in lib util. This code should be moved to the DNS++ library and the RNG replaced by the cryptolink one.

kea1.9.10
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1551
Granular control over logging authentication information
2021-05-21T14:48:33Z
Vicky Risk (vicky@isc.org)

In some organizations/jurisdictions (but IANAL) authentication information is seen as sensitive information and it should be possible to treat authentication logging information differently from other (non authentication) log output.
It should be possible to turn off all authentication logging without restricting the other log output, or to send the authentication log information into a separate file (with different access permissions).
Without such function, users that must implement regulation compliant logging will need to turn off all logging that could contain authentication information.

kea1.9.9
Vicky Risk (vicky@isc.org)

https://gitlab.isc.org/isc-projects/kea/-/issues/1721
Obfuscate passwords in logs that show configuration
2021-05-21T13:43:06Z
Andrei Pavel (andrei@isc.org)

There seem to be only two types of logging that could expose passwords: configuration logs and dbaccess logs.
```
INFO [kea-dhcp4.dhcpsrv] DHCPSRV_MYSQL_DB opening MySQL lease database: host=127.0.0.1 max-reconnect-tries=3 name=keatest password=***** port=3306 reconnect-wait-time=3000 type=mysql universe=4 user=keatest
```
dbaccess logs are covered, but config logs have the password exposed. **except** for this kea-ctrl-agent configuration log which also obfuscates:
```
DEBUG [kea-ctrl-agent.dctl] DCTL_CONFIG_START parsing new configuration: { "authentication": { "clients": [ { "password": "*****", "user": "superadmin" } ], ... }
```
So this seems like a slip-up in hiding passwords everywhere?
Something to note in the code is that there might be some places where passwords can't be hidden like this place where the problem seems to be that it might rethrow:
```
} catch (const std::exception& ex) {
    // We'd obscure the password if we could parse the access string.
    DB_LOG_ERROR(DB_INVALID_ACCESS).arg(dbaccess);
    throw;
}
```
Is this a similar case?
[RT#17595](https://support.isc.org/Ticket/Display.html?id=17597)
kea1.9.8
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/kea/-/issues/1590
Auth: logged user and command should be printed on dedicated logger
2021-05-05T16:35:44Z
Tomek Mrugalski
As requested by @vicky in https://gitlab.isc.org/isc-projects/stork/-/issues/353#note_164884, we need a dedicated logger. This logger should provide at least two pieces of information: which command was authorized and the username of the user who authorized it.
kea1.9.8
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/1665
Botan TLS
2021-05-05T10:18:02Z
Tomek Mrugalski
The #1661 to #1664 tickets assume the code is using boost.SSL lib, which uses OpenSSL internally. The goal of this ticket is to try to come up with a solution that uses Botan instead.
If it’s too difficult or requires too many changes compared to boost.ssl, then it is acceptable to have TLS support only when compiling with OpenSSL. If compiling with Botan, we could disable TLS support. Obviously, getting it to work would be better...
(done (i.e. it works) and the description obviously needs more edit than this one)
kea1.9.8
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1662
TLS support in CA (parsers, certs,...)
2021-04-01T17:23:49Z
Tomek Mrugalski
Once #1661 is done, the next step is to do the CA code extension (including parsers update, ability to open TLS sockets, load certs, etc.). Again, it is likely to reuse lots of code from #1619 with some tests and docs improvements needed.
kea1.9.6
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1663
TLS support in kea-shell
2021-03-25T18:53:31Z
Tomek Mrugalski
Once #1661 and #1662 are done, the next step is to extend ``kea-shell`` to be able to connect to TLS socket. We don’t need python 2 support anymore. It’s ok to replace the existing kea-shell code as long as the new code is able to do both http and https connections.
Similar to earlier tickets, we may try to reuse code from keys-secure-shell done in #1619, although the tool should be called kea-shell.
kea1.9.6
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1664
Doc for TLS
2021-03-25T08:28:26Z
Tomek Mrugalski
Once #1661 to #1663 are done, we need docs:
- ARM for users, explaining how to configure certs, update CA Config etc
- developer guide section explaining how the code works. This is for devs who are not security experts
kea1.9.6
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1619
Implement TLS support in libhttp (PoC)
2021-03-24T09:40:59Z
Tomek Mrugalski
The Boost library has a TLS support (https://www.boost.org/doc/libs/1_74_0/doc/html/boost_asio/overview/ssl.html) that's been available since boost 1.36, released in 2008. It provides TLS support using openssl. The goal of this ticket is to do the following:
**conduct PoC implementation (no tests, hacky, some parameters hardcoded) and provide a write-up**
There is no expectation for the code to be merged on master.
The goal is to determine whether Boost implementation is a reasonable one and we could possibly use it. If the general answer is yes, there should be a new ticket created for production code and a pointer to the write-up. If the answer is no, the write-up should be very specific what are the Boost limitations that would prevent us from using it.
Yes, we understand that Boost can't use Botan. It is a problem, but it's a problem we can live with.
kea1.9.4