Splat is a daemon designed to help keep information in an LDAP directory in sync with information outside of an LDAP directory. This information can be any set of attributes on any object in the LDAP directory.
Splat was originally written for the purpose of distributing SSH keys from LDAP in a way that did not require modifying the SSH daemon.
In the process, we designed a generic daemon capable of pulling nearly any information from LDAP and using it in any way you see fit. Synchronize your LDAP directory with a relational database, update an organizational chart, or build a x509 certificate revocation list.
I'm pleased to announce that Bacula's File Daemon now has complete support for signing and encrypting data prior to sending it to the Storage Daemon, and decrypting said data upon receipt from the Storage Daemon.
The code has been committed to Bacula CVS; usage instructions follow.
A few months ago, I read Dan Kaminsky's presentation slides, Attacking Distributed Systems: The DNS Case Study. In the presentation, Kaminsky documents a method of implementing single bit data transfer with nothing more than:
After a particularly stressful week, I decided I needed to work on something fun -- an implementation of a DNS-based dead drop messaging system, utilizing Kaminsky's ideas.
NOTE: For information on Mac OS X Leopard (10.5), refer to this article.
PT_DENY_ATTACH is a non-standard ptrace() request type available on Mac OS X that prevents a debugger from attaching to the calling process. This article will cover disabling PT_DENY_ATTACH for all processes on Mac OS X 10.4. For more information on how the request type is implemented, please refer to the previous article.
Below is the final tally of EFF donations. A big thanks to all those that donated to the project! If you are not listed, but should be, send me an e-mail.
Update! Thanks to Roberto Moreda of Allenta Consulting for the final donation of $180, bringing the final tally to $3000!
Donor: Amount: WingNET Internet $500 Timo Neuvonen $250 Ed Grether $25 Charles Reinehr $100 Michael Proto $25 Phil Cordier $100 Dan Langille $100 Tom Plancon $65 Felix Schwarz $60 ClarkConnect $500 Andrew Ford $25 INetU, Inc $1000 Jo at Winfix.it $70 Allenta Consulting $180 Goal: $3000 Total: $3,000
I just committed support for cryptographic signatures in the File Daemon. The signatures are stored using the ASN.1 syntax I previously outlined. The code supports multiple signers, but the configuration file only supports the specification of a single signing key. You can, however, specify multiple trusted public keys, and any signatures made with those keys will be accepted.
Changes include the addition of an autoconf-based build system and support for Linux.
More information is available from the OpenVPN Auth-LDAP Plugin page
After spending last weekend studying the PKCS #7 and CMS (RFC 3852) specifications, I dedicated this weekend to assembling a Bacula ASN.1 syntax for signing file data and implementing the requisite changes in the backup, verification , and digest handling code paths.
While I would have liked to make use of either PKCS #7 or RFC 3852, OpenSSL's current BER encoder and PKCS #7 API are not capable of handling streaming encoding and decoding. As such, I've designed an ASN.1 syntax inspired by RFC 3852, working around the lack of streaming support by using detached signatures and session key information.
Additionally, I've added support for SHA-256 and SHA-512 digests when using OpenSSL 0.9.8 or greater and completed a great deal of code cleanup. You can find the full ChangeLog below.
Next Up:
The latest patchset is available here: bacula-crypto-3.diff.gz
In the interest of providing visibility into my on-going work, I will be posting regular snapshots of my encryption support diffs, along with some hopefully understandable explanations.
To get the project started, I've modified the OpenSSL autoconf macros to define an additional preprocessor directive, HAVE_CRYPTO. In conjunction with this, I've started implementing the abstract cryptography API in src/lib/crypto.c. As with the TLS implementation, I am attempting to abstract the details of OpenSSL from the rest of the Bacula codebase.
One of the first steps necessary to implement signed message digests is a refactoring of the digest code used by the file daemon. I've created a new digest API in src/lib/crypto.c, and updated all clients of the previous digest API. The new implementation supports MD5 and SHA-1 hashes for both basic digests and signing. If OpenSSL 0.9.8 is available, SHA-512 is used for signed digests.
Additionally, I've migrated the OpenSSL initialization code to crypto.c, and added code for reading -- and signing with -- PEM-encoded x509 certificates and RSA and DSA private keys. I've also added encryption configuration options to the various daemons.
If you would like to take a look at the current patchset in all its glory, you can find it here: bacula-crypto-1.diff.gz
The next task on my list is storage of signed message digests and per-session symmetric keys in both the catalog and volume. I will be out on holiday next week, but I hope to have another patchset available shortly after I return.
A few weeks ago we officially announced the Bacula data encryption project -- an endeavor to add data encryption support to Bacula and raise funds for the Electronic Frontier Foundation.
The community's response has been wonderful, and we've managed to raise a total of $1,165. Your donations are appreciated! With your continued support, I hope we can meet our goal of $3,000.
Below is a list of the donors to-date. If I have missed anyone, or any information is incorrect, please send me an e-mail.
Donor: Amount: WingNET Internet $500 Timo Neuvonen $250 Ed Grether $25 Charles Reinehr $100 Michael Proto $25 Phil Cordier $100 Dan Langille $100 Tom Plancon $65 Total: $1,165
The EFF has taken notice:
"In addition, huge thanks to Landon Fuller and the Bacula Project for helping to raise money for EFF..."
"Grassroots fundraising efforts like these give EFF the energy (and funds!) to keep on fighting the good fight - defending free speech, fair use, innovation, and privacy on the electronic frontier. By supporting EFF, you help carry the banner to protect digital civil liberties."
Thank you for your donations!