
Upgraded to cables-1.0.1

This upgrade gets rid of duplicated nginx and spawn-fcgi.cable
configuration files.
Maxim Kammerer 14 lat temu
rodzic
commit
58964ad203

+ 0 - 1
conf/rootfs.excludes

@@ -49,7 +49,6 @@
 /usr/share/aclocal/
 /usr/share/baselayout/
 /usr/share/awk/
-/usr/share/cables/
 /usr/share/florence/**.rnc
 /usr/share/florence/svg11/
 /usr/share/getopt/

+ 0 - 220
doc/cable.txt

@@ -1,220 +0,0 @@
-CMS messages exchange
-=====================
-
-Authentication and encryption
------------------------------
-
-<send>
-  + [message]     <- <input>
-  + [message]     -> signed    with sender's    [private sign.pem]    -> [message.sig]
-  + [message.sig] -> encrypted with recipient's [X.509   encrypt.pem] -> [message.out]
-  + [message.out] -> <send>
-
-<recv>
-  + [message.out] <- <receive>
-  + [message.out] -> decrypted with recipient's [private decrypt.pem] -> [message.sig]
-  + [message.sig] -> verified  wrt  sender's    [X.509   verify.pem]  -> [message]
-  +               -> r-signed  with recipient's [private sign.pem]    -> [receipt.sig]
-  + [receipt.sig] -> encrypted with sender's    [X.509   encrypt.pem] -> [receipt.out]
-  + [receipt.out] -> <send>
-
-<ack>
-  + [receipt.out] <- <receive>
-  + [receipt.out] -> decrypted with sender's    [private decrypt.pem] -> [receipt.sig]
-  + [receipt.sig] -> verified  wrt  recipient's [X.509   verify.pem]  +  [message.sig]
-  + [hash(receipt.sig)] -> <send>
-
-
-Protocol
---------
-  + username is explicitly verified against root CA fingerprint
-  + hostname is implicitly verified when fetching files
-  + resistant against MITM injections (except first MSG substitution with same <msgid>)
-  + resistant against temporary MITM resources substitution
-  + resistant to request replay attacks intended to cause large number of disk writes
-
-  + resistant against fingerprinting if username is unknown
-  + vulnerable to DoS (e.g., many MSG requests) if username is known
-
-  + each loop type is mutually exclusive for a given (r)queue/<msgid>
-  + all code blocks are restartable (e.g., after crash)
-  + messages and receipts are never lost if /cables filesystem is transactional
-
-  + <hostname>/<username>/                         transient public directory w/o list permission
-                  /certs/                          public X.509 certificates
-                  /queue/<msgid>                   outgoing message <msgid>
-                  /rqueue/<msgid>                  outgoing receipt <msgid>
-                  /request/...                     service interface
-
-  + /cables/                                       private directory
-                  /queue/<msgid>/                  outgoing message <msgid> work dir
-                  /rqueue/<msgid>/                 outgoing receipt <msgid> work dir
-
-  + [send]        (MUA-invoked script)          writes to /cables/queue
-  + [service]     (fast and secure web service) writes to /cables/{queue,rqueue}
-  + [crypto loop] writes to /cables/{queue,rqueue}, MUA inbox directory;
-                  reads from X.509 directory
-  + [fetch  loop] writes to /cables/{queue,rqueue}; reads from network
-  + [comm   loop] writes to /{<username>,cables}/{queue,rqueue}, network;
-                  reads username from X.509 directory
-
-
-<send>
-  [send]
-  + generate random 160-bit (40 hex digits) <msgid>
-  + prepare /cables/queue/<msgid>/{message{,.hdr},username,{,s}hostname}
-  + create  /cables/queue/<msgid>/send.req
-  * (atomic via rename from /cables/queue/tmp.<random>/<msgid>/)
-
-  [fetch loop]
-  + check   /cables/queue/<msgid>/send.req
-  + fetch   <hostname>/<username>/certs/*.pem      -> /cables/queue/<msgid>/*.pem
-  + rename  /cables/queue/<msgid>/send.req         -> send.rdy
-
-  [crypto loop]
-  + check   /cables/queue/<msgid>/send.rdy
-  + prepare /cables/queue/<msgid>/message.out
-  + rename  /cables/queue/<msgid>/send.rdy         -> send.ok  (success)
-  +                                                -> send.req (crypto fail)
-  + remove  /cables/queue/<msgid>/message          (if success)
-
-  [comm loop]
-  + check   /cables/queue/<msgid>/send.ok
-  + checkno /cables/queue/<msgid>/ack.ok
-  + copy    /cables/queue/<msgid>/message.out -> //<susername>/queue/<msgid> (atomic, if not exists)
-  + request <hostname>/<username>/request/msg/<msgid>/<shostname>/<susername> -> send.ans
-
-
-<recv>
-  [service]
-  + upon    msg/<msgid>/<hostname>/<username>
-  + checkno /cables/rqueue/<msgid>
-  + create  /cables/rqueue/<msgid>.new/            (ok if exists)
-  + write   /cables/rqueue/<msgid>.new/{username,hostname}
-  + create  /cables/rqueue/<msgid>.new/recv.req    (ok if exists)
-  + rename  /cables/rqueue/<msgid>.new             -> <msgid>
-
-  [fetch loop]
-  + check   /cables/rqueue/<msgid>/recv.req
-  + fetch   <hostname>/<username>/queue/<msgid>    -> /cables/rqueue/<msgid>/message.out
-  + fetch   <hostname>/<username>/certs/*.pem      -> /cables/rqueue/<msgid>/*.pem
-  + rename  /cables/rqueue/<msgid>/recv.req        -> recv.rdy
-
-  [crypto loop]
-  + check   /cables/rqueue/<msgid>/recv.rdy
-  + prepare /cables/rqueue/<msgid>/{message{,.hdr},receipt.{ack,out}}
-  + create  <mua message>                          <- /cables/rqueue/<msgid>/message
-  + rename  /cables/rqueue/<msgid>/recv.rdy        -> recv.ok  (success)
-  +                                                -> recv.req (crypto fail)
-  + remove  /cables/rqueue/<msgid>/message{,.out}  (if success)
-
-  [comm loop]
-  + check   /cables/rqueue/<msgid>/recv.ok
-  + copy    /cables/rqueue/<msgid>/receipt.out -> //<rusername>/rqueue/<msgid> (atomic, if not exists)
-  + request <hostname>/<username>/request/rcp/<msgid> -> recv.ans
-
-
-<ack>
-  [service]
-  + upon    rcp/<msgid>
-  + check   /cables/queue/<msgid>/send.ok
-  + create  /cables/queue/<msgid>/ack.req          (atomic, ok if exists)
-  + touch   /cables/queue/<msgid>/                 (if ack.req did not exist)
-
-  [fetch loop]
-  + check   /cables/queue/<msgid>/ack.req
-  + checkno /cables/queue/<msgid>/ack.{rdy,ok}
-  + fetch   <hostname>/<username>/rqueue/<msgid>   -> /cables/queue/<msgid>/receipt.out
-  + rename  /cables/queue/<msgid>/ack.req          -> ack.rdy
-
-  [crypto loop]
-  + check   /cables/queue/<msgid>/ack.rdy
-  + prepare /cables/queue/<msgid>/receipt.ack
-  + create  <mua acknowledge>
-  + rename  /cables/queue/<msgid>/ack.rdy          -> ack.ok  (success)
-  +                                                -> ack.req (crypto fail)
-  + remove  /cables/queue/<msgid>/{message.{out,sig},receipt.out}  (if success)
-
-  [comm loop]
-  + check   /cables/queue/<msgid>/ack.ok
-  + remove  //<susername>/queue/<msgid>            (if exists)
-  + read    /cables/queue/<msgid>/receipt.ack      (128 hex digits)
-  + request <hostname>/<username>/request/ack/<msgid>/<ackhash> (wait) -> ack.ans
-  + rename  /cables/queue/<msgid>                  -> <msgid>.del
-  (if ack is lost due to MITM attack, receiver will keep requesting rcp/<msgid>)
-
-  -and/or-
-
-  + check   /cables/queue/<msgid>.del/
-  + remove  //<susername>/queue/<msgid>            (if exists)
-  + remove  /cables/queue/<msgid>.del/
-
-
-<fin>
-  [service]
-  + upon    ack/<msgid>/<ackhash>
-  + check   /cables/rqueue/<msgid>/recv.ok
-  + compare /cables/rqueue/<msgid>/receipt.ack    <-> <ackhash>
-  + rename  /cables/rqueue/<msgid>                 -> <msgid>.del
-
-  [comm loop]
-  + check   /cables/rqueue/<msgid>.del/
-  + remove  //<rusername>/rqueue/<msgid>           (if exists)
-  + remove  /cables/rqueue/<msgid>.del/
-
-
-Loop scheduler
---------------
-
-Initialization (for <msgid>s of 40 hex digits):
-  + remove /cables/rqueue/<msgid>.new/                (before [service] startup)
-
-Watch list (for <msgid>s of 40 hex digits):
-  + /cables/queue/  <msgid>, <msgid>.del              (inotify: moved_to, attrib)
-  + /cables/rqueue/ <msgid>, <msgid>.del              (inotify: moved_to)
-
-  + <msgid>:     non-blocking lock attempt
-  + <msgid>.del: blocking lock (with timeout)
-
-Retry policies:
-  + retry every X min. (+ random component)
-
-Validation: upon reaching max age (from <msgid>/username timestamp):
-  (mutually exclusive with all loop types)
-
-  + (queue)  create  <mua message>
-                 send.req/rdy:        failed to fetch certificates and encrypt message
-                 send.ok + no ack.ok: failed to send message and receive receipt
-                 ack.ok:              failed to acknowledge receipt
-  + (queue)  rename  /cables/queue/<msgid>  -> <msgid>.del
-
-  + (rqueue) create  <mua message>
-                 recv.req/rdy:        failed to fetch and decrypt message
-                 recv.ok:             failed to send receipt and receive acknowledgment
-  + (rqueue) rename  /cables/rqueue/<msgid> -> <msgid>.del
-
-
-Message format
---------------
-
-(send)
-  + extract all unique To:, Cc:, Bcc: addresses
-  + check that all addresses (+ From:) are recognized (e.g., *.onion)
-  + remove Bcc: and all X-*: headers
-  + reformat Date: as UTC
-  + compress with gzip
-
-
-(recv)
-  + uncompress with classic (single-threaded) gzip
-  + replace From: header with the verified address (rename old header)
-  + add X-Received-Date: header
-
-
-(ack)
-  + extract original From:, To:, Cc:, Bcc:, Subject:, Date:, Message-ID:,
-                     In-Reply-To:, References: fields
-  + replace Date: header with current date (rename old header)
-  + prepend [vfy] to Subject: field contents
-  + append body with verification message, including current timestamp
-    and verified delivery address

+ 0 - 25
src/etc/conf.d/spawn-fcgi.cable

@@ -1,25 +0,0 @@
-# Need to start before nginx
-rc_before="nginx"
-
-# The filename is suffixed with -1, -2, ... for each child process
-FCGI_SOCKET=/var/run/fastcgi.sock
-
-# 0.0.0.0 binds to all addresses
-# Child processes use consecutive ports
-FCGI_ADDRESS=127.0.0.1
-FCGI_PORT=
-
-FCGI_PROGRAM=/usr/sbin/fcgiwrap
-FCGI_CHILDREN=1
-
-FCGI_CHROOT=
-FCGI_CHDIR=
-
-FCGI_USER=cable
-FCGI_GROUP=cable
-
-FCGI_EXTRA_OPTIONS="-U nginx -G nginx -M 0600"
-
-# Additional environment variables
-ALLOWED_ENV="PATH CABLE_QUEUES"
-CABLE_QUEUES=/home/anon/persist/cables

+ 1 - 1
src/etc/init.d/identity

@@ -107,7 +107,7 @@ start() {
         username=`cat ${certsdir}/username | LC_ALL=C tr -cd '[:alnum:]'`
         rsync -lptHS --safe-links --chmod=u=rw,g=r,o= ${certsdir}/*.pem ${cableflag}/certs \
             && mv -T ${cableflag} /var/www/"${username}" \
-            && sed -i "s/\<CABLE\>/${username}/; s/## allow/allow/" /etc/nginx/nginx.conf
+            && sed -i "s/\<CABLE\>/${username}/; s/## allow/allow/" /etc/nginx/nginx-cable.conf
         eend $?
     fi
 
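Review bot: The `sed -i` on the new line exits 0 even when neither expression matches, so `eend $?` reports success if the packaged `nginx-cable.conf` no longer contains the `CABLE` placeholder or the `## allow` marker. Going by the header of the removed nginx.conf, the unsubstituted file denies all requests, so this presumably fails closed, but silently; `nginx-cable.conf` itself is not shown in this commit. Consider extending the chain with a check such as `&& grep -q "/${username}/" /etc/nginx/nginx-cable.conf` so that a missed substitution fails the service start. The body of start() begins and ends outside this hunk.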

+ 0 - 1
src/etc/init.d/spawn-fcgi.cable

@@ -1 +0,0 @@
-spawn-fcgi

+ 0 - 97
src/etc/nginx/nginx.conf

@@ -1,97 +0,0 @@
-# Upon boot:
-#   _CABLE_ must be replaced with the cables username
-#   "allow" lines must be uncommented
-# Without the above, nginx will deny all requests
-
-user             nginx nginx;
-worker_processes 1;
-
-error_log /var/log/nginx/error_log crit;
-
-events {
-    worker_connections 1024;
-    use                epoll;
-}
-
-http {
-    include      mime.types;
-    default_type application/octet-stream;
-    index        index.html;
-
-    client_header_timeout 10m;
-    client_body_timeout   10m;
-    send_timeout          10m;
-
-    # NOTE: nginx doesn't support range requests for compressed data
-    gzip            on;
-    gzip_comp_level 9;
-    gzip_proxied    any;
-    gzip_types text/plain text/css text/xml application/x-javascript
-               application/xhtml+xml application/rss+xml
-               application/atom+xml image/svg+xml 
-               application/x-x509-ca-cert application/octet-stream;
-
-    sendfile    on;
-    tcp_nopush  on;
-    tcp_nodelay on;
-
-    keepalive_timeout      20;
-    ignore_invalid_headers on;
-
-    log_format main
-               '$remote_addr - $remote_user [$time_iso8601] '
-               '"$request" $status $bytes_sent '
-               '"$http_referer" "$http_user_agent" '
-               '"$gzip_ratio"';
-    # access_log /var/log/nginx/access_log main;
-    access_log off;
-
-    server_tokens           off;
-    server_name_in_redirect off;
-
-    server {
-        listen      127.0.0.1 default;
-        server_name localhost;
-
-        # Disable all access when substitutions are not done during boot
-        ## allow       127.0.0.1;
-        deny        all;
-
-        root        /var/www;
-
-        location    / {
-            deny all;
-        }
-
-        # Provide access to published files (certs/, queue/, rqueue/)
-        location    /CABLE/ {
-            limit_except GET {
-                deny all;
-            }
-        }
-
-        # Provide access to FastCGI service
-        location    /CABLE/request/ {
-            # Disable FastCGI if substitution fails during boot
-            if (-e $document_root/CABLE) {
-                fastcgi_pass unix:/var/run/fastcgi.sock-1;
-            }
-
-            fastcgi_split_path_info       ^(/CABLE/request/)(.*)$;
-
-            fastcgi_param SCRIPT_FILENAME /usr/libexec/cable/service;
-            fastcgi_param PATH_INFO       $fastcgi_path_info;
-
-            limit_except GET {
-                deny all;
-            }
-        }
-
-        # location    = /nginx-status {
-        #     stub_status on;
-        #     access_log  off;
-        #     allow       127.0.0.1;
-        #     deny        all;
-        # }
-    }
-}

+ 1 - 0
src/etc/nginx/nginx.conf

@@ -0,0 +1 @@
+nginx-cable.conf

+ 2 - 2
src/usr/local/portage/net-mail/cables/Manifest

@@ -1,3 +1,3 @@
-DIST cables-1.0.tar.gz 27677 RMD160 585308a10be98c3d3b6d7a72e90e3511b09345c9 SHA1 a6e7887fe1137a8b2eda7782fd12a35636f59a67 SHA256 2342f6b49b2997e05a5a6fa5e8fb71ba102f865ca54c624613068558394e0bc4
+DIST cables-1.0.1.tar.gz 27744 RMD160 8269092a1fbae386119691c0b9ad282ae0ba1b3c SHA1 080c5c71051b4b5c353005cdc1e8d843ff9be4f5 SHA256 9bac924220f51940417601a66cec44c038560abe8afc7044db2a7772d967bfaf
 DIST i2pupdate_0.8.8.zip 5041856 RMD160 0aa592660835fb64a977bec04958c77d17e9aa4c SHA1 e6caa760a80553b189eef8673d6291654f5ea3c8 SHA256 5c454ca3e63f436df4abbd394e6aa66da280b57179453eb5f90dff33325d9259
-EBUILD cables-1.0.ebuild 4229 RMD160 d01efddec1799f85c97d8f7b81fe62500854c690 SHA1 fa41fdf6047d480152ce0d4d705f756152a81671 SHA256 93066ccb649a9267f5f658657f5a1903baa7ec2ec918f92a7ea64c72b281456f
+EBUILD cables-1.0.1.ebuild 4437 RMD160 5b624c67a7bb84bf04f1316e9f2f1ecf4a491210 SHA1 b34d235dcb7fbcb14aa52125160eef6cb1deee78 SHA256 3c817e205e46cd172b8daa99fbbabfc34c25d353994204d38fe64aed2085f0c9

+ 15 - 11
src/usr/local/portage/net-mail/cables/cables-1.0.ebuild → src/usr/local/portage/net-mail/cables/cables-1.0.1.ebuild

@@ -16,7 +16,7 @@ I2P_PV=0.8.8
 I2P_MY_P=i2pupdate_${I2P_PV}
 
 # In the actual ebuild the GitHub URI should be replaced with a tagged download
-SRC_URI="https://github.com/mkdesu/cables/tarball/v1.0 -> ${P}.tar.gz
+SRC_URI="https://github.com/mkdesu/cables/tarball/v1.0.1 -> ${P}.tar.gz
          http://mirror.i2p2.de/${I2P_MY_P}.zip
          http://launchpad.net/i2p/trunk/${I2P_PV}/+download/${I2P_MY_P}.zip"
 
@@ -53,11 +53,13 @@ src_compile() {
 }
 
 src_install() {
-	doinitd  init/cabled
+	doinitd  init/cabled              || die
+	doconfd  conf/spawn-fcgi.cable    || die
+	dosym    spawn-fcgi /etc/init.d/spawn-fcgi.cable || die
 
-	insinto  /usr/share/${PN}
-	doins    conf/nginx.conf conf/spawn-fcgi.cable || die
-	fperms   600 ${INSDESTTREE}/nginx.conf         || die
+	insinto  /etc/nginx
+	doins    conf/nginx-cable.conf    || die
+	fperms   600 ${INSDESTTREE}/nginx-cable.conf || die
 
 	dobin    bin/*                    || die
 
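Review bot: The `fperms 600 ${INSDESTTREE}/nginx-cable.conf` line carries no explanation of why this one config file is restricted while `conf/spawn-fcgi.cable` is installed with `doconfd` defaults. The init script in this commit later writes the cables username into `nginx-cable.conf`, and the removed doc/cable.txt ties fingerprinting resistance to the username being unknown, so the mode presumably protects that value from other local users. A comment such as `# 600: will contain the cables username after boot-time substitution` would keep the mode from being relaxed later. src_install continues past the end of this hunk.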
@@ -69,21 +71,23 @@ src_install() {
 
 	keepdir       /var/www/cable/certs /var/www/cable/queue /var/www/cable/rqueue
 	fperms  3310  /var/www/cable/certs /var/www/cable/queue /var/www/cable/rqueue || die
-	fperms   711  /var/www/cable                                                  || die
+	fperms   711  /var/www             /var/www/cable                             || die
 	fowners      :nginx /var/www/cable/certs                                      || die "failed to change ownership"
 	fowners cable:nginx /var/www/cable/queue /var/www/cable/rqueue                || die "failed to change ownership"
 }
 
 pkg_postinst() {
 	elog "Remember to add cabled and nginx to the default runlevel"
-	elog "    rc-update add cabled default"
-	elog "    rc-update add nginx  default"
+	elog "    rc-update add cabled           default"
+	elog "    rc-update add nginx            default"
+	elog "    rc-update add spawn-fcgi.cable default"
 	elog ""
 	elog "You need to adjust the user-specific paths in:"
 	elog "    /usr/libexec/cable/suprofile (CABLE_MOUNT must be mountpoint or /)"
 	elog "    /etc/conf.d/spawn-fcgi.cable (CABLE_QUEUES should mirror suprofile)"
-	elog "    /etc/nginx/nginx.conf        (root should mirror CABLE_PUB in suprofile)"
-	elog "    (take spawn-fcgi.cable and nginx.conf from /usr/share/${PN})"
+	elog "    /etc/nginx/nginx-cable.conf  (root should mirror CABLE_PUB in suprofile)"
+	elog "and then set the nginx configuration"
+	elog "    ln -snf nginx-cable.conf /etc/nginx/nginx.conf"
 	elog "Note that CABLE_INBOX and CABLE_QUEUES/{queue,rqueue} directories"
 	elog "must be writable by 'cable' (create them if they don't exist)."
 	elog ""
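Review bot: `fperms 711 /var/www /var/www/cable` now changes the mode of the web root itself, a directory other packages may also install into, and nothing in the hunk says why. Judging by the removed doc/cable.txt ("transient public directory w/o list permission"), the intent appears to be keeping the `<username>` directory name from being listed by local users; a comment such as `# no list permission on /var/www: the <username> directory must not be enumerable` above the line would record that. Separately, the new elog instruction `ln -snf nginx-cable.conf /etc/nginx/nginx.conf` replaces any existing nginx.conf without a backup, and the message should say so. src_install starts before this hunk and pkg_postinst ends after it.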
@@ -98,7 +102,7 @@ pkg_postinst() {
 	elog "Once a cables username has been generated for the user:"
 	elog "    rename CABLE_PUB/cable to CABLE_PUB/<username>"
 	elog "        <username> is located in CABLE_CERTS/certs/username"
-	elog "    /etc/nginx/nginx.conf"
+	elog "    /etc/nginx/nginx-cable.conf"
 	elog "        replace each occurrence of CABLE with <username>"
 	elog "        uncomment the 'allow' line"
 	elog ""