From f01ec97d6b4c9160fe88d76563850e200022205c Mon Sep 17 00:00:00 2001
From: Johannes Bauer
Date: Fri, 25 Oct 2019 18:02:51 +0200
Subject: [PATCH] TLS-PSK now taken out of secure vault, but LUKS passphrases not

LUKS passphrases still broken, they're copied over into the secure vault but then not used (i.e., the zeroed-out originals are read).
---
 client.c | 1 +
 log.c | 7 ++++++-
 server.c | 29 ++++++++++++++++++++++++++++-
 3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/client.c b/client.c
index c27aeea..91577f9 100644
--- a/client.c
+++ b/client.c
@@ -249,6 +249,7 @@ static bool broadcast_for_keyserver(struct keyclient_t *keyclient) {
 memcpy(query.magic, UDP_MESSAGE_MAGIC, sizeof(query.magic));
 memcpy(query.host_uuid, keyclient->keydb->hosts[0].host_uuid, 16);
 while (true) {
+ log_msg(LLVL_TRACE, "Broadcasting search for luksrku keyserver");
 send_udp_broadcast_message(sd, keyclient->opts->port, &query, sizeof(query));
 struct sockaddr_in src = {
diff --git a/log.c b/log.c
index d31eed1..af19ea0 100644
--- a/log.c
+++ b/log.c
@@ -29,6 +29,7 @@
 #include 
 #include "log.h"
+#include "util.h"
 
 static enum loglvl_t current_loglvl = LOGLEVEL_DEFAULT;
 static const char *loglvl_names[] = {
@@ -88,8 +89,12 @@ void log_libc(enum loglvl_t level, const char *msg, ...) {
 }
 
 static int log_openssl_error_callback(const char *msg, size_t len, void *vlvlptr) {
+ char msgcopy[strlen(msg) + 1];
+ strcpy(msgcopy, msg);
+ truncate_crlf(msgcopy);
+
 enum loglvl_t* levelptr = (enum loglvl_t*)vlvlptr;
- log_msg(*levelptr, msg);
+ log_msg(*levelptr, msgcopy);
 return 0;
 }
 
diff --git a/server.c b/server.c
index a380a63..737a0ef 100644
--- a/server.c
+++ b/server.c
@@ -49,9 +49,11 @@
 #include "signals.h"
 #include "udp.h"
 #include "blacklist.h"
+#include "vaulted_keydb.h"
 
 struct keyserver_t {
 struct keydb_t* keydb;
+ struct vaulted_keydb_t *vaulted_keydb;
 struct generic_tls_ctx_t gctx;
 const struct pgmopts_server_t *opts;
 int tcp_sd, udp_sd;
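Review bot: `log_msg(*levelptr, msgcopy);` still hands the OpenSSL error text to `log_msg` as its format string; `log_msg` is variadic (server.c in this same patch calls it as `log_msg(LLVL_FATAL, "No host entries in key database: %s", opts->filename)`), so any `%` in that text is interpreted as a conversion instead of being logged verbatim. Pass it as an argument instead, `log_msg(*levelptr, "%s", msgcopy);`. The copy also ignores the callback's `len` parameter and sizes a VLA from `strlen(msg)`; bounding the copy by `len` keeps it consistent with what OpenSSL reports, e.g. `char msgcopy[len + 1]; memcpy(msgcopy, msg, len); msgcopy[len] = '\0';`, though whether `msg` is always NUL-terminated at this call site is not visible in the diff.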
@@ -60,6 +62,7 @@ struct keyserver_t {
 struct client_thread_ctx_t {
 struct generic_tls_ctx_t *gctx;
 const struct keydb_t *keydb;
+ struct vaulted_keydb_t *vaulted_keydb;
 const struct host_entry_t *host;
 int fd;
 };
@@ -128,7 +131,15 @@ static int psk_server_callback(SSL *ssl, const unsigned char *identity, size_t i
 return 0;
 }
 
- return openssl_tls13_psk_establish_session(ssl, ctx->host->tls_psk, PSK_SIZE_BYTES, EVP_sha256(), sessptr);
+ uint8_t psk[PSK_SIZE_BYTES];
+ if (!vaulted_keydb_get_tls_psk(ctx->vaulted_keydb, psk, ctx->host)) {
+ log_msg(LLVL_WARNING, "Cannot establish server connection without TLS-PSK.");
+ return 0;
+ }
+
+ int result = openssl_tls13_psk_establish_session(ssl, psk, PSK_SIZE_BYTES, EVP_sha256(), sessptr);
+ OPENSSL_cleanse(psk, PSK_SIZE_BYTES);
+ return result;
 }
 
 static void client_handler_thread(void *vctx) {
@@ -140,6 +151,7 @@ static void client_handler_thread(void *vctx) {
 SSL_set_app_data(ssl, client);
 if (SSL_accept(ssl) <= 0) {
+ log_openssl(LLVL_WARNING, "Could not establish TLS connection to connecting client.");
 ERR_print_errors_fp(stderr);
 } else {
 if (client->host) {
@@ -224,6 +236,20 @@ bool keyserver_start(const struct pgmopts_server_t *opts) {
 break;
 }
 
+ if (keyserver.keydb->host_count == 0) {
+ log_msg(LLVL_FATAL, "No host entries in key database: %s", opts->filename);
+ success = false;
+ break;
+ }
+
+ /* Then convert it into a vaulted key database */
+ keyserver.vaulted_keydb = vaulted_keydb_new(keyserver.keydb);
+ if (!keyserver.vaulted_keydb) {
+ log_msg(LLVL_FATAL, "Failed to create vaulted key database.");
+ success = false;
+ break;
+ }
+
 if (!create_generic_tls_context(&keyserver.gctx, true)) {
 log_msg(LLVL_FATAL, "Failed to create OpenSSL server context.");
 success = false;
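Review bot: The failure branch of the new `vaulted_keydb_get_tls_psk` check returns without wiping `psk`, so if that helper writes any key bytes before reporting failure (its body is not in this diff) they remain on the stack; wipe on that path too, `OPENSSL_cleanse(psk, PSK_SIZE_BYTES);` before the `return 0;`, or route both exits through a single cleanse. A one-line comment that `openssl_tls13_psk_establish_session` must have copied the key into the session by the time it returns would also help, since the buffer is erased immediately afterwards — presumably true, but the diff does not show it. psk_server_callback's signature and the checks preceding `return 0;` lie outside the hunk.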
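Review bot: In the `SSL_accept` failure branch the new `log_openssl(...)` is immediately followed by the pre-existing `ERR_print_errors_fp(stderr);`, which reports the same failure a second time; and if `log_openssl` drains the OpenSSL error queue through `ERR_print_errors_cb` (the callback this patch edits in log.c suggests it does), the `stderr` call finds the queue already empty and prints nothing. Keep one of the two, presumably `log_openssl`, and drop `ERR_print_errors_fp(stderr);`. client_handler_thread's body continues past the hunk.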
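Review bot: `keyserver.vaulted_keydb = vaulted_keydb_new(keyserver.keydb);` introduces an allocation that holds key material, but no matching release appears in the hunk, and the `break` on a failed `create_generic_tls_context` right below exits with it live; keyserver_start continues outside the hunk, so confirm the teardown after the loop frees it on both the error and the normal-shutdown path. A short comment at the call would also prevent the mistake the commit message admits for the LUKS passphrases, e.g. `/* After this call secrets must be read via vaulted_keydb, not keyserver.keydb (the originals are wiped) */`.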
@@ -273,6 +299,7 @@ bool keyserver_start(const struct pgmopts_server_t *opts) {
 struct client_thread_ctx_t client_ctx = {
 .gctx = &keyserver.gctx,
 .keydb = keyserver.keydb,
+ .vaulted_keydb = keyserver.vaulted_keydb,
 .fd = client,
 };
 if (!pthread_create_detached_thread(client_handler_thread, &client_ctx, sizeof(client_ctx))) {
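Review bot: `.vaulted_keydb = keyserver.vaulted_keydb,` places the same vault pointer into the per-connection `client_ctx` that `pthread_create_detached_thread` copies for every client, so `vaulted_keydb_get_tls_psk` will now be called concurrently from every client thread; whether that accessor is safe without external locking is not visible in this diff. Either confirm it and record it at the field, `.vaulted_keydb = keyserver.vaulted_keydb, /* shared by all client threads; accessor must be thread-safe */`, or serialize access inside the vault. keyserver_start's body begins and ends outside the hunk.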