TLS-PSK now taken out of secure vault, but LUKS passphrases not

LUKS passphrases still broken, they're copied over into the secure vault but then not used (i.e., the zeroed-out originals are read).
2019-10-25 18:02:51 +02:00 · 2019-10-25 18:02:51 +02:00 · f01ec97d6b
commit f01ec97d6b
parent dce9c1b323
3 changed files with 35 additions and 2 deletions
--- a/client.c
+++ b/client.c
@ -249,6 +249,7 @@ static bool broadcast_for_keyserver(struct keyclient_t *keyclient) {
 	memcpy(query.magic, UDP_MESSAGE_MAGIC, sizeof(query.magic));
 	memcpy(query.host_uuid, keyclient->keydb->hosts[0].host_uuid, 16);
 	while (true) {
 		log_msg(LLVL_TRACE, "Broadcasting search for luksrku keyserver");
 		send_udp_broadcast_message(sd, keyclient->opts->port, &query, sizeof(query));
 		struct sockaddr_in src = {
--- a/log.c
+++ b/log.c
@ -29,6 +29,7 @@
 #include <openssl/err.h>
 #include "log.h"
 #include "util.h"
 static enum loglvl_t current_loglvl = LOGLEVEL_DEFAULT;
 static const char *loglvl_names[] = {
@ -88,8 +89,12 @@ void log_libc(enum loglvl_t level, const char *msg, ...) {
 }
 static int log_openssl_error_callback(const char *msg, size_t len, void *vlvlptr) {
 	char msgcopy[strlen(msg) + 1];
 	strcpy(msgcopy, msg);
 	truncate_crlf(msgcopy);
 	enum loglvl_t* levelptr = (enum loglvl_t*)vlvlptr;
-	log_msg(*levelptr, msg);
+	log_msg(*levelptr, msgcopy);
 	return 0;
 }
--- a/server.c
+++ b/server.c
@ -49,9 +49,11 @@
 #include "signals.h"
 #include "udp.h"
 #include "blacklist.h"
 #include "vaulted_keydb.h"
 struct keyserver_t {
 	struct keydb_t* keydb;
 	struct vaulted_keydb_t *vaulted_keydb;
 	struct generic_tls_ctx_t gctx;
 	const struct pgmopts_server_t *opts;
 	int tcp_sd, udp_sd;
@ -60,6 +62,7 @@ struct keyserver_t {
 struct client_thread_ctx_t {
 	struct generic_tls_ctx_t *gctx;
 	const struct keydb_t *keydb;
 	struct vaulted_keydb_t *vaulted_keydb;
 	const struct host_entry_t *host;
 	int fd;
 };
@ -128,7 +131,15 @@ static int psk_server_callback(SSL *ssl, const unsigned char *identity, size_t i
 		return 0;
 	}
-	return openssl_tls13_psk_establish_session(ssl, ctx->host->tls_psk, PSK_SIZE_BYTES, EVP_sha256(), sessptr);
+	uint8_t psk[PSK_SIZE_BYTES];
 	if (!vaulted_keydb_get_tls_psk(ctx->vaulted_keydb, psk, ctx->host)) {
 		log_msg(LLVL_WARNING, "Cannot establish server connection without TLS-PSK.");
 		return 0;
 	}
 	int result = openssl_tls13_psk_establish_session(ssl, psk, PSK_SIZE_BYTES, EVP_sha256(), sessptr);
 	OPENSSL_cleanse(psk, PSK_SIZE_BYTES);
 	return result;
 }
 static void client_handler_thread(void *vctx) {
@ -140,6 +151,7 @@ static void client_handler_thread(void *vctx) {
 		SSL_set_app_data(ssl, client);
 		if (SSL_accept(ssl) <= 0) {
 			log_openssl(LLVL_WARNING, "Could not establish TLS connection to connecting client.");
 			ERR_print_errors_fp(stderr);
 		} else {
 			if (client->host) {
@ -224,6 +236,20 @@ bool keyserver_start(const struct pgmopts_server_t *opts) {
 			break;
 		}
 		if (keyserver.keydb->host_count == 0) {
 			log_msg(LLVL_FATAL, "No host entries in key database: %s", opts->filename);
 			success = false;
 			break;
 		}
 		/* Then convert it into a vaulted key database */
 		keyserver.vaulted_keydb = vaulted_keydb_new(keyserver.keydb);
 		if (!keyserver.vaulted_keydb) {
 			log_msg(LLVL_FATAL, "Failed to create vaulted key database.");
 			success = false;
 			break;
 		}
 		if (!create_generic_tls_context(&keyserver.gctx, true)) {
 			log_msg(LLVL_FATAL, "Failed to create OpenSSL server context.");
 			success = false;
@ -273,6 +299,7 @@ bool keyserver_start(const struct pgmopts_server_t *opts) {
 			struct client_thread_ctx_t client_ctx = {
 				.gctx = &keyserver.gctx,
 				.keydb = keyserver.keydb,
 				.vaulted_keydb = keyserver.vaulted_keydb,
 				.fd = client,
 			};
 			if (!pthread_create_detached_thread(client_handler_thread, &client_ctx, sizeof(client_ctx))) {