Georg/luksrku
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
84 Commits 3 Branches 4 Tags 284 KiB
0bf0759c9c
Commit Graph

84 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Johannes Bauer
0bf0759c9c Make vault threadsafe 
We might have multiple processes accessing the vault and need to always
keep a proper reference count.
 2019-10-25 16:30:46 +02:00
Johannes Bauer
54063ec025 Remove duplicate "now" function 
We also have this functionality in util, no need to copy it.
 2019-10-25 16:21:37 +02:00
Johannes Bauer
6ac94dbd83 Integrate vault into build process 
Right now it's still not used, but integrated into the build process
anyways.
 2019-10-25 16:16:13 +02:00
Johannes Bauer
17d1b9a52d Remove redundant files and add more info 
Show a more informative message when server's been successfully started
and remove unused files.
 2019-10-25 16:13:28 +02:00
Johannes Bauer
1469d83a96 Fix default KDF 
Inconsistency in KDF documentation fixed.
 2019-10-25 13:33:48 +02:00
Johannes Bauer
78104a8b87 Remove debugging and set default timeout 
While timeout was announced in "client" help page, it wasn't effective.
Fixed. Also disable debugging.
 2019-10-25 13:24:08 +02:00
Johannes Bauer
ba46e5bb43 Adapt initramfs hooks 
Unlocking entity is now the client, not the server anymore. Change
filenames and syntax in initramfs scripts to reflect both.
 2019-10-25 13:06:20 +02:00
Johannes Bauer
ab670a431a Refactor command execution to not use tempfile 
Previously, we wrote the passphrase contents to a temporary file on
/dev/shm and then wiped it afterwards. This is odd, why don't we use a
pipe for this purpose, like it's intended to be used? Replace all of
that previous code by piped IPC.
 2019-10-25 13:02:35 +02:00
Johannes Bauer
3478fa4555 Unlocking LUKS volumes works 
First complete technical round-trip complete, can unlock the LUKS
volumes described in the server/client databases successfully.
 2019-10-25 12:19:01 +02:00
Johannes Bauer
849e3a5949 Implemented finding of keyserver and unlocking of volumes 
We'll now parse the response messages on the client side, abort after a
previously defined timeout and trigger the LUKS unlocking process, if
requested (although the latter isn't fully implemented yet).
 2019-10-25 11:08:20 +02:00
Johannes Bauer
05e112065e Implemented proper query response on server side 
The server now checks the host database and responds correctly, but the
client still does not know how to get that response.
 2019-10-25 10:21:29 +02:00
Johannes Bauer
8c7c0e5870 Receiving broadcast messages and plausibility-checking 
Now we're receiving the client broadcasts on the server side and
checking if they match the magic number we're expecting.
 2019-10-25 09:33:20 +02:00
Johannes Bauer
2f36b56417 Can now receive UDP broadcasts 
Still need to figure out how to receive UDP broadcast, but respond as
unicast. Not entirely sure yet.
 2019-10-24 19:03:48 +02:00
Johannes Bauer
60b1b2bf39 Refactoring of server code 
Consolidate server state into one struct, similar to our client
solution.
 2019-10-24 17:04:49 +02:00
Johannes Bauer
39ced77b98 More disabled code removal 
Removed the code that was previously the main application.
 2019-10-24 16:57:35 +02:00
Johannes Bauer
25649e0caa Add luksrku version in help page 
Before we forget to include it, put it right in there so it's easy to
determine which version it was built from.
 2019-10-23 22:32:35 +02:00
Johannes Bauer
4ee2739bac Prettify Makefile 
Have the dependent objects in alphabetical order.
 2019-10-23 22:31:41 +02:00
Johannes Bauer
2a4f2a8e3b Implemented client broadcasting again 
Clients now broadcast their host UUID and magic number via UDP, but the
server does not respond nor would the client trigger anything if the
server did.
 2019-10-23 22:29:40 +02:00
Johannes Bauer
36f9988fce Cleanup in server socket code 
This is ancient programming style. Bring it up to 2019.
 2019-10-23 22:13:36 +02:00
Johannes Bauer
6b5ed8f62c Remove unused code 
Old, now unused code removed entirely.
 2019-10-23 22:12:00 +02:00
Johannes Bauer
1f56e19361 Consolidated session establishment for client and server 
Essentially, they share most of the same code. Consolidate everything
into one function.
 2019-10-23 22:06:47 +02:00
Johannes Bauer
0e8e42d0ea Client and server commnunication now works 
We can send our little datagrams over and that works nicely. Need to
consolidate the PSK session establishment into one shared function.
 2019-10-23 21:54:10 +02:00
Johannes Bauer
983217ffbd Further work on the client code 
Trying to get everything in shape, not looking too bad.
 2019-10-23 21:13:50 +02:00
Johannes Bauer
425e2dcd66 Add client code back in 
Client code basis back in, parsing of command line options as well.
Client does not do anything yet, though.
 2019-10-23 20:13:25 +02:00
Johannes Bauer
9ea0a9695c Fix bug with commandline parsing 
For each parameter, all previous parameters were overwritten with
default values. Fixed.
 2019-10-23 20:01:54 +02:00
Johannes Bauer
2143adc91f Added detached thread handling code 
Make it easier to create a detached thread, it's always the same and
error-checking is quite repetitive.
 2019-10-23 19:47:26 +02:00
Johannes Bauer
8200c9668d Rewrite README 
A lot has changed, let's update the README even though it's not all done
yet.
 2019-10-23 16:13:23 +02:00
Johannes Bauer
c89ff552d4 Also print OpenSSL command line to debug the server 
In debug mode, print the OpenSSL command line needed to connect to a
luksrku server.
 2019-10-23 16:03:58 +02:00
Johannes Bauer
603e63876f Server implementation seems to work 
Rudimentary functionality of server (not including responding to
announcements over UDP) is working now.
 2019-10-23 15:56:06 +02:00
Johannes Bauer
3e5c7d541c Implement actual lookup of luksrku entry 
Now with a proper UUID the PSK is looked up from the key database.
 2019-10-23 15:28:38 +02:00
Johannes Bauer
d70bd1f672 TLS-PSK connection is working in TLSv1.3 
Apparently, I need to spell out "-ciphersuites
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl
s_client command, or it simply will not work.
 2019-10-23 14:28:42 +02:00
Johannes Bauer
969eae12c7 Started with server implementation 
Running into issues with TLSv1.3-PSK. Connection establishment does not
work at the moment.
 2019-10-23 13:18:51 +02:00
Johannes Bauer
667ff55af1 Integrate editor properly from command line 
Now have a way to invoke the editor functionality from the command line
and also provisions to include the server and client parsers.
 2019-10-23 11:34:40 +02:00
Johannes Bauer
ecbf3827ca Integrate current state-of-affairs into luksrku 
Now integrated into the official Makefile. All functionality is broken
(was for a while), but it's progress nevertheless.
 2019-10-23 09:39:40 +02:00
Johannes Bauer
20ffe38b53 Implemented export of key database 
Key database is exported on a client-per-client basis, but with
sanitized LUKS passphrases of course. This is implemented now.
 2019-10-21 22:47:58 +02:00
Johannes Bauer
722476e7fd Implemented more useful commands 
Implemented add/delete operations of hosts and volumes and rekeying of
both as well.
 2019-10-21 21:30:29 +02:00
Johannes Bauer
0cb0e5d470 Further work in keydb 
Work in transcribing the binary LUKS PSK to ASCII. Still buggy, had an
error in thinking (it's not 4 bytes transcribed to 3, but 3 to 4 of
course). Needs fixing.
 2019-10-20 21:09:41 +02:00
Johannes Bauer
bcd794a6c1 Further work on creating correct type-4 UUIDs 
Have the UUIDs actually look and feel like Type-4 UUIDs according to
RFC.
 2019-10-20 17:45:21 +02:00
Johannes Bauer
ffca14559f Further work on UUIDs and the interactive editor 
Listing now works and we've extracted the UUID code into separate files.
 2019-10-20 10:12:37 +02:00
Johannes Bauer
68c74de050 Saving and loading of key database works 
We now can save and load the database from a file and also add hosts.
 2019-10-19 21:52:34 +02:00
Johannes Bauer
9c888cbe4e Major rework of keydb and file encryption 
Currently, main program does not compile, massive rework of the internal
database storage mechanism to allow integration of vault and online
editing.
 2019-10-19 21:28:26 +02:00
Johannes Bauer
b79ae0b417 Initial work on providing an editor 
Just laid out the framework for online editing of the key database,
which was just horrible before.
 2019-10-19 18:12:00 +02:00
Johannes Bauer
1790275960 Release v0.02 
If this release ever makes it to a disto, we want to be able to identify
it by version number, not by commit. Therefore, introduce re-release
with proper tagging.
 2019-10-19 15:08:30 +02:00
Johannes Bauer
73ab437fc9 Include tags in released version number 
We want the displayed version number to contain tags, so add it to the
Makefile option.
 2019-10-19 15:06:39 +02:00
Johannes Bauer
f824198abd Release v0.01 
First release after three years of daily use seems a justified testing
period.
 2019-10-19 14:50:29 +02:00
Johannes Bauer
363fc70f1c Use pkg-config and have git-based version number 
Use pkg-config to find OpenSSL headers and library. Use "git describe"
to determine current version.
 2019-10-19 14:47:54 +02:00
Johannes Bauer
52dee3bad0 More tests to show key changes 
Demonstrating that a new key is chosen on every close operation.
 2019-10-19 11:32:32 +02:00
Johannes Bauer
d8208fbab5 Make vault iteration count adaptible to hardware 
We want to specify a real time for key derivation and let it figure out
by itself how many iterations it needs.
 2019-10-19 11:29:39 +02:00
Johannes Bauer
1312bce9af Add license header to vault files 
Since this was just work-in-progress, I had forgotten to include license
header text.
 2019-10-19 11:10:03 +02:00
Johannes Bauer
aa9fa3e995 Started working on a coldboot-resistant "vault" implementation 
When not needed, encrypt the keys in-memory with a large pre-key so that
forensic acquisition of data using coldboot becomes infeasible. Not used
yet internally.
 2019-10-19 11:07:55 +02:00