Johannes Bauer
36f9988fce
Cleanup in server socket code
...
This is ancient programming style. Bring it up to 2019.
2019-10-23 22:13:36 +02:00
Johannes Bauer
6b5ed8f62c
Remove unused code
...
Old, now unused code removed entirely.
2019-10-23 22:12:00 +02:00
Johannes Bauer
1f56e19361
Consolidated session establishment for client and server
...
Essentially, they share most of the same code. Consolidate everything
into one function.
2019-10-23 22:06:47 +02:00
Johannes Bauer
0e8e42d0ea
Client and server communication now works
...
We can send our little datagrams over and that works nicely. Need to
consolidate the PSK session establishment into one shared function.
2019-10-23 21:54:10 +02:00
Johannes Bauer
983217ffbd
Further work on the client code
...
Trying to get everything in shape, not looking too bad.
2019-10-23 21:13:50 +02:00
Johannes Bauer
425e2dcd66
Add client code back in
...
Client code basis back in, parsing of command line options as well.
Client does not do anything yet, though.
2019-10-23 20:13:25 +02:00
Johannes Bauer
9ea0a9695c
Fix bug with commandline parsing
...
For each parameter, all previous parameters were overwritten with
default values. Fixed.
2019-10-23 20:01:54 +02:00
Johannes Bauer
2143adc91f
Added detached thread handling code
...
Make it easier to create a detached thread, it's always the same and
error-checking is quite repetitive.
2019-10-23 19:47:26 +02:00
Johannes Bauer
8200c9668d
Rewrite README
...
A lot has changed, let's update the README even though it's not all done
yet.
2019-10-23 16:13:23 +02:00
Johannes Bauer
c89ff552d4
Also print OpenSSL command line to debug the server
...
In debug mode, print the OpenSSL command line needed to connect to a
luksrku server.
2019-10-23 16:03:58 +02:00
Johannes Bauer
603e63876f
Server implementation seems to work
...
Rudimentary functionality of server (not including responding to
announcements over UDP) is working now.
2019-10-23 15:56:06 +02:00
Johannes Bauer
3e5c7d541c
Implement actual lookup of luksrku entry
...
Now with a proper UUID the PSK is looked up from the key database.
2019-10-23 15:28:38 +02:00
Johannes Bauer
d70bd1f672
TLS-PSK connection is working in TLSv1.3
...
Apparently, I need to spell out "-ciphersuites
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl
s_client command, or it simply will not work.
2019-10-23 14:28:42 +02:00
Johannes Bauer
969eae12c7
Started with server implementation
...
Running into issues with TLSv1.3-PSK. Connection establishment does not
work at the moment.
2019-10-23 13:18:51 +02:00
Johannes Bauer
667ff55af1
Integrate editor properly from command line
...
Now have a way to invoke the editor functionality from the command line
and also provisions to include the server and client parsers.
2019-10-23 11:34:40 +02:00
Johannes Bauer
ecbf3827ca
Integrate current state-of-affairs into luksrku
...
Now integrated into the official Makefile. All functionality is broken
(was for a while), but it's progress nevertheless.
2019-10-23 09:39:40 +02:00
Johannes Bauer
20ffe38b53
Implemented export of key database
...
Key database is exported on a client-per-client basis, but with
sanitized LUKS passphrases of course. This is implemented now.
2019-10-21 22:47:58 +02:00
Johannes Bauer
722476e7fd
Implemented more useful commands
...
Implemented add/delete operations of hosts and volumes and rekeying of
both as well.
2019-10-21 21:30:29 +02:00
Johannes Bauer
0cb0e5d470
Further work in keydb
...
Work in transcribing the binary LUKS PSK to ASCII. Still buggy, had an
error in thinking (it's not 4 bytes transcribed to 3, but 3 to 4 of
course). Needs fixing.
2019-10-20 21:09:41 +02:00
Johannes Bauer
bcd794a6c1
Further work on creating correct type-4 UUIDs
...
Have the UUIDs actually look and feel like Type-4 UUIDs according to
RFC.
2019-10-20 17:45:21 +02:00
Johannes Bauer
ffca14559f
Further work on UUIDs and the interactive editor
...
Listing now works and we've extracted the UUID code into separate files.
2019-10-20 10:12:37 +02:00
Johannes Bauer
68c74de050
Saving and loading of key database works
...
We now can save and load the database from a file and also add hosts.
2019-10-19 21:52:34 +02:00
Johannes Bauer
9c888cbe4e
Major rework of keydb and file encryption
...
Currently, main program does not compile, massive rework of the internal
database storage mechanism to allow integration of vault and online
editing.
2019-10-19 21:28:26 +02:00
Johannes Bauer
b79ae0b417
Initial work on providing an editor
...
Just laid out the framework for online editing of the key database,
which was just horrible before.
2019-10-19 18:12:00 +02:00
Johannes Bauer
1790275960
Release v0.02
...
If this release ever makes it to a distro, we want to be able to identify
it by version number, not by commit. Therefore, introduce re-release
with proper tagging.
2019-10-19 15:08:30 +02:00
Johannes Bauer
73ab437fc9
Include tags in released version number
...
We want the displayed version number to contain tags, so add it to the
Makefile option.
2019-10-19 15:06:39 +02:00
Johannes Bauer
f824198abd
Release v0.01
...
First release after three years of daily use seems a justified testing
period.
2019-10-19 14:50:29 +02:00
Johannes Bauer
363fc70f1c
Use pkg-config and have git-based version number
...
Use pkg-config to find OpenSSL headers and library. Use "git describe"
to determine current version.
2019-10-19 14:47:54 +02:00
Johannes Bauer
52dee3bad0
More tests to show key changes
...
Demonstrating that a new key is chosen on every close operation.
2019-10-19 11:32:32 +02:00
Johannes Bauer
d8208fbab5
Make vault iteration count adaptable to hardware
...
We want to specify a real time for key derivation and let it figure out
by itself how many iterations it needs.
2019-10-19 11:29:39 +02:00
Johannes Bauer
1312bce9af
Add license header to vault files
...
Since this was just work-in-progress, I had forgotten to include license
header text.
2019-10-19 11:10:03 +02:00
Johannes Bauer
aa9fa3e995
Started working on a coldboot-resistant "vault" implementation
...
When not needed, encrypt the keys in-memory with a large pre-key so that
forensic acquisition of data using coldboot becomes infeasible. Not used
yet internally.
2019-10-19 11:07:55 +02:00
Johannes Bauer
2cde43d357
Fix issue with TLSv1.3 negotiation
...
TLSv1.3 behaves differently in how PSK identity/PSK identity hints are
exchanged, at least in regards to OpenSSL. This caused the TLS client to
not send their TLS identity to the server, which rejected the connection
(it expected "luksrku v1"). Couldn't solve it with TLSv1.3, so we're now
simply forcing TLSv1.2.
2019-07-22 21:46:18 +02:00
Johannes Bauer
aece35134e
More debugging
...
More debug output for password.
2018-01-16 19:43:19 +01:00
Johannes Bauer
935d0f478d
Fix comment
...
Some comment was having some copy/paste issue. Fixed.
2018-01-16 19:42:22 +01:00
Johannes Bauer
1c61480b71
Show log output even in verbose mode
...
Compiling with -DDEBUG isn't required to show output of commands,
verbose mode is sufficient.
2018-01-16 19:40:13 +01:00
Johannes Bauer
bc291dcbd8
Change stupid debug message and output more debug info
...
When compiled in debug mode, output more info. Also change the insanely
stupid "exited successfully" message to something actually sensible.
2018-01-16 19:36:38 +01:00
Johannes Bauer
625998fc8a
Only execute luksrku when an actual server config is present
...
Previously, it was always executed (although it shouldn't have made it
into the image if no /etc/luksrku-server.bin were present).
2018-01-16 19:01:55 +01:00
Johannes Bauer
781b10c0c9
Assume system-wide installed OpenSSL v1.1
...
After Debian has pretty much migrated to v1.1, we now assume that
OpenSSL is preinstalled system-wide -- it's not experimental anymore.
Currently we assume it's preinstalled in /usr/local.
2018-01-16 18:59:50 +01:00
Johannes Bauer
b8659ae8fc
More README.md fixes
...
Mixing terminal output and lists isn't apparently well supported (or I
cannot figure out how to do it). Change text a bit as a workaround.
2017-08-13 12:27:21 +02:00
Johannes Bauer
2f094c4f55
Fix README.md
...
Some indentation problems caused weird display.
2017-08-13 12:25:36 +02:00
Johannes Bauer
a8b8dfb15f
Fix typo in README
...
Small typo fixed.
2017-07-10 21:08:19 +02:00
Johannes Bauer
fd2e456076
Remove references to SSL and replace by TLS.
...
We're using TLS, not SSL. Use the proper terminology.
2017-03-07 21:48:00 +01:00
Johannes Bauer
8b892e3347
Update OpenSSL version and change sig algs
...
While the PSK cipher suites do not use any ECDHE/RSA signatures, in the
future someone may change the code. In that case, as a robustness
measure, already set the acceptable signature algorithms now.
Additionally upgrade to OpenSSL v1.1.0e and include the comment to
include X448 once it becomes available for TLS ECDHE (it's not yet,
unfortunately).
2017-03-07 21:40:21 +01:00
Johannes Bauer
8f2dabc053
Change to build against OpenSSL 1.1.0b
...
Critical CVE in 1.1.0a, upgrade immediately.
2016-09-27 21:18:25 +02:00
Johannes Bauer
13bbc2e565
Print version number on help page
2016-09-24 20:16:09 +02:00
Johannes Bauer
9c3670db9b
Cleanups
2016-09-24 20:14:53 +02:00
Johannes Bauer
58a73a552f
Try to use initramfs IP autoconfig
...
Trying to get rid of the current (shitty) manual IP configuration
process. This should enable you to specify on the kernel command line a
parameter like ip=:::::eth0:dhcp and the initramfs scripts would take
care of acquiring a DHCP address instead of static configuration in the
script itself.
2016-09-24 16:02:40 +02:00
Johannes Bauer
6089d98721
Introduce --max-bcast-errs command line option
...
This enables luksrku to terminate if a certain number of broadcast
attempts has failed (usually due to unavailable networking), therefore
enabling a second method of unlocking LUKS disks (e.g., by manually
entering the password on the console).
2016-09-24 15:58:52 +02:00
Johannes Bauer
192df4470e
initramfs scripts will only include luksrku if it's needed
2016-09-24 11:50:41 +02:00