Commit Graph

20 Commits

Author SHA1 Message Date
Johannes Bauer
323db6d08d Default timeout parameter added
When we're modifying the binary format, we can introduce host-dependent
timeouts as well.
2021-06-27 12:51:51 +02:00
Johannes Bauer
b0fc16bfc7 Consistent naming and implemented flag honoring
Name the flag exactly as it's used by LUKS everywhere: allow_discards
(we had in some places "discard", "allow_discard"). Implement actually
honoring that flag if it's set. Untested code.
2021-06-27 09:47:59 +02:00
Johannes Bauer
b0909557ad Refactoring of version code
We want to introduce a new feature (volumes with discard support) which
will cause file incompatibility.  This means we need to prepare data
migration code. This prepares that change.
2021-06-26 23:34:26 +02:00
Johannes Bauer
9dc8164dcc Vaulted key database fully used
Now all keys are encrypted when they're not in use to thwart cold-boot
attacks. Furthermore, all unlocking messages are sent in bulk to avoid
fragmentation and improve performance.
2019-10-25 18:17:43 +02:00
Johannes Bauer
f01ec97d6b TLS-PSK now taken out of secure vault, but LUKS passphrases not
LUKS passphrases still broken, they're copied over into the secure vault
but then not used (i.e., the zeroed-out originals are read).
2019-10-25 18:02:51 +02:00
Johannes Bauer
ab670a431a Refactor command execution to not use tempfile
Previously, we wrote the passphrase contents to a temporary file on
/dev/shm and then wiped it afterwards. This is odd, why don't we use a
pipe for this purpose, like it's intended to be used? Replace all of
that previous code by piped IPC.
2019-10-25 13:02:35 +02:00
Johannes Bauer
3478fa4555 Unlocking LUKS volumes works
First complete technical round-trip complete, can unlock the LUKS
volumes described in the server/client databases successfully.
2019-10-25 12:19:01 +02:00
Johannes Bauer
849e3a5949 Implemented finding of keyserver and unlocking of volumes
We'll now parse the response messages on the client side, abort after a
previously defined timeout and trigger the LUKS unlocking process, if
requested (although the latter isn't fully implemented yet).
2019-10-25 11:08:20 +02:00
Johannes Bauer
2a4f2a8e3b Implemented client broadcasting again
Clients now broadcast their host UUID and magic number via UDP, but the
server does not respond nor would the client trigger anything if the
server did.
2019-10-23 22:29:40 +02:00
Johannes Bauer
6b5ed8f62c Remove unused code
Old, now unused code removed entirely.
2019-10-23 22:12:00 +02:00
Johannes Bauer
1f56e19361 Consolidated session establishment for client and server
Essentially, they share most of the same code. Consolidate everything
into one function.
2019-10-23 22:06:47 +02:00
Johannes Bauer
0e8e42d0ea Client and server commnunication now works
We can send our little datagrams over and that works nicely. Need to
consolidate the PSK session establishment into one shared function.
2019-10-23 21:54:10 +02:00
Johannes Bauer
983217ffbd Further work on the client code
Trying to get everything in shape, not looking too bad.
2019-10-23 21:13:50 +02:00
Johannes Bauer
425e2dcd66 Add client code back in
Client code basis back in, parsing of command line options as well.
Client does not do anything yet, though.
2019-10-23 20:13:25 +02:00
Johannes Bauer
667ff55af1 Integrate editor properly from command line
Now have a way to invoke the editor functionality from the command line
and also provisions to include the server and client parsers.
2019-10-23 11:34:40 +02:00
Johannes Bauer
2cde43d357 Fix issue with TLSv1.3 negotiation
TLSv1.3 behaves differently in how PSK identity/PSK identity hints are
exchanged, at least in regards to OpenSSL. This caused the TLS client to
not send their TLS identity to the server, which rejected the connection
(it expected "luksrku v1"). Couldn't solve it with TLSv1.3, so we're now
simply forcing TLSv1.2.
2019-07-22 21:46:18 +02:00
Johannes Bauer
fd2e456076 Remove references to SSL and replace by TLS.
We're using TLS, not SSL. Use the proper terminology.
2017-03-07 21:48:00 +01:00
Johannes Bauer
0d4d2220b2 Implemented unlock cnt and blacklist
Can now unlock a specified number of hosts as specified on the command
line (e.g., if you want a luksrku client run indefinitely) and also used
the already implemented blacklisting functionality (i.e., if an
unlocking is unsuccessful, it is retried in 120 seconds, not
immediately, as not to spam servers with illegal credentials).
2016-09-24 11:45:58 +02:00
Johannes Bauer
edb25da877 LICENSE added (GPLv3) 2016-09-22 20:47:43 +02:00
Johannes Bauer
2df69508aa Initial import 2016-09-22 20:40:58 +02:00