luksrku

Author	SHA1	Message	Date
Johannes Bauer	47f7ca6c31	Fix numerous log format issues We had not declared function attributes that check the format syntax; this led to a number of issues that remained undetected. Fixed.	2021-06-26 22:48:33 +02:00
Johannes Bauer	265dd0582a	Modify keying in vault We currently derive the dkey from the source key at every open or close (decrypt or encrypt) operation. However, we want to keep the time that the internal data is exposed (decrypted) as short as possible. While the vault is open, there's no problem keeping a copy of the dkey around (because the data is decrypted anyways, therefore it isn't important). So we change things around and, at the expense of doubling the time that decryption takes, we make encryption extremely fast. We do this by computing the next (rekeyed) key at the start of the decryption routine (but before the data has been decrypted) and keep the dkey stored in the vault structure for direct access on the next encryption run.	2019-10-26 12:55:25 +02:00
Johannes Bauer	8681e49561	Slight refactoring of vault code We want to keep the dkey in the vault structure as long as it's open (because only the open operation should take long, the close operation should be really fast).	2019-10-26 10:33:36 +02:00
Johannes Bauer	1a765b6369	Remove unneeded file Another file that's not necessary anymore, now ditched.	2019-10-26 10:29:40 +02:00
Johannes Bauer	e2bb69144d	Remove licensify files We can do this by hand, no need for a special script.	2019-10-25 20:40:21 +02:00
Johannes Bauer	912b874f7a	Spellcheck and remove unused files Some minor, cosmetic cleanups.	2019-10-25 20:39:55 +02:00
Johannes Bauer	e0444c493e	This version of luksrku is incompatible with v0.02 Database format has changed and messaging as well. Document this.	2019-10-25 18:51:45 +02:00
Johannes Bauer	f2e21ebdde	Explain more of the internal workings of luksrku Openness and transparency build trust, document what we're doing so that it can be easily reviewed.	2019-10-25 18:49:09 +02:00
Johannes Bauer	5400e3716a	Documentation of usage Added documentation of simple usage and also integration into initramfs.	2019-10-25 18:39:10 +02:00
Johannes Bauer	9dc8164dcc	Vaulted key database fully used Now all keys are encrypted when they're not in use to thwart cold-boot attacks. Furthermore, all unlocking messages are sent in bulk to avoid fragmentation and improve performance.	2019-10-25 18:17:43 +02:00
Johannes Bauer	f01ec97d6b	TLS-PSK now taken out of secure vault, but LUKS passphrases not LUKS passphrases still broken, they're copied over into the secure vault but then not used (i.e., the zeroed-out originals are read).	2019-10-25 18:02:51 +02:00
Johannes Bauer	dce9c1b323	Vaulted keydb should work, but it's not used yet All the methods are implemented to get the vaulted key database running, but it's not in use yet.	2019-10-25 17:46:21 +02:00
Johannes Bauer	40a0871e03	Vault creation works We can now generated a vaulted key database from the key database and cleanse the original key data.	2019-10-25 17:18:09 +02:00
Johannes Bauer	0bf0759c9c	Make vault threadsafe We might have multiple processes accessing the vault and need to always keep a proper reference count.	2019-10-25 16:30:46 +02:00
Johannes Bauer	54063ec025	Remove duplicate "now" function We also have this functionality in util, no need to copy it.	2019-10-25 16:21:37 +02:00
Johannes Bauer	6ac94dbd83	Integrate vault into build process Right now it's still not used, but integrated into the build process anyways.	2019-10-25 16:16:13 +02:00
Johannes Bauer	17d1b9a52d	Remove redundant files and add more info Show a more informative message when server's been successfully started and remove unused files.	2019-10-25 16:13:28 +02:00
Johannes Bauer	1469d83a96	Fix default KDF Inconsistency in KDF documentation fixed.	2019-10-25 13:33:48 +02:00
Johannes Bauer	78104a8b87	Remove debugging and set default timeout While timeout was announced in "client" help page, it wasn't effective. Fixed. Also disable debugging.	2019-10-25 13:24:08 +02:00
Johannes Bauer	ba46e5bb43	Adapt initramfs hooks Unlocking entity is now the client, not the server anymore. Change filenames and syntax in initramfs scripts to reflect both.	2019-10-25 13:06:20 +02:00
Johannes Bauer	ab670a431a	Refactor command execution to not use tempfile Previously, we wrote the passphrase contents to a temporary file on /dev/shm and then wiped it afterwards. This is odd, why don't we use a pipe for this purpose, like it's intended to be used? Replace all of that previous code by piped IPC.	2019-10-25 13:02:35 +02:00
Johannes Bauer	3478fa4555	Unlocking LUKS volumes works First complete technical round-trip complete, can unlock the LUKS volumes described in the server/client databases successfully.	2019-10-25 12:19:01 +02:00
Johannes Bauer	849e3a5949	Implemented finding of keyserver and unlocking of volumes We'll now parse the response messages on the client side, abort after a previously defined timeout and trigger the LUKS unlocking process, if requested (although the latter isn't fully implemented yet).	2019-10-25 11:08:20 +02:00
Johannes Bauer	05e112065e	Implemented proper query response on server side The server now checks the host database and responds correctly, but the client still does not know how to get that response.	2019-10-25 10:21:29 +02:00
Johannes Bauer	8c7c0e5870	Receiving broadcast messages and plausibility-checking Now we're receiving the client broadcasts on the server side and checking if they match the magic number we're expecting.	2019-10-25 09:33:20 +02:00
Johannes Bauer	2f36b56417	Can now receive UDP broadcasts Still need to figure out how to receive UDP broadcast, but respond as unicast. Not entirely sure yet.	2019-10-24 19:03:48 +02:00
Johannes Bauer	60b1b2bf39	Refactoring of server code Consolidate server state into one struct, similar to our client solution.	2019-10-24 17:04:49 +02:00
Johannes Bauer	39ced77b98	More disabled code removal Removed the code that was previously the main application.	2019-10-24 16:57:35 +02:00
Johannes Bauer	25649e0caa	Add luksrku version in help page Before we forget to include it, put it right in there so it's easy to determine which version it was built from.	2019-10-23 22:32:35 +02:00
Johannes Bauer	4ee2739bac	Prettify Makefile Have the dependent objects in alphabetical order.	2019-10-23 22:31:41 +02:00
Johannes Bauer	2a4f2a8e3b	Implemented client broadcasting again Clients now broadcast their host UUID and magic number via UDP, but the server does not respond nor would the client trigger anything if the server did.	2019-10-23 22:29:40 +02:00
Johannes Bauer	36f9988fce	Cleanup in server socket code This is ancient programming style. Bring it up to 2019.	2019-10-23 22:13:36 +02:00
Johannes Bauer	6b5ed8f62c	Remove unused code Old, now unused code removed entirely.	2019-10-23 22:12:00 +02:00
Johannes Bauer	1f56e19361	Consolidated session establishment for client and server Essentially, they share most of the same code. Consolidate everything into one function.	2019-10-23 22:06:47 +02:00
Johannes Bauer	0e8e42d0ea	Client and server commnunication now works We can send our little datagrams over and that works nicely. Need to consolidate the PSK session establishment into one shared function.	2019-10-23 21:54:10 +02:00
Johannes Bauer	983217ffbd	Further work on the client code Trying to get everything in shape, not looking too bad.	2019-10-23 21:13:50 +02:00
Johannes Bauer	425e2dcd66	Add client code back in Client code basis back in, parsing of command line options as well. Client does not do anything yet, though.	2019-10-23 20:13:25 +02:00
Johannes Bauer	9ea0a9695c	Fix bug with commandline parsing For each parameter, all previous parameters were overwritten with default values. Fixed.	2019-10-23 20:01:54 +02:00
Johannes Bauer	2143adc91f	Added detached thread handling code Make it easier to create a detached thread, it's always the same and error-checking is quite repetitive.	2019-10-23 19:47:26 +02:00
Johannes Bauer	8200c9668d	Rewrite README A lot has changed, let's update the README even though it's not all done yet.	2019-10-23 16:13:23 +02:00
Johannes Bauer	c89ff552d4	Also print OpenSSL command line to debug the server In debug mode, print the OpenSSL command line needed to connect to a luksrku server.	2019-10-23 16:03:58 +02:00
Johannes Bauer	603e63876f	Server implementation seems to work Rudimentary functionality of server (not including responding to announcements over UDP) is working now.	2019-10-23 15:56:06 +02:00
Johannes Bauer	3e5c7d541c	Implement actual lookup of luksrku entry Now with a proper UUID the PSK is looked up from the key database.	2019-10-23 15:28:38 +02:00
Johannes Bauer	d70bd1f672	TLS-PSK connection is working in TLSv1.3 Apparently, I need to spell out "-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl s_client command, or it simply will not work.	2019-10-23 14:28:42 +02:00
Johannes Bauer	969eae12c7	Started with server implementation Running into issues with TLSv1.3-PSK. Connection establishment does not work at the moment.	2019-10-23 13:18:51 +02:00
Johannes Bauer	667ff55af1	Integrate editor properly from command line Now have a way to invoke the editor functionality from the command line and also provisions to include the server and client parsers.	2019-10-23 11:34:40 +02:00
Johannes Bauer	ecbf3827ca	Integrate current state-of-affairs into luksrku Now integrated into the official Makefile. All functionality is broken (was for a while), but it's progress nevertheless.	2019-10-23 09:39:40 +02:00
Johannes Bauer	20ffe38b53	Implemented export of key database Key database is exported on a client-per-client basis, but with sanitized LUKS passphrases of course. This is implemented now.	2019-10-21 22:47:58 +02:00
Johannes Bauer	722476e7fd	Implemented more useful commands Implemented add/delete operations of hosts and volumes and rekeying of both as well.	2019-10-21 21:30:29 +02:00
Johannes Bauer	0cb0e5d470	Further work in keydb Work in transcribing the binary LUKS PSK to ASCII. Still buggy, had an error in thinking (it's not 4 bytes transcribed to 3, but 3 to 4 of course). Needs fixing.	2019-10-20 21:09:41 +02:00

1 2

97 Commits