Apparently, I need to spell out "-ciphersuites
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl
s_client command, or it simply will not work.
Work in transcribing the binary LUKS PSK to ASCII. Still buggy, had an
error in thinking (it's not 4 bytes transcribed to 3, but 3 to 4 of
course). Needs fixing.
If this release ever makes it to a disto, we want to be able to identify
it by version number, not by commit. Therefore, introduce re-release
with proper tagging.
When not needed, encrypt the keys in-memory with a large pre-key so that
forensic acquisition of data using coldboot becomes infeasible. Not used
yet internally.
TLSv1.3 behaves differently in how PSK identity/PSK identity hints are
exchanged, at least in regards to OpenSSL. This caused the TLS client to
not send their TLS identity to the server, which rejected the connection
(it expected "luksrku v1"). Couldn't solve it with TLSv1.3, so we're now
simply forcing TLSv1.2.
After Debian has pretty much migrated to v1.1, we now assume that
OpenSSL is preinstalled system-wide -- it's not experimental anymore.
Currently we assume it's preinstalled in /usr/local.
While the PSK cipher suites do not use any ECDHE/RSA signatures, in the
future someone may change the code. In that case, as a robustness
measure, already set the acceptable signature algorithms now.
Additionally upgrade to OpenSSL v1.1.0e and include the comment to
include X448 once it becomes available for TLS ECDHE (it's not yet,
unfortunately).
Trying to get rid of the current (shitty) manual IP configuration
process. This should enable you to specify on the kernel command line a
parameter like ip=:::::eth0:dhcp and the initramfs scripts would take
care of acquiring a DHCP address instead of static configuration in the
script itself.
This enables luksrku to terminate if a certain number of broadcast
attempts has failed (usually due to unavailable networking), therefore
enabling a second method of unlocking LUKS disks (e.g., by manually
entering the password on the console).
Can now unlock a specified number of hosts as specified on the command
line (e.g., if you want a luksrku client run indefinitely) and also used
the already implemented blacklisting functionality (i.e., if an
unlocking is unsuccessful, it is retried in 120 seconds, not
immediately, as not to spam servers with illegal credentials).