Johannes Bauer
b0fc16bfc7
Consistent naming and implemented flag honoring
...
Name the flag exactly as it's used by LUKS everywhere: allow_discards
(we had in some places "discard", "allow_discard"). Implement actually
honoring that flag if it's set. Untested code.
2021-06-27 09:47:59 +02:00
Johannes Bauer
cd38193993
Allow editing of volume flags
...
We can now set the "discard" flag of volumes, but it's not yet honored.
2021-06-27 09:42:04 +02:00
Johannes Bauer
bd5caae1ee
Introduce new host_flags field
...
While we're at it with migration, might as well add a host_flags field
so that if we have host-specific configuration flags we want to add
later on, we only have to do a migration once.
2021-06-27 09:17:05 +02:00
Johannes Bauer
af29d9cbf8
Preliminary file migration
...
Pretty raw and untested code which migrates data from v2 to v3,
introducing a new field in the process. This field is neither editable
as of now nor is it honored if it were set.
2021-06-27 00:28:00 +02:00
Johannes Bauer
b0909557ad
Refactoring of version code
...
We want to introduce a new feature (volumes with discard support) which
will cause file incompatibility. This means we need to prepare data
migration code. This prepares that change.
2021-06-26 23:34:26 +02:00
Johannes Bauer
bd929be9fa
Release v0.03
...
The previous bugfix commit justifies a new release.
2021-06-26 22:51:56 +02:00
Johannes Bauer
47f7ca6c31
Fix numerous log format issues
...
We had not declared function attributes that check the format syntax;
this led to a number of issues that remained undetected. Fixed.
2021-06-26 22:48:33 +02:00
Johannes Bauer
265dd0582a
Modify keying in vault
...
We currently derive the dkey from the source key at every open or close
(decrypt or encrypt) operation. However, we want to keep the time that
the internal data is exposed (decrypted) as short as possible. While the
vault is open, there's no problem keeping a copy of the dkey around
(because the data is decrypted anyways, therefore it isn't important).
So we change things around and, at the expense of doubling the time that
decryption takes, we make encryption extremely fast. We do this by
computing the next (rekeyed) key at the start of the decryption routine
(but before the data has been decrypted) and keep the dkey stored in the
vault structure for direct access on the next encryption run.
2019-10-26 12:55:25 +02:00
Johannes Bauer
8681e49561
Slight refactoring of vault code
...
We want to keep the dkey in the vault structure as long as it's open
(because only the open operation should take long, the close operation
should be really fast).
2019-10-26 10:33:36 +02:00
Johannes Bauer
1a765b6369
Remove unneeded file
...
Another file that's not necessary anymore, now ditched.
2019-10-26 10:29:40 +02:00
Johannes Bauer
e2bb69144d
Remove licensify files
...
We can do this by hand, no need for a special script.
2019-10-25 20:40:21 +02:00
Johannes Bauer
912b874f7a
Spellcheck and remove unused files
...
Some minor, cosmetic cleanups.
2019-10-25 20:39:55 +02:00
Johannes Bauer
e0444c493e
This version of luksrku is incompatible with v0.02
...
Database format has changed and messaging as well. Document this.
2019-10-25 18:51:45 +02:00
Johannes Bauer
f2e21ebdde
Explain more of the internal workings of luksrku
...
Openness and transparency build trust, document what we're doing so that
it can be easily reviewed.
2019-10-25 18:49:09 +02:00
Johannes Bauer
5400e3716a
Documentation of usage
...
Added documentation of simple usage and also integration into initramfs.
2019-10-25 18:39:10 +02:00
Johannes Bauer
9dc8164dcc
Vaulted key database fully used
...
Now all keys are encrypted when they're not in use to thwart cold-boot
attacks. Furthermore, all unlocking messages are sent in bulk to avoid
fragmentation and improve performance.
2019-10-25 18:17:43 +02:00
Johannes Bauer
f01ec97d6b
TLS-PSK now taken out of secure vault, but LUKS passphrases not
...
LUKS passphrases still broken, they're copied over into the secure vault
but then not used (i.e., the zeroed-out originals are read).
2019-10-25 18:02:51 +02:00
Johannes Bauer
dce9c1b323
Vaulted keydb should work, but it's not used yet
...
All the methods are implemented to get the vaulted key database running,
but it's not in use yet.
2019-10-25 17:46:21 +02:00
Johannes Bauer
40a0871e03
Vault creation works
...
We can now generated a vaulted key database from the key database and
cleanse the original key data.
2019-10-25 17:18:09 +02:00
Johannes Bauer
0bf0759c9c
Make vault threadsafe
...
We might have multiple processes accessing the vault and need to always
keep a proper reference count.
2019-10-25 16:30:46 +02:00
Johannes Bauer
54063ec025
Remove duplicate "now" function
...
We also have this functionality in util, no need to copy it.
2019-10-25 16:21:37 +02:00
Johannes Bauer
6ac94dbd83
Integrate vault into build process
...
Right now it's still not used, but integrated into the build process
anyways.
2019-10-25 16:16:13 +02:00
Johannes Bauer
17d1b9a52d
Remove redundant files and add more info
...
Show a more informative message when server's been successfully started
and remove unused files.
2019-10-25 16:13:28 +02:00
Johannes Bauer
1469d83a96
Fix default KDF
...
Inconsistency in KDF documentation fixed.
2019-10-25 13:33:48 +02:00
Johannes Bauer
78104a8b87
Remove debugging and set default timeout
...
While timeout was announced in "client" help page, it wasn't effective.
Fixed. Also disable debugging.
2019-10-25 13:24:08 +02:00
Johannes Bauer
ba46e5bb43
Adapt initramfs hooks
...
Unlocking entity is now the client, not the server anymore. Change
filenames and syntax in initramfs scripts to reflect both.
2019-10-25 13:06:20 +02:00
Johannes Bauer
ab670a431a
Refactor command execution to not use tempfile
...
Previously, we wrote the passphrase contents to a temporary file on
/dev/shm and then wiped it afterwards. This is odd, why don't we use a
pipe for this purpose, like it's intended to be used? Replace all of
that previous code by piped IPC.
2019-10-25 13:02:35 +02:00
Johannes Bauer
3478fa4555
Unlocking LUKS volumes works
...
First complete technical round-trip complete, can unlock the LUKS
volumes described in the server/client databases successfully.
2019-10-25 12:19:01 +02:00
Johannes Bauer
849e3a5949
Implemented finding of keyserver and unlocking of volumes
...
We'll now parse the response messages on the client side, abort after a
previously defined timeout and trigger the LUKS unlocking process, if
requested (although the latter isn't fully implemented yet).
2019-10-25 11:08:20 +02:00
Johannes Bauer
05e112065e
Implemented proper query response on server side
...
The server now checks the host database and responds correctly, but the
client still does not know how to get that response.
2019-10-25 10:21:29 +02:00
Johannes Bauer
8c7c0e5870
Receiving broadcast messages and plausibility-checking
...
Now we're receiving the client broadcasts on the server side and
checking if they match the magic number we're expecting.
2019-10-25 09:33:20 +02:00
Johannes Bauer
2f36b56417
Can now receive UDP broadcasts
...
Still need to figure out how to receive UDP broadcast, but respond as
unicast. Not entirely sure yet.
2019-10-24 19:03:48 +02:00
Johannes Bauer
60b1b2bf39
Refactoring of server code
...
Consolidate server state into one struct, similar to our client
solution.
2019-10-24 17:04:49 +02:00
Johannes Bauer
39ced77b98
More disabled code removal
...
Removed the code that was previously the main application.
2019-10-24 16:57:35 +02:00
Johannes Bauer
25649e0caa
Add luksrku version in help page
...
Before we forget to include it, put it right in there so it's easy to
determine which version it was built from.
2019-10-23 22:32:35 +02:00
Johannes Bauer
4ee2739bac
Prettify Makefile
...
Have the dependent objects in alphabetical order.
2019-10-23 22:31:41 +02:00
Johannes Bauer
2a4f2a8e3b
Implemented client broadcasting again
...
Clients now broadcast their host UUID and magic number via UDP, but the
server does not respond nor would the client trigger anything if the
server did.
2019-10-23 22:29:40 +02:00
Johannes Bauer
36f9988fce
Cleanup in server socket code
...
This is ancient programming style. Bring it up to 2019.
2019-10-23 22:13:36 +02:00
Johannes Bauer
6b5ed8f62c
Remove unused code
...
Old, now unused code removed entirely.
2019-10-23 22:12:00 +02:00
Johannes Bauer
1f56e19361
Consolidated session establishment for client and server
...
Essentially, they share most of the same code. Consolidate everything
into one function.
2019-10-23 22:06:47 +02:00
Johannes Bauer
0e8e42d0ea
Client and server commnunication now works
...
We can send our little datagrams over and that works nicely. Need to
consolidate the PSK session establishment into one shared function.
2019-10-23 21:54:10 +02:00
Johannes Bauer
983217ffbd
Further work on the client code
...
Trying to get everything in shape, not looking too bad.
2019-10-23 21:13:50 +02:00
Johannes Bauer
425e2dcd66
Add client code back in
...
Client code basis back in, parsing of command line options as well.
Client does not do anything yet, though.
2019-10-23 20:13:25 +02:00
Johannes Bauer
9ea0a9695c
Fix bug with commandline parsing
...
For each parameter, all previous parameters were overwritten with
default values. Fixed.
2019-10-23 20:01:54 +02:00
Johannes Bauer
2143adc91f
Added detached thread handling code
...
Make it easier to create a detached thread, it's always the same and
error-checking is quite repetitive.
2019-10-23 19:47:26 +02:00
Johannes Bauer
8200c9668d
Rewrite README
...
A lot has changed, let's update the README even though it's not all done
yet.
2019-10-23 16:13:23 +02:00
Johannes Bauer
c89ff552d4
Also print OpenSSL command line to debug the server
...
In debug mode, print the OpenSSL command line needed to connect to a
luksrku server.
2019-10-23 16:03:58 +02:00
Johannes Bauer
603e63876f
Server implementation seems to work
...
Rudimentary functionality of server (not including responding to
announcements over UDP) is working now.
2019-10-23 15:56:06 +02:00
Johannes Bauer
3e5c7d541c
Implement actual lookup of luksrku entry
...
Now with a proper UUID the PSK is looked up from the key database.
2019-10-23 15:28:38 +02:00
Johannes Bauer
d70bd1f672
TLS-PSK connection is working in TLSv1.3
...
Apparently, I need to spell out "-ciphersuites
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl
s_client command, or it simply will not work.
2019-10-23 14:28:42 +02:00