Commit Graph

47 Commits

Author SHA1 Message Date
Johannes Bauer
bcd794a6c1 Further work on creating correct type-4 UUIDs
Have the UUIDs actually look and feel like Type-4 UUIDs according to
RFC.
2019-10-20 17:45:21 +02:00
Johannes Bauer
ffca14559f Further work on UUIDs and the interactive editor
Listing now works and we've extracted the UUID code into separate files.
2019-10-20 10:12:37 +02:00
Johannes Bauer
68c74de050 Saving and loading of key database works
We now can save and load the database from a file and also add hosts.
2019-10-19 21:52:34 +02:00
Johannes Bauer
9c888cbe4e Major rework of keydb and file encryption
Currently, main program does not compile, massive rework of the internal
database storage mechanism to allow integration of vault and online
editing.
2019-10-19 21:28:26 +02:00
Johannes Bauer
b79ae0b417 Initial work on providing an editor
Just laid out the framework for online editing of the key database,
which was just horrible before.
2019-10-19 18:12:00 +02:00
Johannes Bauer
1790275960 Release v0.02
If this release ever makes it to a disto, we want to be able to identify
it by version number, not by commit. Therefore, introduce re-release
with proper tagging.
2019-10-19 15:08:30 +02:00
Johannes Bauer
73ab437fc9 Include tags in released version number
We want the displayed version number to contain tags, so add it to the
Makefile option.
2019-10-19 15:06:39 +02:00
Johannes Bauer
f824198abd Release v0.01
First release after three years of daily use seems a justified testing
period.
2019-10-19 14:50:29 +02:00
Johannes Bauer
363fc70f1c Use pkg-config and have git-based version number
Use pkg-config to find OpenSSL headers and library. Use "git describe"
to determine current version.
2019-10-19 14:47:54 +02:00
Johannes Bauer
52dee3bad0 More tests to show key changes
Demonstrating that a new key is chosen on every close operation.
2019-10-19 11:32:32 +02:00
Johannes Bauer
d8208fbab5 Make vault iteration count adaptible to hardware
We want to specify a real time for key derivation and let it figure out
by itself how many iterations it needs.
2019-10-19 11:29:39 +02:00
Johannes Bauer
1312bce9af Add license header to vault files
Since this was just work-in-progress, I had forgotten to include license
header text.
2019-10-19 11:10:03 +02:00
Johannes Bauer
aa9fa3e995 Started working on a coldboot-resistant "vault" implementation
When not needed, encrypt the keys in-memory with a large pre-key so that
forensic acquisition of data using coldboot becomes infeasible. Not used
yet internally.
2019-10-19 11:07:55 +02:00
Johannes Bauer
2cde43d357 Fix issue with TLSv1.3 negotiation
TLSv1.3 behaves differently in how PSK identity/PSK identity hints are
exchanged, at least in regards to OpenSSL. This caused the TLS client to
not send their TLS identity to the server, which rejected the connection
(it expected "luksrku v1"). Couldn't solve it with TLSv1.3, so we're now
simply forcing TLSv1.2.
2019-07-22 21:46:18 +02:00
Johannes Bauer
aece35134e More debugging
More debug output for password.
2018-01-16 19:43:19 +01:00
Johannes Bauer
935d0f478d Fix comment
Some comment was having some copy/paste issue. Fixed.
2018-01-16 19:42:22 +01:00
Johannes Bauer
1c61480b71 Show log output even in verbose mode
Compiling with -DDEBUG isn't required to show output of commands,
verbose mode is sufficient.
2018-01-16 19:40:13 +01:00
Johannes Bauer
bc291dcbd8 Change stupid debug message and output more debug info
When compiled in debug mode, output more info. Also change the insanely
stupid "exited successfully" message to something actually sensible.
2018-01-16 19:36:38 +01:00
Johannes Bauer
625998fc8a Only execute luksrku when an actual server config is present
Previously, it was always executed (although it shouldn't have made it
into the image if no /etc/luksrku-server.bin were present).
2018-01-16 19:01:55 +01:00
Johannes Bauer
781b10c0c9 Assume system-wide installed OpenSSL v1.1
After Debian has pretty much migrated to v1.1, we now assume that
OpenSSL is preinstalled system-wide -- it's not experimental anymore.
Currently we assume it's preinstalled in /usr/local.
2018-01-16 18:59:50 +01:00
Johannes Bauer
b8659ae8fc More README.md fixes
Mixing terminal output and lists isn't apparently well supported (or I
cannot figure out how to do it). Change text a bit as a workaround.
2017-08-13 12:27:21 +02:00
Johannes Bauer
2f094c4f55 Fix README.md
Some indentation problems caused weird display.
2017-08-13 12:25:36 +02:00
Johannes Bauer
a8b8dfb15f Fix typo in README
Small typo fixed.
2017-07-10 21:08:19 +02:00
Johannes Bauer
fd2e456076 Remove references to SSL and replace by TLS.
We're using TLS, not SSL. Use the proper terminology.
2017-03-07 21:48:00 +01:00
Johannes Bauer
8b892e3347 Update OpenSSL version and change sig algs
While the PSK cipher suites do not use any ECDHE/RSA signatures, in the
future someone may change the code. In that case, as a robustness
measure, already set the acceptable signature algorithms now.
Additionally upgrade to OpenSSL v1.1.0e and include the comment to
include X448 once it becomes available for TLS ECDHE (it's not yet,
unfortunately).
2017-03-07 21:40:21 +01:00
Johannes Bauer
8f2dabc053 Change to build against OpenSSL 1.1.0b
Critical CVE in 1.1.0a, upgrade immediately.
2016-09-27 21:18:25 +02:00
Johannes Bauer
13bbc2e565 Print version number on help page 2016-09-24 20:16:09 +02:00
Johannes Bauer
9c3670db9b Cleanups 2016-09-24 20:14:53 +02:00
Johannes Bauer
58a73a552f Try to use initramfs IP autoconfig
Trying to get rid of the current (shitty) manual IP configuration
process. This should enable you to specify on the kernel command line a
parameter like ip=:::::eth0:dhcp and the initramfs scripts would take
care of acquiring a DHCP address instead of static configuration in the
script itself.
2016-09-24 16:02:40 +02:00
Johannes Bauer
6089d98721 Introduce --max-bcast-errs command line option
This enables luksrku to terminate if a certain number of broadcast
attempts has failed (usually due to unavailable networking), therefore
enabling a second method of unlocking LUKS disks (e.g., by manually
entering the password on the console).
2016-09-24 15:58:52 +02:00
Johannes Bauer
192df4470e initramfs scripts will only include luksrku if it's needed 2016-09-24 11:50:41 +02:00
Johannes Bauer
0d4d2220b2 Implemented unlock cnt and blacklist
Can now unlock a specified number of hosts as specified on the command
line (e.g., if you want a luksrku client run indefinitely) and also used
the already implemented blacklisting functionality (i.e., if an
unlocking is unsuccessful, it is retried in 120 seconds, not
immediately, as not to spam servers with illegal credentials).
2016-09-24 11:45:58 +02:00
Johannes Bauer
180b747d24 Fix README 2016-09-24 11:24:28 +02:00
Johannes Bauer
f82cb5dbf7 Fix <pre> areas in markdown 2016-09-24 11:23:38 +02:00
Johannes Bauer
4627410580 Convert tabs to spaces
I hate markdown. I really do.
2016-09-24 11:20:42 +02:00
Johannes Bauer
f2f6d091e1 Have a fairly decent help page
Reused the help page generator from luksipc.
2016-09-24 11:16:58 +02:00
Johannes Bauer
acc22cd1f6 Use newest OpenSSL version 1.1.0a 2016-09-24 11:07:58 +02:00
Johannes Bauer
b4c919e556 Fixups in the README 2016-09-22 21:21:52 +02:00
Johannes Bauer
2335da36aa Forgot to describe the step to add key 2016-09-22 21:20:16 +02:00
Johannes Bauer
2e1d3d8793 A bit more information 2016-09-22 21:18:16 +02:00
Johannes Bauer
7e27959f15 Minimal documentation added 2016-09-22 20:57:36 +02:00
Johannes Bauer
b8cc5b6bc0 Ignore binaries as well 2016-09-22 20:50:35 +02:00
Johannes Bauer
2b05fbdb52 GIT ignore file added 2016-09-22 20:50:08 +02:00
Johannes Bauer
c356bd33ac Script to add LICENSE headers to all files 2016-09-22 20:48:11 +02:00
Johannes Bauer
edb25da877 LICENSE added (GPLv3) 2016-09-22 20:47:43 +02:00
Johannes Bauer
9b60af8910 Just one sentence readme to clarify with a warning msg 2016-09-22 20:43:19 +02:00
Johannes Bauer
2df69508aa Initial import 2016-09-22 20:40:58 +02:00