Georg/luksrku
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
57 Commits 3 Branches 4 Tags 284 KiB
c89ff552d4
Commit Graph

57 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Johannes Bauer
c89ff552d4 Also print OpenSSL command line to debug the server 
In debug mode, print the OpenSSL command line needed to connect to a
luksrku server.
 2019-10-23 16:03:58 +02:00
Johannes Bauer
603e63876f Server implementation seems to work 
Rudimentary functionality of server (not including responding to
announcements over UDP) is working now.
 2019-10-23 15:56:06 +02:00
Johannes Bauer
3e5c7d541c Implement actual lookup of luksrku entry 
Now with a proper UUID the PSK is looked up from the key database.
 2019-10-23 15:28:38 +02:00
Johannes Bauer
d70bd1f672 TLS-PSK connection is working in TLSv1.3 
Apparently, I need to spell out "-ciphersuites
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl
s_client command, or it simply will not work.
 2019-10-23 14:28:42 +02:00
Johannes Bauer
969eae12c7 Started with server implementation 
Running into issues with TLSv1.3-PSK. Connection establishment does not
work at the moment.
 2019-10-23 13:18:51 +02:00
Johannes Bauer
667ff55af1 Integrate editor properly from command line 
Now have a way to invoke the editor functionality from the command line
and also provisions to include the server and client parsers.
 2019-10-23 11:34:40 +02:00
Johannes Bauer
ecbf3827ca Integrate current state-of-affairs into luksrku 
Now integrated into the official Makefile. All functionality is broken
(was for a while), but it's progress nevertheless.
 2019-10-23 09:39:40 +02:00
Johannes Bauer
20ffe38b53 Implemented export of key database 
Key database is exported on a client-per-client basis, but with
sanitized LUKS passphrases of course. This is implemented now.
 2019-10-21 22:47:58 +02:00
Johannes Bauer
722476e7fd Implemented more useful commands 
Implemented add/delete operations of hosts and volumes and rekeying of
both as well.
 2019-10-21 21:30:29 +02:00
Johannes Bauer
0cb0e5d470 Further work in keydb 
Work in transcribing the binary LUKS PSK to ASCII. Still buggy, had an
error in thinking (it's not 4 bytes transcribed to 3, but 3 to 4 of
course). Needs fixing.
 2019-10-20 21:09:41 +02:00
Johannes Bauer
bcd794a6c1 Further work on creating correct type-4 UUIDs 
Have the UUIDs actually look and feel like Type-4 UUIDs according to
RFC.
 2019-10-20 17:45:21 +02:00
Johannes Bauer
ffca14559f Further work on UUIDs and the interactive editor 
Listing now works and we've extracted the UUID code into separate files.
 2019-10-20 10:12:37 +02:00
Johannes Bauer
68c74de050 Saving and loading of key database works 
We now can save and load the database from a file and also add hosts.
 2019-10-19 21:52:34 +02:00
Johannes Bauer
9c888cbe4e Major rework of keydb and file encryption 
Currently, main program does not compile, massive rework of the internal
database storage mechanism to allow integration of vault and online
editing.
 2019-10-19 21:28:26 +02:00
Johannes Bauer
b79ae0b417 Initial work on providing an editor 
Just laid out the framework for online editing of the key database,
which was just horrible before.
 2019-10-19 18:12:00 +02:00
Johannes Bauer
1790275960 Release v0.02 
If this release ever makes it to a disto, we want to be able to identify
it by version number, not by commit. Therefore, introduce re-release
with proper tagging.
 2019-10-19 15:08:30 +02:00
Johannes Bauer
73ab437fc9 Include tags in released version number 
We want the displayed version number to contain tags, so add it to the
Makefile option.
 2019-10-19 15:06:39 +02:00
Johannes Bauer
f824198abd Release v0.01 
First release after three years of daily use seems a justified testing
period.
 2019-10-19 14:50:29 +02:00
Johannes Bauer
363fc70f1c Use pkg-config and have git-based version number 
Use pkg-config to find OpenSSL headers and library. Use "git describe"
to determine current version.
 2019-10-19 14:47:54 +02:00
Johannes Bauer
52dee3bad0 More tests to show key changes 
Demonstrating that a new key is chosen on every close operation.
 2019-10-19 11:32:32 +02:00
Johannes Bauer
d8208fbab5 Make vault iteration count adaptible to hardware 
We want to specify a real time for key derivation and let it figure out
by itself how many iterations it needs.
 2019-10-19 11:29:39 +02:00
Johannes Bauer
1312bce9af Add license header to vault files 
Since this was just work-in-progress, I had forgotten to include license
header text.
 2019-10-19 11:10:03 +02:00
Johannes Bauer
aa9fa3e995 Started working on a coldboot-resistant "vault" implementation 
When not needed, encrypt the keys in-memory with a large pre-key so that
forensic acquisition of data using coldboot becomes infeasible. Not used
yet internally.
 2019-10-19 11:07:55 +02:00
Johannes Bauer
2cde43d357 Fix issue with TLSv1.3 negotiation 
TLSv1.3 behaves differently in how PSK identity/PSK identity hints are
exchanged, at least in regards to OpenSSL. This caused the TLS client to
not send their TLS identity to the server, which rejected the connection
(it expected "luksrku v1"). Couldn't solve it with TLSv1.3, so we're now
simply forcing TLSv1.2.
 2019-07-22 21:46:18 +02:00
Johannes Bauer
aece35134e More debugging 
More debug output for password.
 2018-01-16 19:43:19 +01:00
Johannes Bauer
935d0f478d Fix comment 
Some comment was having some copy/paste issue. Fixed.
 2018-01-16 19:42:22 +01:00
Johannes Bauer
1c61480b71 Show log output even in verbose mode 
Compiling with -DDEBUG isn't required to show output of commands,
verbose mode is sufficient.
 2018-01-16 19:40:13 +01:00
Johannes Bauer
bc291dcbd8 Change stupid debug message and output more debug info 
When compiled in debug mode, output more info. Also change the insanely
stupid "exited successfully" message to something actually sensible.
 2018-01-16 19:36:38 +01:00
Johannes Bauer
625998fc8a Only execute luksrku when an actual server config is present 
Previously, it was always executed (although it shouldn't have made it
into the image if no /etc/luksrku-server.bin were present).
 2018-01-16 19:01:55 +01:00
Johannes Bauer
781b10c0c9 Assume system-wide installed OpenSSL v1.1 
After Debian has pretty much migrated to v1.1, we now assume that
OpenSSL is preinstalled system-wide -- it's not experimental anymore.
Currently we assume it's preinstalled in /usr/local.
 2018-01-16 18:59:50 +01:00
Johannes Bauer
b8659ae8fc More README.md fixes 
Mixing terminal output and lists isn't apparently well supported (or I
cannot figure out how to do it). Change text a bit as a workaround.
 2017-08-13 12:27:21 +02:00
Johannes Bauer
2f094c4f55 Fix README.md 
Some indentation problems caused weird display.
 2017-08-13 12:25:36 +02:00
Johannes Bauer
a8b8dfb15f Fix typo in README 
Small typo fixed.
 2017-07-10 21:08:19 +02:00
Johannes Bauer
fd2e456076 Remove references to SSL and replace by TLS. 
We're using TLS, not SSL. Use the proper terminology.
 2017-03-07 21:48:00 +01:00
Johannes Bauer
8b892e3347 Update OpenSSL version and change sig algs 
While the PSK cipher suites do not use any ECDHE/RSA signatures, in the
future someone may change the code. In that case, as a robustness
measure, already set the acceptable signature algorithms now.
Additionally upgrade to OpenSSL v1.1.0e and include the comment to
include X448 once it becomes available for TLS ECDHE (it's not yet,
unfortunately).
 2017-03-07 21:40:21 +01:00
Johannes Bauer
8f2dabc053 Change to build against OpenSSL 1.1.0b 
Critical CVE in 1.1.0a, upgrade immediately.
 2016-09-27 21:18:25 +02:00
Johannes Bauer
13bbc2e565 Print version number on help page 2016-09-24 20:16:09 +02:00
Johannes Bauer
9c3670db9b Cleanups 2016-09-24 20:14:53 +02:00
Johannes Bauer
58a73a552f Try to use initramfs IP autoconfig 
Trying to get rid of the current (shitty) manual IP configuration
process. This should enable you to specify on the kernel command line a
parameter like ip=:::::eth0:dhcp and the initramfs scripts would take
care of acquiring a DHCP address instead of static configuration in the
script itself.
 2016-09-24 16:02:40 +02:00
Johannes Bauer
6089d98721 Introduce --max-bcast-errs command line option 
This enables luksrku to terminate if a certain number of broadcast
attempts has failed (usually due to unavailable networking), therefore
enabling a second method of unlocking LUKS disks (e.g., by manually
entering the password on the console).
 2016-09-24 15:58:52 +02:00
Johannes Bauer
192df4470e initramfs scripts will only include luksrku if it's needed 2016-09-24 11:50:41 +02:00
Johannes Bauer
0d4d2220b2 Implemented unlock cnt and blacklist 
Can now unlock a specified number of hosts as specified on the command
line (e.g., if you want a luksrku client run indefinitely) and also used
the already implemented blacklisting functionality (i.e., if an
unlocking is unsuccessful, it is retried in 120 seconds, not
immediately, as not to spam servers with illegal credentials).
 2016-09-24 11:45:58 +02:00
Johannes Bauer
180b747d24 Fix README 2016-09-24 11:24:28 +02:00
Johannes Bauer
f82cb5dbf7 Fix <pre> areas in markdown 2016-09-24 11:23:38 +02:00
Johannes Bauer
4627410580 Convert tabs to spaces 
I hate markdown. I really do.
 2016-09-24 11:20:42 +02:00
Johannes Bauer
f2f6d091e1 Have a fairly decent help page 
Reused the help page generator from luksipc.
 2016-09-24 11:16:58 +02:00
Johannes Bauer
acc22cd1f6 Use newest OpenSSL version 1.1.0a 2016-09-24 11:07:58 +02:00
Johannes Bauer
b4c919e556 Fixups in the README 2016-09-22 21:21:52 +02:00
Johannes Bauer
2335da36aa Forgot to describe the step to add key 2016-09-22 21:20:16 +02:00
Johannes Bauer
2e1d3d8793 A bit more information 2016-09-22 21:18:16 +02:00