Commit Graph

102 Commits

Author SHA1 Message Date
Johannes Bauer
cd38193993 Allow editing of volume flags
We can now set the "discard" flag of volumes, but it's not yet honored.
2021-06-27 09:42:04 +02:00
Johannes Bauer
bd5caae1ee Introduce new host_flags field
While we're at it with migration, might as well add a host_flags field
so that if we have host-specific configuration flags we want to add
later on, we only have to do a migration once.
2021-06-27 09:17:05 +02:00
Johannes Bauer
af29d9cbf8 Preliminary file migration
Pretty raw and untested code which migrates data from v2 to v3,
introducing a new field in the process. This field is neither editable
as of now nor is it honored if it were set.
2021-06-27 00:28:00 +02:00
Johannes Bauer
b0909557ad Refactoring of version code
We want to introduce a new feature (volumes with discard support) which
will cause file incompatibility.  This means we need to prepare data
migration code. This prepares that change.
2021-06-26 23:34:26 +02:00
Johannes Bauer
bd929be9fa Release v0.03
The previous bugfix commit justifies a new release.
2021-06-26 22:51:56 +02:00
Johannes Bauer
47f7ca6c31 Fix numerous log format issues
We had not declared function attributes that check the format syntax;
this led to a number of issues that remained undetected. Fixed.
2021-06-26 22:48:33 +02:00
Johannes Bauer
265dd0582a Modify keying in vault
We currently derive the dkey from the source key at every open or close
(decrypt or encrypt) operation. However, we want to keep the time that
the internal data is exposed (decrypted) as short as possible. While the
vault is open, there's no problem keeping a copy of the dkey around
(because the data is decrypted anyways, therefore it isn't important).
So we change things around and, at the expense of doubling the time that
decryption takes, we make encryption extremely fast. We do this by
computing the next (rekeyed) key at the start of the decryption routine
(but before the data has been decrypted) and keep the dkey stored in the
vault structure for direct access on the next encryption run.
2019-10-26 12:55:25 +02:00
Johannes Bauer
8681e49561 Slight refactoring of vault code
We want to keep the dkey in the vault structure as long as it's open
(because only the open operation should take long, the close operation
should be really fast).
2019-10-26 10:33:36 +02:00
Johannes Bauer
1a765b6369 Remove unneeded file
Another file that's not necessary anymore, now ditched.
2019-10-26 10:29:40 +02:00
Johannes Bauer
e2bb69144d Remove licensify files
We can do this by hand, no need for a special script.
2019-10-25 20:40:21 +02:00
Johannes Bauer
912b874f7a Spellcheck and remove unused files
Some minor, cosmetic cleanups.
2019-10-25 20:39:55 +02:00
Johannes Bauer
e0444c493e This version of luksrku is incompatible with v0.02
Database format has changed and messaging as well. Document this.
2019-10-25 18:51:45 +02:00
Johannes Bauer
f2e21ebdde Explain more of the internal workings of luksrku
Openness and transparency build trust, document what we're doing so that
it can be easily reviewed.
2019-10-25 18:49:09 +02:00
Johannes Bauer
5400e3716a Documentation of usage
Added documentation of simple usage and also integration into initramfs.
2019-10-25 18:39:10 +02:00
Johannes Bauer
9dc8164dcc Vaulted key database fully used
Now all keys are encrypted when they're not in use to thwart cold-boot
attacks. Furthermore, all unlocking messages are sent in bulk to avoid
fragmentation and improve performance.
2019-10-25 18:17:43 +02:00
Johannes Bauer
f01ec97d6b TLS-PSK now taken out of secure vault, but LUKS passphrases not
LUKS passphrases still broken, they're copied over into the secure vault
but then not used (i.e., the zeroed-out originals are read).
2019-10-25 18:02:51 +02:00
Johannes Bauer
dce9c1b323 Vaulted keydb should work, but it's not used yet
All the methods are implemented to get the vaulted key database running,
but it's not in use yet.
2019-10-25 17:46:21 +02:00
Johannes Bauer
40a0871e03 Vault creation works
We can now generated a vaulted key database from the key database and
cleanse the original key data.
2019-10-25 17:18:09 +02:00
Johannes Bauer
0bf0759c9c Make vault threadsafe
We might have multiple processes accessing the vault and need to always
keep a proper reference count.
2019-10-25 16:30:46 +02:00
Johannes Bauer
54063ec025 Remove duplicate "now" function
We also have this functionality in util, no need to copy it.
2019-10-25 16:21:37 +02:00
Johannes Bauer
6ac94dbd83 Integrate vault into build process
Right now it's still not used, but integrated into the build process
anyways.
2019-10-25 16:16:13 +02:00
Johannes Bauer
17d1b9a52d Remove redundant files and add more info
Show a more informative message when server's been successfully started
and remove unused files.
2019-10-25 16:13:28 +02:00
Johannes Bauer
1469d83a96 Fix default KDF
Inconsistency in KDF documentation fixed.
2019-10-25 13:33:48 +02:00
Johannes Bauer
78104a8b87 Remove debugging and set default timeout
While timeout was announced in "client" help page, it wasn't effective.
Fixed. Also disable debugging.
2019-10-25 13:24:08 +02:00
Johannes Bauer
ba46e5bb43 Adapt initramfs hooks
Unlocking entity is now the client, not the server anymore. Change
filenames and syntax in initramfs scripts to reflect both.
2019-10-25 13:06:20 +02:00
Johannes Bauer
ab670a431a Refactor command execution to not use tempfile
Previously, we wrote the passphrase contents to a temporary file on
/dev/shm and then wiped it afterwards. This is odd, why don't we use a
pipe for this purpose, like it's intended to be used? Replace all of
that previous code by piped IPC.
2019-10-25 13:02:35 +02:00
Johannes Bauer
3478fa4555 Unlocking LUKS volumes works
First complete technical round-trip complete, can unlock the LUKS
volumes described in the server/client databases successfully.
2019-10-25 12:19:01 +02:00
Johannes Bauer
849e3a5949 Implemented finding of keyserver and unlocking of volumes
We'll now parse the response messages on the client side, abort after a
previously defined timeout and trigger the LUKS unlocking process, if
requested (although the latter isn't fully implemented yet).
2019-10-25 11:08:20 +02:00
Johannes Bauer
05e112065e Implemented proper query response on server side
The server now checks the host database and responds correctly, but the
client still does not know how to get that response.
2019-10-25 10:21:29 +02:00
Johannes Bauer
8c7c0e5870 Receiving broadcast messages and plausibility-checking
Now we're receiving the client broadcasts on the server side and
checking if they match the magic number we're expecting.
2019-10-25 09:33:20 +02:00
Johannes Bauer
2f36b56417 Can now receive UDP broadcasts
Still need to figure out how to receive UDP broadcast, but respond as
unicast. Not entirely sure yet.
2019-10-24 19:03:48 +02:00
Johannes Bauer
60b1b2bf39 Refactoring of server code
Consolidate server state into one struct, similar to our client
solution.
2019-10-24 17:04:49 +02:00
Johannes Bauer
39ced77b98 More disabled code removal
Removed the code that was previously the main application.
2019-10-24 16:57:35 +02:00
Johannes Bauer
25649e0caa Add luksrku version in help page
Before we forget to include it, put it right in there so it's easy to
determine which version it was built from.
2019-10-23 22:32:35 +02:00
Johannes Bauer
4ee2739bac Prettify Makefile
Have the dependent objects in alphabetical order.
2019-10-23 22:31:41 +02:00
Johannes Bauer
2a4f2a8e3b Implemented client broadcasting again
Clients now broadcast their host UUID and magic number via UDP, but the
server does not respond nor would the client trigger anything if the
server did.
2019-10-23 22:29:40 +02:00
Johannes Bauer
36f9988fce Cleanup in server socket code
This is ancient programming style. Bring it up to 2019.
2019-10-23 22:13:36 +02:00
Johannes Bauer
6b5ed8f62c Remove unused code
Old, now unused code removed entirely.
2019-10-23 22:12:00 +02:00
Johannes Bauer
1f56e19361 Consolidated session establishment for client and server
Essentially, they share most of the same code. Consolidate everything
into one function.
2019-10-23 22:06:47 +02:00
Johannes Bauer
0e8e42d0ea Client and server commnunication now works
We can send our little datagrams over and that works nicely. Need to
consolidate the PSK session establishment into one shared function.
2019-10-23 21:54:10 +02:00
Johannes Bauer
983217ffbd Further work on the client code
Trying to get everything in shape, not looking too bad.
2019-10-23 21:13:50 +02:00
Johannes Bauer
425e2dcd66 Add client code back in
Client code basis back in, parsing of command line options as well.
Client does not do anything yet, though.
2019-10-23 20:13:25 +02:00
Johannes Bauer
9ea0a9695c Fix bug with commandline parsing
For each parameter, all previous parameters were overwritten with
default values. Fixed.
2019-10-23 20:01:54 +02:00
Johannes Bauer
2143adc91f Added detached thread handling code
Make it easier to create a detached thread, it's always the same and
error-checking is quite repetitive.
2019-10-23 19:47:26 +02:00
Johannes Bauer
8200c9668d Rewrite README
A lot has changed, let's update the README even though it's not all done
yet.
2019-10-23 16:13:23 +02:00
Johannes Bauer
c89ff552d4 Also print OpenSSL command line to debug the server
In debug mode, print the OpenSSL command line needed to connect to a
luksrku server.
2019-10-23 16:03:58 +02:00
Johannes Bauer
603e63876f Server implementation seems to work
Rudimentary functionality of server (not including responding to
announcements over UDP) is working now.
2019-10-23 15:56:06 +02:00
Johannes Bauer
3e5c7d541c Implement actual lookup of luksrku entry
Now with a proper UUID the PSK is looked up from the key database.
2019-10-23 15:28:38 +02:00
Johannes Bauer
d70bd1f672 TLS-PSK connection is working in TLSv1.3
Apparently, I need to spell out "-ciphersuites
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" in the openssl
s_client command, or it simply will not work.
2019-10-23 14:28:42 +02:00
Johannes Bauer
969eae12c7 Started with server implementation
Running into issues with TLSv1.3-PSK. Connection establishment does not
work at the moment.
2019-10-23 13:18:51 +02:00