shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

dectect enabled PIN
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details

Browse Source
This commit is contained in:
shimun 2020-10-18 20:28:50 +02:00
parent 8e2948fbb9
commit 06f97592c1
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
5 changed files with 26 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Cargo.lock generated
View File

@ -286,9 +286,9 @@ dependencies = [
[[package]] [[package]]
name = "ctap_hmac" name = "ctap_hmac"
version = "0.4.3" version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "33ccc28f298181e943187fa63805e652bc4806ad43708beebd22c230fbe0baa3" checksum = "c83f25a6970eb60fd32754c99ffb0b89ff464d70bf8dea147805497c7fb7eb5e"
dependencies = [ dependencies = [
"byteorder", "byteorder",
"cbor-codec", "cbor-codec",

4
Cargo.toml
View File

@ -14,7 +14,7 @@ categories = ["command-line-utilities"]
license = "MPL-2.0" license = "MPL-2.0"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] } ctap_hmac = { version="0.4.4", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
@ -26,7 +26,7 @@ serde_derive = "1.0.116"
serde = "1.0.116" serde = "1.0.116"
[build-dependencies] [build-dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] } ctap_hmac = { version="0.4.4", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"

13
src/cli.rs
View File

@ -94,7 +94,7 @@ pub fn get_input(
let salt = &secret.salt; let salt = &secret.salt;
Ok(if interactive { Ok(if interactive {
( (
if authenticator.pin { if authenticator.pin && may_require_pin()? {
Some(read_pin()?) Some(read_pin()?)
} else { } else {
None None
@ -102,7 +102,10 @@ pub fn get_input(
salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?, salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?,
) )
} else { } else {
match (authenticator.pin, authenticator.pin_prefixed) { match (
authenticator.pin && may_require_pin()?,
authenticator.pin_prefixed,
) {
(true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?), (true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?),
(true, true) => read_password_pin_prefixed(|| { (true, true) => read_password_pin_prefixed(|| {
salt.obtain(password_helper).and_then(|secret| { salt.obtain(password_helper).and_then(|secret| {
@ -157,7 +160,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let args = parse_cmdline(); let args = parse_cmdline();
let log = |message: &dyn Fn() -> String| { let log = |message: &dyn Fn() -> String| {
if args.verbose { if args.verbose {
eprintln!("{}", message()); eprintln!("{}", &*message());
} }
}; };
match &args.command { match &args.command {
@ -166,7 +169,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
name, name,
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin && may_require_pin()? {
pin_string = read_pin()?; pin_string = read_pin()?;
Some(pin_string.as_ref()) Some(pin_string.as_ref())
} else { } else {
@ -319,7 +322,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let (new_secret, cred) = if *auto_credential && luks2 { let (new_secret, cred) = if *auto_credential && luks2 {
let cred = make_credential_id( let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()), Some(derive_credential_name(luks.device.as_path()).as_str()),
(if authenticator.pin { (if authenticator.pin && may_require_pin()? {
//TODO: not ideal since it ignores pin-prefixed //TODO: not ideal since it ignores pin-prefixed
Some(read_pin()?) Some(read_pin()?)
} else { } else {

2
src/cli_args/mod.rs
View File

@ -76,7 +76,7 @@ pub struct Credentials {
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters { pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator /// Request a PIN to unlock the authenticator if required
#[structopt(short = "P", long = "pin")] #[structopt(short = "P", long = "pin")]
pub pin: bool, pub pin: bool,

15
src/device.rs
View File

@ -19,7 +19,7 @@ pub fn make_credential_id(
} }
let request = request.build().unwrap(); let request = request.build().unwrap();
let make_credential = |device: &mut FidoDevice| { let make_credential = |device: &mut FidoDevice| {
if let Some(pin) = pin { if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?; device.unlock(pin)?;
} }
device.make_hmac_credential(&request) device.make_hmac_credential(&request)
@ -44,7 +44,7 @@ pub fn perform_challenge<'a>(
.build() .build()
.unwrap(); .unwrap();
let get_assertion = |device: &mut FidoDevice| { let get_assertion = |device: &mut FidoDevice| {
if let Some(pin) = pin { if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?; device.unlock(pin)?;
} }
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
@ -58,6 +58,17 @@ pub fn perform_challenge<'a>(
Ok((secret, credential)) Ok((secret, credential))
} }
pub fn may_require_pin() -> Fido2LuksResult<bool> {
for di in ctap::get_devices()? {
if let Ok(dev) = FidoDevice::new(&di) {
if dev.needs_pin() {
return Ok(true);
}
}
}
Ok(false)
}
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
let mut devices = Vec::with_capacity(2); let mut devices = Vec::with_capacity(2);
for di in ctap::get_devices()? { for di in ctap::get_devices()? {