shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Obvious password promt (#29)

Browse Source 
* obvious password promt

* prompt interaction with FIDO device
This commit is contained in:
shimunn 2021-02-08 15:58:41 +01:00 committed by GitHub
parent b0404f2fc1
commit 17ca487b85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.lock generated
View File

@ -377,7 +377,7 @@ dependencies = [
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.15" version = "0.2.16"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",

2
Cargo.toml
View File

@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.15" version = "0.2.16"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"

34
src/cli.rs
View File

@ -71,6 +71,12 @@ pub fn parse_cmdline() -> Args {
Args::from_args() Args::from_args()
} }
pub fn prompt_interaction(interactive: bool) {
if interactive {
println!("Authorize using your FIDO device");
}
}
pub fn run_cli() -> Fido2LuksResult<()> { pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout(); let mut stdout = io::stdout();
let args = parse_cmdline(); let args = parse_cmdline();
@ -109,6 +115,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else { } else {
secret.salt.obtain_sha256(&secret.password_helper) secret.salt.obtain_sha256(&secret.password_helper)
}?; }?;
prompt_interaction(interactive);
let (secret, _cred) = derive_secret( let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(), credentials.ids.0.as_slice(),
&salt, &salt,
@ -164,23 +171,27 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => Ok((util::read_keyfile(file)?, None)), } => Ok((util::read_keyfile(file)?, None)),
OtherSecret { OtherSecret {
fido_device: true, .. fido_device: true, ..
} => Ok(derive_secret( } => {
&credentials.ids.0, prompt_interaction(interactive);
&salt(salt_q, verify)?, Ok(derive_secret(
authenticator.await_time, &credentials.ids.0,
pin.as_deref(), &salt(salt_q, verify)?,
) authenticator.await_time,
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?), pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
}
_ => Ok(( _ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(), util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None, None,
)), )),
} }
}; };
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> { let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
prompt_interaction(interactive);
derive_secret( derive_secret(
&credentials.ids.0, &credentials.ids.0,
&salt("Password", verify)?, &salt(q, verify)?,
authenticator.await_time, authenticator.await_time,
pin.as_deref(), pin.as_deref(),
) )
@ -190,7 +201,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
match &args.command { match &args.command {
Command::AddKey { exclusive, .. } => { Command::AddKey { exclusive, .. } => {
let (existing_secret, _) = other_secret("Current password", false)?; let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?; let (new_secret, cred) = secret("Password to be added", true)?;
let added_slot = luks_dev.add_key( let added_slot = luks_dev.add_key(
&new_secret, &new_secret,
&existing_secret[..], &existing_secret[..],
@ -215,7 +226,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(()) Ok(())
} }
Command::ReplaceKey { add_password, .. } => { Command::ReplaceKey { add_password, .. } => {
let (existing_secret, _) = secret(false)?; let (existing_secret, _) = secret("Current password", false)?;
let (replacement_secret, cred) = other_secret("Replacement password", true)?; let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password { let slot = if *add_password {
luks_dev.add_key( luks_dev.add_key(
@ -274,6 +285,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
// Cow shouldn't be necessary // Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| { let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
prompt_interaction(interactive);
derive_secret( derive_secret(
credentials.as_ref(), credentials.as_ref(),
&salt("Password", false)?, &salt("Password", false)?,