shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

refractor

Browse Source
This commit is contained in:
shimunn
2019-09-17 14:27:42 +02:00
parent f7b7617e0e
commit 4679e939cf
7 changed files with 359 additions and 202 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
src/cli.rs Normal file
View File

@@ -0,0 +1,92 @@
use crate::error::*;
use crate::*;
use cryptsetup_rs as luks;
use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
use cryptsetup_rs::Luks1CryptDevice;
use ctap;
use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
use ctap::FidoDevice;
use std::fs::File;
use std::io::{self, Read, Seek, Write};
use std::path::Path;
pub fn setup() -> Fido2LuksResult<()> {
let mut config = Config::default();
let save_config = |c: &Config| {
File::create("fido2luks.json")
.expect("Failed to save config")
.write_all(serde_json::to_string_pretty(c).unwrap().as_bytes())
.expect("Failed to save config");
};
fn ask_bool(q: &str) -> bool {
ask_str(&format!("{} (y/n)", q)).expect("Failed to read from stdin") == "y"
}
println!("1. Generating a credential");
let mut ccred: Option<FidoHmacCredential> = None;
for di in ctap::get_devices().expect("Failed to query USB for 2fa devices") {
let mut dev = FidoDevice::new(&di).expect("Failed to open 2fa device");
match dev.make_hmac_credential() {
Ok(cred) => {
ccred = Some(cred);
break;
}
Err(_e) => println!("Failed to to obtain credential trying next device(if applicable)"),
}
}
config.credential_id = hex::encode(ccred.expect("No credential could be obtained").id);
save_config(&config);
loop {
let device = ask_str("Path to your luks device: ").expect("Failed to read from stdin");;
if Path::new(&device).exists()
|| ask_bool(&format!("{} does not exist, save anyway?", device))
{
config.device = device.into();
break;
}
}
save_config(&config);
config.mapper_name = ask_str("Name for decrypted disk: ").expect("Failed to read from stdin");;
save_config(&config);
println!("Config saved to: fido2luks.json");
Ok(())
}
pub fn add_key_to_luks(conf: &Config) -> Fido2LuksResult<u8> {
fn offer_format(
_dev: CryptDeviceOpenBuilder,
) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
unimplemented!()
}
let dev = || -> luks::device::Result<CryptDeviceOpenBuilder> {
luks::open(&conf.device.canonicalize()?)
};
let mut handle = match dev()?.luks1() {
Ok(handle) => handle,
Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?,
Err(luks::device::Error::CryptsetupError(errno)) => {
//if i32::from(errno) == 555
dbg!(errno);
offer_format(dev()?)?
} //TODO: find correct errorno and offer to format as luks
err => err?,
};
let secret = {
let salt = conf.input_salt.obtain(&conf.password_helper)?;
assemble_secret(&perform_challenge(&conf.credential_id, &salt)?, &salt)
};
dbg!("Adding key");
let slot = handle.add_keyslot(&secret, None, None)?;
Ok(slot)
}

133
src/config.rs Normal file
View File

@@ -0,0 +1,133 @@
use crate::error::*;
use crate::*;
use crypto::digest::Digest;
use crypto::sha2::Sha256;
use serde_derive::{Deserialize, Serialize};
use std::collections::HashMap;
use std::env;
use std::fs::File;
use std::io::Read;
use std::path::PathBuf;
use std::process::Command;
#[derive(Debug, Deserialize, Serialize)]
pub struct Config {
pub credential_id: String,
pub input_salt: InputSalt,
pub device: PathBuf,
pub mapper_name: String,
pub password_helper: PasswordHelper,
}
impl Config {
pub fn load_default_location() -> Fido2LuksResult<Config> {
Self::load_config(
&mut File::open(
env::vars()
.collect::<HashMap<_, _>>()
.get("FIDO2LUKS_CONFIG")
.unwrap_or(&"/etc/fido2luks.json".to_owned()),
)
.or(File::open("fido2luks.json"))?,
)
}
pub fn load_config(reader: &mut dyn Read) -> Fido2LuksResult<Config> {
let mut conf_str = String::new();
reader.read_to_string(&mut conf_str)?;
Ok(serde_json::from_str(&conf_str)?)
}
}
impl Default for Config {
fn default() -> Self {
Config {
credential_id: "<required>".into(),
input_salt: Default::default(),
device: "/dev/some-vg/<volume>".into(),
mapper_name: "2fa-secured-luks".into(),
password_helper: PasswordHelper::default(),
}
}
}
#[derive(Debug, Deserialize, Serialize)]
pub enum InputSalt {
AskPassword,
File { path: PathBuf },
Both { path: PathBuf },
}
impl Default for InputSalt {
fn default() -> Self {
InputSalt::AskPassword
}
}
impl InputSalt {
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
let mut digest = Sha256::new();
match self {
InputSalt::File { path } => {
let mut do_io = || {
let mut reader = File::open(path)?;
let mut buf = [0u8; 512];
loop {
let red = reader.read(&mut buf)?;
digest.input(&buf[0..red]);
if red == 0 {
break;
}
}
Ok(())
};
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
InputSalt::AskPassword => {
digest.input(password_helper.obtain()?.as_bytes());
}
InputSalt::Both { path } => {
digest.input(&InputSalt::AskPassword.obtain(password_helper)?);
digest.input(&InputSalt::File { path: path.clone() }.obtain(password_helper)?)
}
}
let mut salt = [0u8; 32];
digest.result(&mut salt);
Ok(salt)
}
}
#[derive(Debug, Deserialize, Serialize)]
pub enum PasswordHelper {
Script(String),
Systemd,
Stdin,
}
impl Default for PasswordHelper {
fn default() -> Self {
PasswordHelper::Script("plymouth ask-for-password".into())
}
}
impl PasswordHelper {
pub fn obtain(&self) -> Fido2LuksResult<String> {
use PasswordHelper::*;
match self {
Systemd => unimplemented!(),
Stdin => Ok(ask_str("Password: ")?),
Script(password_helper) => {
let mut helper_parts = password_helper.split(" ");
let password = Command::new((&mut helper_parts).next().unwrap())
.args(helper_parts)
.output()
.map_err(|e| Fido2LuksError::AskPassError { cause: e })?
.stdout;
Ok(String::from_utf8(password)?)
}
}
}
}

9
src/error.rs
View File

@@ -21,8 +21,11 @@ pub enum Fido2LuksError {
ConfigurationError { cause: serde_json::error::Error },
#[fail(display = "the submitted secret is not applicable to this luks device")]
WrongSecret,
#[fail(display = "not an utf8 string")]
StringEncodingError { cause: FromUtf8Error },
}
use std::string::FromUtf8Error;
use Fido2LuksError::*;
impl From<FidoError> for Fido2LuksError {
@@ -48,3 +51,9 @@ impl From<serde_json::error::Error> for Fido2LuksError {
ConfigurationError { cause: e }
}
}
impl From<FromUtf8Error> for Fido2LuksError {
fn from(e: FromUtf8Error) -> Self {
StringEncodingError { cause: e }
}
}

17
src/keystore.rs Normal file
View File

@@ -0,0 +1,17 @@
use keyutils::Keyring;
fn get_passphrase() -> Vec<u8> {
Keyring::request("user")
.unwrap()
.request_key("fido2luks")
.unwrap()
.read()
.unwrap()
}
fn add_secret(secret: &[u8]) {
Keyring::request("session")
.unwrap()
.add_key("cryptsetup", secret)
.unwrap();
}

257
src/main.rs
View File

@@ -2,120 +2,29 @@
extern crate failure;
#[macro_use]
extern crate serde_derive;
use crate::cli::*;
use crate::config::*;
use crate::error::*;
use crypto::digest::Digest;
use crypto::sha2::Sha256;
use cryptsetup_rs as luks;
use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
use cryptsetup_rs::Luks1CryptDevice;
use ctap;
use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
use ctap::FidoDevice;
use luks::device::Error::CryptsetupError;
use serde_derive::{Deserialize, Serialize};
use std::collections::HashMap;
use std::env;
use std::fs::File;
use std::io::{Read, Write};
use std::path::{Path, PathBuf};
use std::process::Command;
use std::io::{self, Read, Seek, Write};
use std::path::PathBuf;
mod cli;
mod config;
mod error;
#[derive(Debug, Deserialize, Serialize)]
pub struct Config {
pub credential_id: String,
pub input_salt: InputSalt,
pub device: PathBuf,
pub mapper_name: String,
pub password_helper: String,
}
impl Config {
pub fn load_default_location() -> Fido2LuksResult<Config> {
Self::load_config(
&mut File::open(
env::vars()
.collect::<HashMap<_, _>>()
.get("FIDO2LUKS_CONFIG")
.unwrap_or(&"/etc/fido2luks.json".to_owned()),
)
.or(File::open("fido2luks.json"))?,
)
}
pub fn load_config(reader: &mut dyn Read) -> Fido2LuksResult<Config> {
let mut conf_str = String::new();
reader.read_to_string(&mut conf_str)?;
Ok(serde_json::from_str(&conf_str)?)
}
}
impl Default for Config {
fn default() -> Self {
Config {
credential_id: "generate using solo key make-credential".into(),
input_salt: Default::default(),
device: "/dev/some-vg/my-volume".into(),
mapper_name: "2fa-secured-luks".into(),
password_helper: "/usr/bin/systemd-ask-password --no-tty --no-output --id='fido2luks' --keyname='fido2luks' 'Please enter second factor for LUKS disk encryption!'".into(),
}
}
}
#[derive(Debug, Deserialize, Serialize)]
pub enum InputSalt {
AskPassword,
File { path: PathBuf },
Both { path: PathBuf },
}
impl Default for InputSalt {
fn default() -> Self {
InputSalt::AskPassword
}
}
impl InputSalt {
fn obtain(&self, password_helper: &str) -> Fido2LuksResult<[u8; 32]> {
let mut digest = Sha256::new();
match self {
InputSalt::File { path } => {
let mut do_io = || {
let mut reader = File::open(path)?;
let mut buf = [0u8; 512];
loop {
let red = reader.read(&mut buf)?;
digest.input(&buf[0..red]);
if red == 0 {
break;
}
}
Ok(())
};
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
InputSalt::AskPassword => {
let mut helper_parts = password_helper.split(" ");
let password = Command::new((&mut helper_parts).next().unwrap())
.args(helper_parts)
.output()
.map_err(|e| Fido2LuksError::AskPassError { cause: e })?
.stdout;
digest.input(&password);
}
InputSalt::Both { path } => {
digest.input(&InputSalt::AskPassword.obtain(password_helper)?);
digest.input(&InputSalt::File { path: path.clone() }.obtain(password_helper)?)
}
}
let mut salt = [0u8; 32];
digest.result(&mut salt);
Ok(salt)
}
}
mod keystore;
fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
@@ -151,107 +60,16 @@ fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
digest.result(&mut secret);
secret
}
fn setup() -> Fido2LuksResult<()> {
let mut config = Config::default();
let save_config = |c: &Config| {
File::create("fido2luks.json")
.expect("Failed to save config")
.write_all(serde_json::to_string_pretty(c).unwrap().as_bytes())
.expect("Failed to save config");
};
fn ask_str(q: &str) -> String {
let stdin = std::io::stdin();
let mut s = String::new();
print!("{}", q);
std::io::stdout()
.flush()
.ok()
.expect("Could not flush stdout");
stdin.read_line(&mut s).expect("Failed to read rom stdin");
s.trim().to_owned()
}
fn ask_bool(q: &str) -> bool {
ask_str(&format!("{} (y/n)", q)) == "y"
}
println!("1. Generating a credential");
let mut ccred: Option<FidoHmacCredential> = None;
for di in ctap::get_devices().expect("Failed to query USB for 2fa devices") {
let mut dev = FidoDevice::new(&di).expect("Failed to open 2fa device");
match dev.make_hmac_credential() {
Ok(cred) => {
ccred = Some(cred);
break;
}
Err(_e) => println!("Failed to to obtain credential trying next device(if applicable)"),
}
}
config.credential_id = hex::encode(ccred.expect("No credential could be obtained").id);
save_config(&config);
loop {
let device = ask_str("Path to your luks device: ");
if Path::new(&device).exists()
|| ask_bool(&format!("{} does not exist, save anyway?", device))
{
config.device = device.into();
break;
}
}
save_config(&config);
config.mapper_name = ask_str("Name for decrypted disk: ");
save_config(&config);
println!("Config saved to: fido2luks.json");
Ok(())
fn ask_str(q: &str) -> Fido2LuksResult<String> {
let stdin = io::stdin();
let mut s = String::new();
print!("{}", q);
io::stdout().flush()?;
stdin.read_line(&mut s)?;
Ok(s.trim().to_owned())
}
fn add_key_to_luks(conf: &Config) -> Fido2LuksResult<u8> {
fn offer_format(
_dev: CryptDeviceOpenBuilder,
) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
unimplemented!()
}
let dev = || -> luks::device::Result<CryptDeviceOpenBuilder> {
luks::open(&conf.device.canonicalize()?)
};
let mut handle = match dev()?.luks1() {
Ok(handle) => handle,
Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?,
Err(luks::device::Error::CryptsetupError(errno)) => {
//if i32::from(errno) == 555
dbg!(errno);
offer_format(dev()?)?
} //TODO: find correct errorno and offer to format as luks
err => err?,
};
let secret = {
let salt = conf.input_salt.obtain(&conf.password_helper)?;
assemble_secret(&perform_challenge(&conf.credential_id, &salt)?, &salt)
};
dbg!("Adding key");
let slot = handle.add_keyslot(&secret, None, None)?;
Ok(slot)
}
fn open() -> Fido2LuksResult<()> {
let conf = Config::load_default_location()?;
let salt = conf.input_salt.obtain(&conf.password_helper)?;
dbg!(hex::encode(&salt));
let secret = {
let salt = conf.input_salt.obtain(&conf.password_helper)?;
assemble_secret(&perform_challenge(&conf.credential_id, &salt)?, &salt)
};
fn open(conf: &Config, secret: &[u8; 32]) -> Fido2LuksResult<()> {
dbg!(hex::encode(&secret));
match open_container(&conf.device, &conf.mapper_name, &secret) {
Err(Fido2LuksError::LuksError {
@@ -262,10 +80,45 @@ fn open() -> Fido2LuksResult<()> {
Ok(())
}
/*fn package_self() -> Fido2LuksResult<()> {
let conf = Config::load_default_location()?;
let binary_path: PathBuf = env::args().next().unwrap().into();
let mut me = File::open(binary_path)?;
me.seek(io::SeekFrom::End(("config".as_bytes().len() * -1) as i64 - 4))?;
let conf_len = me.read_u32()?;
let mut buf = vec![0u8; 512];
me.read(&mut buf[0..6])?;
if String::from_utf8((&buf[0..6]).iter().collect()).map(|s| &s == "config").unwrap_or(false) {
}
Ok(())
}*/
fn main() -> Fido2LuksResult<()> {
let args: Vec<_> = env::args().skip(1).collect(); //Ignore program name -> Vec
let env = env::vars().collect::<HashMap<_, _>>();
if args.is_empty() {
open()
let conf = Config::load_default_location()?;
let salt = conf.input_salt.obtain(&conf.password_helper)?;
dbg!(hex::encode(&salt));
let secret = {
let salt = conf.input_salt.obtain(&conf.password_helper)?;
assemble_secret(&perform_challenge(&conf.credential_id, &salt)?, &salt)
};
if env.contains_key("CRYPTTAB_NAME") {
//Indicates that this script is being run as keyscript
open(&conf, &secret)
} else {
io::stdout().write(&secret)?;
Ok(io::stdout().flush()?)
}
} else {
match args.first().map(|s| s.as_ref()).unwrap() {
"addkey" => add_key_to_luks(&Config::load_default_location()?).map(|_| ()),
@@ -273,7 +126,7 @@ fn main() -> Fido2LuksResult<()> {
_ => {
eprintln!("Usage: setup | addkey");
Ok(())
}
} //"selfcontain" => package_self()
}
}
}