shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

store luks token

Browse Source
This commit is contained in:
shimun 2020-04-27 19:26:21 +02:00
parent 1547f5e199
commit 478fb5e036
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
7 changed files with 181 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Cargo.lock generated
View File

@ -377,6 +377,9 @@ dependencies = [
"libcryptsetup-rs", "libcryptsetup-rs",
"ring", "ring",
"rpassword", "rpassword",
"serde",
"serde_derive",
"serde_json",
"structopt", "structopt",
] ]
@ -891,6 +894,17 @@ version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399" checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
[[package]]
name = "serde_derive"
version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
dependencies = [
"proc-macro2 1.0.10",
"quote 1.0.3",
"syn 1.0.17",
]
[[package]] [[package]]
name = "serde_json" name = "serde_json"
version = "1.0.51" version = "1.0.51"

3
Cargo.toml
View File

@ -21,6 +21,9 @@ failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = "0.2.0" libcryptsetup-rs = "0.2.0"
serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
[profile.release] [profile.release]
lto = true lto = true

42
src/cli.rs
View File

@ -120,6 +120,14 @@ impl SecretGeneration {
} }
pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> { pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
self.obtain_secret_and_credential(password_query)
.map(|(secret, _)| secret)
}
pub fn obtain_secret_and_credential(
&self,
password_query: &str,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
let mut salt = [0u8; 32]; let mut salt = [0u8; 32];
match self.password_helper { match self.password_helper {
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => { PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
@ -158,10 +166,9 @@ impl SecretGeneration {
}) })
.collect::<Vec<_>>(); .collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>(); let credentials = credentials.iter().collect::<Vec<_>>();
Ok(assemble_secret( let (secret, credential) =
&perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?, perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?;
&salt, Ok((assemble_secret(&secret, &salt), credential.clone()))
))
} }
} }
@ -220,6 +227,9 @@ pub enum Command {
/// Will wipe all other keys /// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")] #[structopt(short = "e", long = "exclusive")]
exclusive: bool, exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)] #[structopt(flatten)]
existing_secret: OtherSecret, existing_secret: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
@ -235,6 +245,9 @@ pub enum Command {
/// Add the password and keep the key /// Add the password and keep the key
#[structopt(short = "a", long = "add-password")] #[structopt(short = "a", long = "add-password")]
add_password: bool, add_password: bool,
// /// Will add an token to your LUKS 2 header, including the credential id
// #[structopt(short = "t", long = "token")]
// token: bool,
#[structopt(flatten)] #[structopt(flatten)]
replacement: OtherSecret, replacement: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
@ -296,18 +309,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Command::AddKey { Command::AddKey {
device, device,
exclusive, exclusive,
token,
existing_secret, existing_secret,
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
} => { } => {
let secret_gen = secret_gen.patch(&args, None); let secret_gen = secret_gen.patch(&args, None);
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?; let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
let secret = secret_gen.obtain_secret("Password")?; let (secret, credential) = secret_gen.obtain_secret_and_credential("Password")?;
let added_slot = luks::add_key( let added_slot = luks::add_key(
device.clone(), device.clone(),
&secret, &secret,
&old_secret[..], &old_secret[..],
luks_settings.kdf_time.or(Some(10)), luks_settings.kdf_time.or(Some(10)),
Some(&credential.id[..]).filter(|_| *token),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks::remove_keyslots(&device, &[added_slot])?; let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
@ -329,6 +344,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Command::ReplaceKey { Command::ReplaceKey {
device, device,
add_password, add_password,
//token,
replacement, replacement,
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
@ -337,9 +353,21 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let secret = secret_gen.obtain_secret("Password")?; let secret = secret_gen.obtain_secret("Password")?;
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?; let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time) luks::add_key(
device,
&new_secret[..],
&secret,
luks_settings.kdf_time,
None,
)
} else { } else {
luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time) luks::replace_key(
device,
&new_secret[..],
&secret,
luks_settings.kdf_time,
None,
)
}?; }?;
println!( println!(
"Added to password to device {}, slot: {}", "Added to password to device {}, slot: {}",

10
src/device.rs
View File

@ -24,11 +24,11 @@ pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential>
)?) )?)
} }
pub fn perform_challenge( pub fn perform_challenge<'a>(
credentials: &[&FidoCredential], credentials: &'a [&'a FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
timeout: Duration, timeout: Duration,
) -> Fido2LuksResult<[u8; 32]> { ) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
let request = FidoAssertionRequestBuilder::default() let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID) .rp_id(RP_ID)
.credentials(credentials) .credentials(credentials)
@ -37,13 +37,13 @@ pub fn perform_challenge(
let get_assertion = |device: &mut FidoDevice| { let get_assertion = |device: &mut FidoDevice| {
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
}; };
let (_, (secret, _)) = request_multiple_devices( let (credential, (secret, _)) = request_multiple_devices(
get_devices()? get_devices()?
.iter_mut() .iter_mut()
.map(|device| (device, &get_assertion)), .map(|device| (device, &get_assertion)),
Some(timeout), Some(timeout),
)?; )?;
Ok(secret) Ok((secret, credential))
} }
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {

18
src/error.rs
View File

@ -13,11 +13,13 @@ pub enum Fido2LuksError {
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: ctap::FidoError },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = "luks err")] #[fail(display = " {}", cause)]
LuksError { CryptsetupError {
cause: libcryptsetup_rs::LibcryptErr, cause: libcryptsetup_rs::LibcryptErr,
}, },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "{}", cause)]
LuksError { cause: LuksError },
#[fail(display = "{}", cause)]
IoError { cause: io::Error }, IoError { cause: io::Error },
#[fail(display = "supplied secret isn't valid for this device")] #[fail(display = "supplied secret isn't valid for this device")]
WrongSecret, WrongSecret,
@ -46,6 +48,14 @@ pub enum AskPassError {
Mismatch, Mismatch,
} }
#[derive(Debug, Fail)]
pub enum LuksError {
#[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
Luks2Required,
#[fail(display = "Invalid token: {}", _0)]
InvalidToken(String),
}
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::string::FromUtf8Error; use std::string::FromUtf8Error;
use Fido2LuksError::*; use Fido2LuksError::*;
@ -62,7 +72,7 @@ impl From<LibcryptErr> for Fido2LuksError {
LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => { LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
WrongSecret WrongSecret
} }
_ => LuksError { cause: e }, _ => CryptsetupError { cause: e },
} }
} }
} }

114
src/luks.rs
View File

@ -1,15 +1,53 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, KeyslotInfo}; use failure::{Fail, ResultExt};
use libcryptsetup_rs::{
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
let mut device = CryptInit::init(path.as_ref())?; let mut device = CryptInit::init(path.as_ref())?;
let format = device.format_handle().get_type()?; //TODO: determine luks version some way other way than just trying
device.context_handle().load::<()>(format, None).map(|_| ())?; let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
.into_iter()
.fold(None, |res, format| match res {
Some(Ok(())) => res,
Some(e) => Some(e.or_else(|_| load(format))),
None => Some(load(format)),
})
.unwrap()?;
Ok(device) Ok(device)
} }
fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
match device.format_handle().get_type()? {
EncryptionFormat::Luks2 => Ok(()),
other => Err(Fido2LuksError::LuksError {
cause: LuksError::Luks2Required,
}),
}
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct Fido2LuksToken {
#[serde(rename = "type")]
type_: String,
credential: Vec<String>,
keyslots: Vec<String>,
}
impl Fido2LuksToken {
fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self {
type_: "fido2luks".into(),
credential: vec![hex::encode(credential_id)],
keyslots: vec![slot.to_string()],
}
}
}
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> { pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
device device
@ -19,11 +57,18 @@ pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fid
.map_err(|_e| Fido2LuksError::WrongSecret) .map_err(|_e| Fido2LuksError::WrongSecret)
} }
/*pub fn open_container_token<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
let mut device = load_device_handle(path)?;
check_luks2(&mut device)?;
unimplemented!()
}*/
pub fn add_key<P: AsRef<Path>>( pub fn add_key<P: AsRef<Path>>(
path: P, path: P,
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
@ -32,9 +77,53 @@ pub fn add_key<P: AsRef<Path>>(
let slot = device let slot = device
.keyslot_handle(None) .keyslot_handle(None)
.add_by_passphrase(old_secret, secret)?; .add_by_passphrase(old_secret, secret)?;
if let Some(id) = credential_id {
/* if let e @ Err(_) = check_luks2(&mut device) {
//rollback
device.keyslot_handle(Some(slot)).destroy()?;
return e.map(|_| 0u32);
}*/
device.token_handle().json_set(
None,
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
)?;
}
Ok(slot) Ok(slot)
} }
fn find_token(
device: &mut CryptDevice,
slot: u32,
) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
for i in 0..256 {
let (status, type_) = device.token_handle().status(i)?;
if status == CryptTokenInfo::Inactive {
break;
}
if type_ != "fido2luks" {
continue;
}
let json = device.token_handle().json_get(i)?;
let info: Fido2LuksToken =
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
})?;
if info.keyslots.contains(&slot.to_string()) {
return Ok(Some((i, info)));
}
}
Ok((None))
}
fn remove_token(device: &mut CryptDevice, slot: u32) -> Fido2LuksResult<()> {
if let Some((token, _)) = find_token(device, slot)? {
// remove API??
// device.token_handle()
}
Ok(())
}
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> { pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
let mut handle; let mut handle;
@ -42,15 +131,17 @@ pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksRes
//TODO: detect how many keyslots there are instead of trying within a given range //TODO: detect how many keyslots there are instead of trying within a given range
for slot in 0..1024 { for slot in 0..1024 {
handle = device.keyslot_handle(Some(slot)); handle = device.keyslot_handle(Some(slot));
let last = KeyslotInfo::ActiveLast == handle.status()?;
match handle.status()? { match handle.status()? {
KeyslotInfo::Inactive => continue, KeyslotInfo::Inactive => continue,
KeyslotInfo::Active if !exclude.contains(&slot) => { KeyslotInfo::Active if !exclude.contains(&slot) => {
handle.destroy()?; handle.destroy()?;
remove_token(&mut device, slot)?;
destroyed += 1; destroyed += 1;
} }
_ => (), _ => (),
} }
if let KeyslotInfo::ActiveLast = handle.status()? { if last {
break; break;
} }
} }
@ -62,13 +153,24 @@ pub fn replace_key<P: AsRef<Path>>(
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
// Set iteration time not sure wether this applies to luks2 as well // Set iteration time not sure wether this applies to luks2 as well
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis) device.settings_handle().set_iteration_time(millis)
} }
Ok(device let slot = device
.keyslot_handle(None) .keyslot_handle(None)
.change_by_passphrase(None, None, old_secret, secret)? as u32) .change_by_passphrase(None, None, old_secret, secret)? as u32;
if let Some(id) = credential_id {
if check_luks2(&mut device).is_ok() {
let token = find_token(&mut device, slot)?.map(|(t, _)| t);
device.token_handle().json_set(
token,
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
)?;
}
}
Ok(slot)
} }

2
src/main.rs
View File

@ -1,6 +1,8 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap; extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli::*; use crate::cli::*;
use crate::config::*; use crate::config::*;
use crate::device::*; use crate::device::*;