shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

enable fido requests to be sent to multiple devices at once

Browse Source
This commit is contained in:
shimun 2020-04-06 21:00:11 +02:00
commit 49e2835f60
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
5 changed files with 653 additions and 438 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

801
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

6
Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "fido2luks"
version = "0.2.5"
version = "0.2.6"
authors = ["shimunn <shimun@shimun.net>"]
edition = "2018"
@ -14,9 +14,7 @@ categories = ["command-line-utilities"]
license-file = "LICENSE"
[dependencies]
ctap_hmac = "0.2.2"
ctap_hmac = { version="0.4.1", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"

171
src/cli.rs
View File

@ -4,11 +4,11 @@ use crate::*;
use structopt::StructOpt;
use failure::_core::fmt::{Error, Formatter};
use ctap::{FidoCredential, FidoErrorKind};
use failure::_core::fmt::{Display, Error, Formatter};
use failure::_core::str::FromStr;
use failure::_core::time::Duration;
use std::io::Write;
use std::process::exit;
use std::thread;
@ -16,9 +16,9 @@ use crate::util::read_password;
use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(Vec<u8>);
pub struct HexEncoded(pub Vec<u8>);
impl std::fmt::Display for HexEncoded {
impl Display for HexEncoded {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
f.write_str(&hex::encode(&self.0))
}
@ -32,6 +32,30 @@ impl FromStr for HexEncoded {
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
impl<T: Display + FromStr> Display for CommaSeparated<T> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
for i in &self.0 {
f.write_str(&i.to_string())?;
f.write_str(",")?;
}
Ok(())
}
}
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
type Err = <T as FromStr>::Err;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(CommaSeparated(
s.split(',')
.map(|part| <T as FromStr>::from_str(part))
.collect::<Result<Vec<_>, _>>()?,
))
}
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
@ -43,9 +67,9 @@ pub struct Args {
#[derive(Debug, StructOpt, Clone)]
pub struct SecretGeneration {
/// FIDO credential id, generate using fido2luks credential
/// FIDO credential ids, seperated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub credential_id: HexEncoded,
pub credential_ids: CommaSeparated<HexEncoded>,
/// Salt for secret generation, defaults to 'ask'
///
/// Options:{n}
@ -99,9 +123,11 @@ impl SecretGeneration {
let mut salt = [0u8; 32];
match self.password_helper {
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
salt.copy_from_slice(
read_password(password_query, self.verify_password.unwrap_or(true))?.as_bytes(),
);
salt.copy_from_slice(&util::sha256(&[&read_password(
password_query,
self.verify_password.unwrap_or(true),
)?
.as_bytes()[..]]));
}
_ => {
salt = self.salt.obtain(&self.password_helper)?;
@ -122,13 +148,60 @@ impl SecretGeneration {
}
thread::sleep(Duration::from_millis(500));
}
let credentials = &self
.credential_ids
.0
.iter()
.map(|HexEncoded(id)| FidoCredential {
id: id.to_vec(),
public_key: None,
})
.collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>();
Ok(assemble_secret(
&perform_challenge(&self.credential_id.0, &salt)?,
&perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?,
&salt,
))
}
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksSettings {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")]
kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt, Clone)]
pub struct OtherSecret {
/// Use a keyfile instead of a password
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
fido_device: bool,
}
impl OtherSecret {
pub fn obtain(
&self,
secret_gen: &SecretGeneration,
verify_password: bool,
password_question: &str,
) -> Fido2LuksResult<Vec<u8>> {
match &self.keyfile {
Some(keyfile) => util::read_keyfile(keyfile.clone()),
None if self.fido_device => {
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
}
None => util::read_password(password_question, verify_password)
.map(|p| p.as_bytes().to_vec()),
}
}
}
#[derive(Debug, StructOpt)]
pub enum Command {
#[structopt(name = "print-secret")]
@ -147,11 +220,12 @@ pub enum Command {
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Use a keyfile instead of typing a previous password
#[structopt(short = "d", long = "keyfile")]
keyfile: Option<PathBuf>,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
secret_gen: SecretGeneration,
#[structopt(flatten)]
luks_settings: LuksSettings,
},
/// Replace a previously added key with a password
#[structopt(name = "replace-key")]
@ -161,11 +235,12 @@ pub enum Command {
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Use a keyfile instead of typing a previous password
#[structopt(short = "d", long = "keyfile")]
keyfile: Option<PathBuf>,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
secret_gen: SecretGeneration,
#[structopt(flatten)]
luks_settings: LuksSettings,
},
/// Open the LUKS device
#[structopt(name = "open")]
@ -221,16 +296,19 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Command::AddKey {
device,
exclusive,
keyfile,
existing_secret,
ref secret_gen,
luks_settings,
} => {
let old_secret = if let Some(keyfile) = keyfile.clone() {
util::read_keyfile(keyfile.clone())
} else {
util::read_password("Old password", false).map(|p| p.as_bytes().to_vec())
}?;
let secret = secret_gen.patch(&args, None).obtain_secret("Password")?;
let added_slot = luks::add_key(device.clone(), &secret, &old_secret[..], Some(10))?;
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
let secret_gen = secret_gen.patch(&args, None);
let secret = secret_gen.obtain_secret("Password")?;
let added_slot = luks::add_key(
device.clone(),
&secret,
&old_secret[..],
luks_settings.kdf_time.or(Some(10)),
)?;
if *exclusive {
let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
println!(
@ -251,21 +329,17 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Command::ReplaceKey {
device,
add_password,
keyfile,
replacement,
ref secret_gen,
luks_settings,
} => {
let new_secret = if let Some(keyfile) = keyfile.clone() {
util::read_keyfile(keyfile.clone())
} else {
util::read_password("Password to add", *add_password).map(|p| p.as_bytes().to_vec())
}?;
let secret = secret_gen
.patch(&args, Some(false))
.obtain_secret("Password")?;
let secret_gen = secret_gen.patch(&args, Some(false));
let secret = secret_gen.obtain_secret("Password")?;
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
let slot = if *add_password {
luks::add_key(device, &new_secret[..], &secret, None)
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
} else {
luks::replace_key(device, &new_secret[..], &secret, Some(5))
luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
}?;
println!(
"Added to password to device {}, slot: {}",
@ -282,18 +356,25 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => {
let mut retries = *retries;
loop {
let secret = secret_gen
match secret_gen
.patch(&args, Some(false))
.obtain_secret("Password")?;
match luks::open_container(&device, &name, &secret) {
Err(e) => match e {
Fido2LuksError::WrongSecret if retries > 0 => {
retries -= 1;
eprintln!("{}", e);
continue;
.obtain_secret("Password")
.and_then(|secret| luks::open_container(&device, &name, &secret))
{
Err(e) => {
match e {
Fido2LuksError::WrongSecret if retries > 0 => (),
Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 =>
{
()
}
e => break Err(e)?,
}
e => Err(e)?,
},
retries -= 1;
eprintln!("{}", e);
}
res => break res,
}
}

112
src/device.rs
View File

@ -1,91 +1,49 @@
use crate::error::*;
use crate::util::sha256;
use crate::util;
use ctap::{
self,
extensions::hmac::{FidoHmacCredential, HmacExtension},
AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
PublicKeyCredentialUserEntity,
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
};
use std::time::Duration;
const RP_ID: &'static str = "fido2luks";
fn authenticator_options() -> Option<AuthenticatorOptions> {
Some(AuthenticatorOptions {
uv: false, //TODO: should get this from config
rk: true,
})
}
fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
PublicKeyCredentialRpEntity {
id: RP_ID,
name: None,
icon: None,
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
if let Some(user_name) = name {
request = request.user_name(user_name);
}
let request = request.build().unwrap();
let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request);
Ok(request_multiple_devices(
get_devices()?
.iter_mut()
.map(|device| (device, &make_credential)),
None,
)?)
}
fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
PublicKeyCredentialUserEntity {
id: &[0u8],
name: name.unwrap_or(""),
icon: None,
display_name: name,
}
}
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
let mut errs = Vec::new();
match get_devices()? {
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
devs => {
for mut dev in devs.into_iter() {
match dev
.make_hmac_credential_full(
authenticator_rp(),
authenticator_user(name),
&[0u8; 32],
&[],
authenticator_options(),
)
.map(|cred| cred.into())
{
//TODO: make credentials device specific
Ok(cred) => {
return Ok(cred);
}
Err(e) => {
errs.push(e);
}
}
}
}
}
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
}
pub fn perform_challenge(credential_id: &[u8], salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
let cred = FidoHmacCredential {
id: credential_id.to_vec(),
rp_id: RP_ID.to_string(),
pub fn perform_challenge(
credentials: &[&FidoCredential],
salt: &[u8; 32],
timeout: Duration,
) -> Fido2LuksResult<[u8; 32]> {
let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID)
.credentials(credentials)
.build()
.unwrap();
let get_assertion = |device: &mut FidoDevice| {
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
};
let mut errs = Vec::new();
match get_devices()? {
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
devs => {
for mut dev in devs.into_iter() {
match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
Ok(secret) => {
return Ok(secret.0);
}
Err(e) => {
errs.push(e);
}
}
}
}
}
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
let (_, (secret, _)) = request_multiple_devices(
get_devices()?
.iter_mut()
.map(|device| (device, &get_assertion)),
Some(timeout),
)?;
Ok(secret)
}
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {

1
src/luks.rs
View File

@ -34,7 +34,6 @@ pub fn add_key<P: AsRef<Path>>(
iteration_time: Option<u64>,
) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
// Set iteration time not sure wether this applies to luks2 as well
if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis)
}