shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

WIP: 0.2.2
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
Warning: This release cointains changes to way credentials are generated,
which may cause your authenticator to reject the old credential.
This commit is contained in:
shimun
2020-01-09 00:02:30 +01:00
parent e7049a281a
commit 721dded6d2
5 changed files with 54 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/cli.rs
View File

@@ -70,10 +70,6 @@ pub fn add_password_to_luks(
Ok(slot)
}
pub fn authenticator_connected() -> Fido2LuksResult<bool> {
Ok(!device::get_devices()?.is_empty())
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper

44
src/device.rs
View File

@@ -1,11 +1,39 @@
use crate::error::*;
use crate::util::sha256;
use ctap::{
self,
extensions::hmac::{FidoHmacCredential, HmacExtension},
FidoDevice, FidoError, FidoErrorKind,
AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
PublicKeyCredentialUserEntity,
};
const RP_ID: &'static str = "fido2luks";
fn authenticator_options() -> Option<AuthenticatorOptions> {
Some(AuthenticatorOptions {
uv: false, //TODO: should get this from config
rk: true,
})
}
fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
PublicKeyCredentialRpEntity {
id: RP_ID,
name: None,
icon: None,
}
}
fn authenticator_user() -> PublicKeyCredentialUserEntity<'static> {
PublicKeyCredentialUserEntity {
id: &[0u8],
name: "",
icon: None,
display_name: None,
}
}
pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
let mut errs = Vec::new();
match get_devices()? {
@@ -13,7 +41,13 @@ pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
devs => {
for mut dev in devs.into_iter() {
match dev
.make_credential("fido2luks", &[0u8], "", &[0u8; 32])
.make_hmac_credential_full(
authenticator_rp(),
authenticator_user(),
&[0u8; 32],
&[],
authenticator_options(),
)
.map(|cred| cred.into())
{
//TODO: make credentials device specific
@@ -33,16 +67,16 @@ pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
let cred = FidoHmacCredential {
id: hex::decode(credential_id).unwrap(),
rp_id: "hmac".to_string(),
rp_id: RP_ID.to_string(),
};
let mut errs = Vec::new();
match get_devices()? {
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
devs => {
for mut dev in devs.into_iter() {
match dev.hmac_challange(&cred, &salt[..]) {
match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
Ok(secret) => {
return Ok(secret);
return Ok(secret.0);
}
Err(e) => {
errs.push(e);

10
src/main.rs
View File

@@ -7,9 +7,8 @@ use crate::device::*;
use crate::error::*;
use cryptsetup_rs as luks;
use cryptsetup_rs::Luks1CryptDevice;
use ring::digest;
use std::io::{self};
use std::io;
use std::path::PathBuf;
use std::process::exit;
@@ -26,12 +25,7 @@ fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksR
}
fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256);
digest.update(salt);
digest.update(hmac_result);
let mut secret = [0u8; 32];
secret.as_mut().copy_from_slice(digest.finish().as_ref());
secret
util::sha256(&[salt, hmac_result])
}
fn main() -> Fido2LuksResult<()> {

11
src/util.rs
View File

@@ -1,8 +1,19 @@
use crate::error::*;
use ring::digest;
use std::fs::File;
use std::io::Read;
use std::path::PathBuf;
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256);
for m in messages.iter() {
digest.update(m);
}
let mut secret = [0u8; 32];
secret.as_mut().copy_from_slice(digest.finish().as_ref());
secret
}
pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
ref pass