handle tokens when replacing

shimun 2020-06-08 19:22:19 +02:00
parent 09be5ef551
commit a8482c50a2
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
2 changed files with 19 additions and 16 deletions


@ -232,9 +232,9 @@ pub enum Command {
/// Add the password and keep the key /// Add the password and keep the key
#[structopt(short = "a", long = "add-password")] #[structopt(short = "a", long = "add-password")]
add_password: bool, add_password: bool,
// /// Will add an token to your LUKS 2 header, including the credential id /// Will add an token to your LUKS 2 header, including the credential id
// #[structopt(short = "t", long = "token")] #[structopt(short = "t", long = "token")]
// token: bool, token: bool,
#[structopt(flatten)] #[structopt(flatten)]
replacement: OtherSecret, replacement: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
@ -346,6 +346,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret, secret,
luks_mod, luks_mod,
existing_secret: other_secret, existing_secret: other_secret,
token,
.. ..
} }
| Command::ReplaceKey { | Command::ReplaceKey {
@ -355,6 +356,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret, secret,
luks_mod, luks_mod,
replacement: other_secret, replacement: other_secret,
token,
.. ..
} => { } => {
let pin = if authenticator.pin { let pin = if authenticator.pin {
@ -369,12 +371,12 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain(&secret.password_helper)
} }
}; };
let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<Vec<u8>> { let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
match other_secret { match other_secret {
OtherSecret { OtherSecret {
keyfile: Some(file), keyfile: Some(file),
.. ..
} => util::read_keyfile(file), } => Ok((util::read_keyfile(file)?, None)),
OtherSecret { OtherSecret {
fido_device: true, .. fido_device: true, ..
} => Ok(derive_secret( } => Ok(derive_secret(
@ -383,9 +385,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
authenticator.await_time, authenticator.await_time,
pin.as_deref(), pin.as_deref(),
) )
.map(|(secret, _cred)| secret)?[..] .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
.to_vec()), _ => Ok((util::read_password(salt_q, verify)?.as_bytes().to_vec(), None)),
_ => Ok(util::read_password(salt_q, verify)?.as_bytes().to_vec()),
} }
}; };
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> { let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
@ -399,9 +400,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
// Non overlap // Non overlap
match &args.command { match &args.command {
Command::AddKey { Command::AddKey {
exclusive, token, .. exclusive, ..
} => { } => {
let existing_secret = other_secret("Current password", false)?; let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?; let (new_secret, cred) = secret(true)?;
let added_slot = luks::add_key( let added_slot = luks::add_key(
&luks.device, &luks.device,
@ -428,15 +429,15 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(()) Ok(())
} }
Command::ReplaceKey { add_password, .. } => { Command::ReplaceKey { add_password, .. } => {
let (existing_secret, _cred) = secret(false)?; let (existing_secret, _) = secret(false)?;
let replacement_secret = other_secret("Replacement password", true)?; let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key( luks::add_key(
&luks.device, &luks.device,
&replacement_secret[..], &replacement_secret[..],
&existing_secret, &existing_secret,
luks_mod.kdf_time, luks_mod.kdf_time,
None, cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
) )
} else { } else {
luks::replace_key( luks::replace_key(
@ -444,7 +445,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
&replacement_secret[..], &replacement_secret[..],
&existing_secret, &existing_secret,
luks_mod.kdf_time, luks_mod.kdf_time,
None, cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
) )
}?; }?;
println!( println!(
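Review bot: The token argument `cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..])` is written out twice, once per branch of the `add_password` if; computing it once before the branch, `let token_cred = cred.as_ref().filter(|_| *token).map(|c| &c.id[..]);`, and passing `token_cred` to both `luks::add_key` and `luks::replace_key` keeps the two calls from drifting apart. A token is now written for ReplaceKey only when the replacement comes from a FIDO device (other_secret returns `None` for the keyfile and password cases), which the `--token` doc comment could say, e.g. `/// Add a token with the credential id to the LUKS2 header (only when the new key comes from a FIDO device)`. It is not visible here whether `luks::replace_key` also removes or rewrites a token that still references the replaced slot's old credential; if it does not, the header keeps a token naming a credential that can no longer open the slot, which is worth checking. The match arm and run_cli continue outside the hunk.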


@ -189,7 +189,7 @@ pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksRes
KeyslotInfo::Inactive => continue, KeyslotInfo::Inactive => continue,
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => { KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
if let Ok(_) = check_luks2(&mut device) { if let Ok(_) = check_luks2(&mut device) {
if let Some((token, _)) = dbg!(find_token(&mut device, slot))? { if let Some((token, _)) = find_token(&mut device, slot)? {
tokens.push(token); tokens.push(token);
} }
} }
@ -203,7 +203,9 @@ pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksRes
break; break;
} }
} }
for token in tokens.iter() { // Ensure indices stay valid
tokens.sort();
for token in tokens.iter().rev() {
device device
.token_handle() .token_handle()
.json_set(TokenInput::RemoveToken(*token))?; .json_set(TokenInput::RemoveToken(*token))?;
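Review bot: `tokens` may hold the same id more than once, since one token is looked up per removed keyslot and a LUKS2 token can be bound to several keyslots; after the sort the second `RemoveToken` for a duplicate id would presumably fail and `?` would abort the cleanup with the remaining tokens still in the header. Deduplicating after sorting, `tokens.sort_unstable(); tokens.dedup();`, avoids that, and `sort_unstable` is enough for plain ids. LUKS2 tokens are addressed by an explicit id in the header JSON rather than by position, so removing one should not renumber the others; if that holds the reverse iteration is harmless but `// Ensure indices stay valid` overstates the reason, and `// Remove in descending id order, once per id` would describe what the loop actually relies on. `if let Ok(_) = check_luks2(&mut device)` also swallows every error, not only "not a LUKS2 device", so a failure for another reason would silently leave a token behind for a slot that is about to be removed. remove_keyslots starts and ends outside the hunk.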