shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

generate shell completions during build
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details

Browse Source
This commit is contained in:
shimun 2020-09-04 22:41:50 +02:00
parent 03ef5721e0
commit c2e38eb06f
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
10 changed files with 413 additions and 347 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -2,3 +2,7 @@
**/*.rs.bk **/*.rs.bk
.idea/ .idea/
*.iml *.iml
fido2luks.bash
fido2luks.elv
fido2luks.fish
fido2luks.zsh

2
Cargo.lock generated
View File

@ -377,7 +377,7 @@ dependencies = [
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.13" version = "0.2.14"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",

12
Cargo.toml
View File

@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.13" version = "0.2.14"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@ -25,6 +25,15 @@ serde_json = "1.0.51"
serde_derive = "1.0.106" serde_derive = "1.0.106"
serde = "1.0.106" serde = "1.0.106"
[build-dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"
rpassword = "4.0.1"
libcryptsetup-rs = "0.4.1"
structopt = "0.3.2"
[profile.release] [profile.release]
lto = true lto = true
opt-level = 'z' opt-level = 'z'
@ -38,6 +47,7 @@ build-depends = "libclang-dev, libcryptsetup-dev"
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator" extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
assets = [ assets = [
["target/release/fido2luks", "usr/bin/", "755"], ["target/release/fido2luks", "usr/bin/", "755"],
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ], ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ], ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"], ["initramfs-tools/fido2luks.conf", "etc/", "644"],

3
PKGBUILD
View File

@ -17,10 +17,9 @@ pkgver() {
build() { build() {
cargo build --release --locked --all-features --target-dir=target cargo build --release --locked --all-features --target-dir=target
./target/release/fido2luks completions bash target
} }
package() { package() {
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin" install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
install -Dm 644 target/fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks" install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
} }

24
build.rs Normal file
View File

@ -0,0 +1,24 @@
#![allow(warnings)]
#[macro_use]
extern crate failure;
extern crate ctap_hmac as ctap;
#[path = "src/cli_args/mod.rs"]
mod cli_args;
#[path = "src/error.rs"]
mod error;
#[path = "src/util.rs"]
mod util;
use cli_args::Args;
use std::env;
use std::str::FromStr;
use structopt::clap::Shell;
use structopt::StructOpt;
fn main() {
// generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
}
}

323
src/cli.rs
View File

@ -1,150 +1,34 @@
use crate::error::*; use crate::error::*;
use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256;
use crate::*; use crate::*;
use cli_args::*;
use structopt::clap::{AppSettings, Shell}; use structopt::clap::Shell;
use structopt::StructOpt; use structopt::StructOpt;
use ctap::{FidoCredential, FidoErrorKind}; use ctap::{FidoCredential, FidoErrorKind};
use failure::_core::fmt::{Display, Error, Formatter};
use failure::_core::str::FromStr;
use failure::_core::time::Duration;
use std::io::{Read, Write};
use std::process::exit;
use std::thread;
use crate::luks::{Fido2LuksToken, LuksDevice}; use std::io::{Read, Write};
use crate::util::sha256; use std::str::FromStr;
use std::thread;
use std::time::Duration;
use std::borrow::Cow; use std::borrow::Cow;
use std::collections::HashSet; use std::collections::HashSet;
use std::fs::File; use std::fs::File;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] pub use cli_args::Args;
pub struct HexEncoded(pub Vec<u8>);
impl Display for HexEncoded { fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> { if let Some(src) = ap.pin_source.as_ref() {
f.write_str(&hex::encode(&self.0))
}
}
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded {
type Err = hex::FromHexError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(HexEncoded(hex::decode(s)?))
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
impl<T: Display + FromStr> Display for CommaSeparated<T> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
for i in &self.0 {
f.write_str(&i.to_string())?;
f.write_str(",")?;
}
Ok(())
}
}
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
type Err = <T as FromStr>::Err;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(CommaSeparated(
s.split(',')
.map(|part| <T as FromStr>::from_str(part))
.collect::<Result<Vec<_>, _>>()?,
))
}
}
#[derive(Debug, StructOpt)]
pub struct Credentials {
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>,
}
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Location to read PIN from
#[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
pub pin_source: Option<PathBuf>,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
impl AuthenticatorParameters {
fn read_pin(&self) -> Fido2LuksResult<String> {
if let Some(src) = self.pin_source.as_ref() {
let mut pin = String::new(); let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?; File::open(src)?.read_to_string(&mut pin)?;
Ok(pin) Ok(pin)
} else { } else {
util::read_password("Authenticator PIN", false) util::read_password("Authenticator PIN", false)
} }
}
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: Option<u32>,
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksModParameters {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")]
kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask'
///
/// Options:{n}
/// - ask : Prompt user using password helper{n}
/// - file:<PATH> : Will read <FILE>{n}
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
#[structopt(
name = "salt",
long = "salt",
env = "FIDO2LUKS_SALT",
default_value = "ask"
)]
pub salt: InputSalt,
/// Script used to obtain passwords, overridden by --interactive flag
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)]
pub password_helper: PasswordHelper,
} }
fn derive_secret( fn derive_secret(
@ -183,175 +67,6 @@ fn derive_secret(
Ok((sha256(&[salt, &unsalted[..]]), cred.clone())) Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
} }
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
}
#[derive(Debug, StructOpt, Clone)]
pub struct OtherSecret {
/// Use a keyfile instead of a password
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
fido_device: bool,
}
#[derive(Debug, StructOpt)]
pub enum Command {
#[structopt(name = "print-secret")]
PrintSecret {
/// Prints the secret as binary instead of hex encoded
#[structopt(short = "b", long = "bin")]
binary: bool,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
},
/// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")]
AddKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Replace a previously added key with a password
#[structopt(name = "replace-key")]
ReplaceKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Open the LUKS device
#[structopt(name = "open")]
Open {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>,
},
/// Check if an authenticator is connected
#[structopt(name = "connected")]
Connected,
Token(TokenCommand),
/// Generate bash completion scripts
#[structopt(name = "completions", setting = AppSettings::Hidden)]
GenerateCompletions {
/// Shell to generate completions for: bash, fish
#[structopt(possible_values = &["bash", "fish"])]
shell: String,
out_dir: PathBuf,
},
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
}
pub fn parse_cmdline() -> Args { pub fn parse_cmdline() -> Args {
Args::from_args() Args::from_args()
} }
@ -367,7 +82,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin {
pin_string = authenticator.read_pin()?; pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref()) Some(pin_string.as_ref())
} else { } else {
None None
@ -384,7 +99,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin {
pin_string = authenticator.read_pin()?; pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref()) Some(pin_string.as_ref())
} else { } else {
None None
@ -392,7 +107,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let salt = if interactive || secret.password_helper == PasswordHelper::Stdin { let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed("Password", false) util::read_password_hashed("Password", false)
} else { } else {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain_sha256(&secret.password_helper)
}?; }?;
let (secret, _cred) = derive_secret( let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(), credentials.ids.0.as_slice(),
@ -428,7 +143,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.. ..
} => { } => {
let pin = if authenticator.pin { let pin = if authenticator.pin {
Some(authenticator.read_pin()?) Some(read_pin(authenticator)?)
} else { } else {
None None
}; };
@ -436,7 +151,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
if interactive || secret.password_helper == PasswordHelper::Stdin { if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify) util::read_password_hashed(q, verify)
} else { } else {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain_sha256(&secret.password_helper)
} }
}; };
let other_secret = |salt_q: &str, let other_secret = |salt_q: &str,
@ -544,7 +259,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin {
pin_string = authenticator.read_pin()?; pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref()) Some(pin_string.as_ref())
} else { } else {
None None
@ -553,7 +268,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
if interactive || secret.password_helper == PasswordHelper::Stdin { if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify) util::read_password_hashed(q, verify)
} else { } else {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain_sha256(&secret.password_helper)
} }
}; };

76
src/config.rs → src/cli_args/config.rs
View File

@ -10,33 +10,33 @@ use std::process::Command;
use std::str::FromStr; use std::str::FromStr;
#[derive(Debug, Clone, PartialEq)] #[derive(Debug, Clone, PartialEq)]
pub enum InputSalt { pub enum SecretInput {
AskPassword, AskPassword,
String(String), String(String),
File { path: PathBuf }, File { path: PathBuf },
} }
impl Default for InputSalt { impl Default for SecretInput {
fn default() -> Self { fn default() -> Self {
InputSalt::AskPassword SecretInput::AskPassword
} }
} }
impl From<&str> for InputSalt { impl From<&str> for SecretInput {
fn from(s: &str) -> Self { fn from(s: &str) -> Self {
let mut parts = s.split(':'); let mut parts = s.split(':');
match parts.next() { match parts.next() {
Some("ask") | Some("Ask") => InputSalt::AskPassword, Some("ask") | Some("Ask") => SecretInput::AskPassword,
Some("file") => InputSalt::File { Some("file") => SecretInput::File {
path: parts.collect::<Vec<_>>().join(":").into(), path: parts.collect::<Vec<_>>().join(":").into(),
}, },
Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")), Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
_ => Self::default(), _ => Self::default(),
} }
} }
} }
impl FromStr for InputSalt { impl FromStr for SecretInput {
type Err = Fido2LuksError; type Err = Fido2LuksError;
fn from_str(s: &str) -> Result<Self, Self::Err> { fn from_str(s: &str) -> Result<Self, Self::Err> {
@ -44,21 +44,42 @@ impl FromStr for InputSalt {
} }
} }
impl fmt::Display for InputSalt { impl fmt::Display for SecretInput {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
f.write_str(&match self { f.write_str(&match self {
InputSalt::AskPassword => "ask".to_string(), SecretInput::AskPassword => "ask".to_string(),
InputSalt::String(s) => ["string", s].join(":"), SecretInput::String(s) => ["string", s].join(":"),
InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"), SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
}) })
} }
} }
impl InputSalt { impl SecretInput {
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> { pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
Ok(String::from_utf8(self.obtain(password_helper)?)?)
}
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
let mut secret = Vec::new();
match self {
SecretInput::File { path } => {
//TODO: replace with try_blocks
let mut do_io = || File::open(path)?.read_to_end(&mut secret);
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
SecretInput::AskPassword => {
secret.extend_from_slice(password_helper.obtain()?.as_bytes())
}
SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
}
Ok(secret)
}
pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
let mut digest = digest::Context::new(&digest::SHA256); let mut digest = digest::Context::new(&digest::SHA256);
match self { match self {
InputSalt::File { path } => { SecretInput::File { path } => {
let mut do_io = || { let mut do_io = || {
let mut reader = File::open(path)?; let mut reader = File::open(path)?;
let mut buf = [0u8; 512]; let mut buf = [0u8; 512];
@ -73,10 +94,7 @@ impl InputSalt {
}; };
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?; do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
} }
InputSalt::AskPassword => { _ => digest.update(self.obtain(password_helper)?.as_slice()),
digest.update(password_helper.obtain()?.as_bytes());
}
InputSalt::String(s) => digest.update(s.as_bytes()),
} }
let mut salt = [0u8; 32]; let mut salt = [0u8; 32];
salt.as_mut().copy_from_slice(digest.finish().as_ref()); salt.as_mut().copy_from_slice(digest.finish().as_ref());
@ -157,23 +175,29 @@ mod test {
#[test] #[test]
fn input_salt_from_str() { fn input_salt_from_str() {
assert_eq!( assert_eq!(
"file:/tmp/abc".parse::<InputSalt>().unwrap(), "file:/tmp/abc".parse::<SecretInput>().unwrap(),
InputSalt::File { SecretInput::File {
path: "/tmp/abc".into() path: "/tmp/abc".into()
} }
); );
assert_eq!( assert_eq!(
"string:abc".parse::<InputSalt>().unwrap(), "string:abc".parse::<SecretInput>().unwrap(),
InputSalt::String("abc".into()) SecretInput::String("abc".into())
);
assert_eq!(
"ask".parse::<SecretInput>().unwrap(),
SecretInput::AskPassword
);
assert_eq!(
"lol".parse::<SecretInput>().unwrap(),
SecretInput::default()
); );
assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
} }
#[test] #[test]
fn input_salt_obtain() { fn input_salt_obtain() {
assert_eq!( assert_eq!(
InputSalt::String("abc".into()) SecretInput::String("abc".into())
.obtain(&PasswordHelper::Stdin) .obtain(&PasswordHelper::Stdin)
.unwrap(), .unwrap(),
[ [

293
src/cli_args/mod.rs Normal file
View File

@ -0,0 +1,293 @@
use std::fmt::{Display, Error, Formatter};
use std::path::PathBuf;
use std::str::FromStr;
use structopt::clap::AppSettings;
use structopt::StructOpt;
mod config;
pub use config::*;
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>);
impl Display for HexEncoded {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
f.write_str(&hex::encode(&self.0))
}
}
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded {
type Err = hex::FromHexError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(HexEncoded(hex::decode(s)?))
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
impl<T: Display + FromStr> Display for CommaSeparated<T> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
for i in &self.0 {
f.write_str(&i.to_string())?;
f.write_str(",")?;
}
Ok(())
}
}
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
type Err = <T as FromStr>::Err;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(CommaSeparated(
s.split(',')
.map(|part| <T as FromStr>::from_str(part))
.collect::<Result<Vec<_>, _>>()?,
))
}
}
#[derive(Debug, StructOpt)]
pub struct Credentials {
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>,
}
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Location to read PIN from
#[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
pub pin_source: Option<PathBuf>,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
pub device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
pub slot: Option<u32>,
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksModParameters {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")]
pub kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask'
///
/// Options:{n}
/// - ask : Prompt user using password helper{n}
/// - file:<PATH> : Will read <FILE>{n}
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
#[structopt(
name = "salt",
long = "salt",
env = "FIDO2LUKS_SALT",
default_value = "ask"
)]
pub salt: SecretInput,
/// Script used to obtain passwords, overridden by --interactive flag
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)]
pub password_helper: PasswordHelper,
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
}
#[derive(Debug, StructOpt, Clone)]
pub struct OtherSecret {
/// Use a keyfile instead of a password
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
pub keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
pub fido_device: bool,
}
#[derive(Debug, StructOpt)]
pub enum Command {
#[structopt(name = "print-secret")]
PrintSecret {
/// Prints the secret as binary instead of hex encoded
#[structopt(short = "b", long = "bin")]
binary: bool,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
},
/// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")]
AddKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Replace a previously added key with a password
#[structopt(name = "replace-key")]
ReplaceKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Open the LUKS device
#[structopt(name = "open")]
Open {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>,
},
/// Check if an authenticator is connected
#[structopt(name = "connected")]
Connected,
Token(TokenCommand),
/// Generate bash completion scripts
#[structopt(name = "completions", setting = AppSettings::Hidden)]
GenerateCompletions {
/// Shell to generate completions for: bash, fish
#[structopt(possible_values = &["bash", "fish"])]
shell: String,
out_dir: PathBuf,
},
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
}

9
src/error.rs
View File

@ -1,5 +1,9 @@
use ctap::FidoError; use ctap::FidoError;
use libcryptsetup_rs::LibcryptErr;
use std::io; use std::io;
use std::io::ErrorKind;
use std::string::FromUtf8Error;
use Fido2LuksError::*;
pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>; pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
@ -81,11 +85,6 @@ impl From<LuksError> for Fido2LuksError {
} }
} }
use libcryptsetup_rs::LibcryptErr;
use std::io::ErrorKind;
use std::string::FromUtf8Error;
use Fido2LuksError::*;
impl From<FidoError> for Fido2LuksError { impl From<FidoError> for Fido2LuksError {
fn from(e: FidoError) -> Self { fn from(e: FidoError) -> Self {
AuthenticatorError { cause: e } AuthenticatorError { cause: e }

4
src/main.rs
View File

@ -4,15 +4,13 @@ extern crate ctap_hmac as ctap;
#[macro_use] #[macro_use]
extern crate serde_derive; extern crate serde_derive;
use crate::cli::*; use crate::cli::*;
use crate::config::*;
use crate::device::*; use crate::device::*;
use crate::error::*; use crate::error::*;
use std::io; use std::io;
use std::path::PathBuf;
use std::process::exit; use std::process::exit;
mod cli; mod cli;
mod config; pub mod cli_args;
mod device; mod device;
mod error; mod error;
mod luks; mod luks;