diff --git a/.drone.yml b/.drone.yml index 7e3a505..469fb73 100644 --- a/.drone.yml +++ b/.drone.yml @@ -8,22 +8,20 @@ steps: - rustup component add rustfmt - cargo fmt --all -- --check - name: test - image: ubuntu:focal + image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece environment: DEBIAN_FRONTEND: noninteractive commands: - - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev - cargo test --locked - name: publish - image: ubuntu:focal + image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece environment: DEBIAN_FRONTEND: noninteractive CARGO_REGISTRY_TOKEN: from_secret: cargo_tkn commands: - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1) - - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev - - cargo package --all-features - - cargo publish --all-features + - cargo package --all-features --allow-dirty + - cargo publish --all-features --allow-dirty when: event: tag diff --git a/.gitignore b/.gitignore index 057a1eb..52533a2 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,6 @@ fido2luks.bash fido2luks.elv fido2luks.fish -fido2luks.zsh \ No newline at end of file +fido2luks.zsh +result +result-* diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..e19c064 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,11 @@ +## 0.3.0 + +* LUKS2 Tokens are now supported by every subcommand +* `` has been converted into the flag `--creds` +credentials provided by `--creds` will be supplemented from the LUKS header unless this is disabled by `--disable-token` +* `fido2luks add-key` will take an `--auto-cred` flag which allows for credentials to be generated and stored without having to use `fido2luks credential` +`fido2luks replace-key` will allow for credentials to be removed using the `--remove-cred` flag respectively +* Removed `fido2luks open-token` subcommand + `fido2luks open` now fulfills both functions +* Added `fido2luks open --dry-run` flag, to perform the whole procedure apart from mounting the LUKS volume +* Added an `--verbose` flag to display additional information like credentials and keyslots used if desired \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock index f3f2431..6c986e4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -58,9 +58,9 @@ checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" [[package]] name = "backtrace" -version = "0.3.52" +version = "0.3.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f813291114c186a042350e787af10c26534601062603d888be110f59f85ef8fa" +checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293" dependencies = [ "addr2line", "cfg-if", @@ -86,7 +86,7 @@ dependencies = [ "lazycell", "log", "peeking_take_while", - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", "regex", "rustc-hash", @@ -102,9 +102,9 @@ checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" [[package]] name = "bstr" -version = "0.2.13" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31accafdb70df7871592c058eca3985b71104e15ac32f64706022c58867da931" +checksum = "a40b47ad93e1a5404e6c18dec46b628214fee441c70f4ab5d6942142cc268a3d" dependencies = [ "lazy_static", "memchr", @@ -130,9 +130,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.61" +version = "1.0.59" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed67cbde08356238e75fc4656be4749481eeffb09e19f320a25237d5221c985d" +checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381" [[package]] name = "cexpr" @@ -258,9 +258,9 @@ dependencies = [ [[package]] name = "csv" -version = "1.1.3" +version = "1.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00affe7f6ab566df61b4be3ce8cf16bc2576bca0963ceb0955e45d514bf9a279" +checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1" dependencies = [ "bstr", "csv-core", @@ -280,9 +280,9 @@ dependencies = [ [[package]] name = "ctap_hmac" -version = "0.4.3" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33ccc28f298181e943187fa63805e652bc4806ad43708beebd22c230fbe0baa3" +checksum = "e9c22d4c95aeeb4e2d41e823912d5460cfa1ebf672363eb97b32fa7c91cab89a" dependencies = [ "byteorder", "cbor-codec", @@ -319,10 +319,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b" dependencies = [ "fnv", "ident_case", - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", "strsim 0.9.3", - "syn 1.0.44", + "syn 1.0.73", ] [[package]] @@ -333,7 +333,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72" dependencies = [ "darling_core", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", ] [[package]] @@ -344,9 +344,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0" dependencies = [ "darling", "derive_builder_core", - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", ] [[package]] @@ -356,16 +356,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef" dependencies = [ "darling", - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", ] [[package]] name = "either" -version = "1.6.1" +version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457" +checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f" [[package]] name = "env_logger" @@ -396,9 +396,9 @@ version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4" dependencies = [ - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", "synstructure", ] @@ -459,9 +459,9 @@ dependencies = [ [[package]] name = "hermit-abi" -version = "0.1.17" +version = "0.1.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5aca5565f760fb5b220e499d72710ed156fdb74e631659e99377d9ebfbd13ae8" +checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9" dependencies = [ "libc", ] @@ -507,9 +507,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.79" +version = "0.2.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2448f6066e80e3bfc792e9c98bf705b4b0fc6e8ef5b43e5889aff0eaa9c58743" +checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3" [[package]] name = "libcryptsetup-rs" @@ -571,21 +571,20 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400" [[package]] name = "memoffset" -version = "0.5.6" +version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "043175f069eda7b85febe4a74abbaeff828d9f8b448515d3151a14a3542811aa" +checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f" dependencies = [ "autocfg 1.0.1", ] [[package]] name = "miniz_oxide" -version = "0.4.3" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f2d26ec3309788e423cfbf68ad1800f061638098d76a83681af979dc4eda19d" +checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722" dependencies = [ "adler", - "autocfg 1.0.1", ] [[package]] @@ -643,9 +642,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c" dependencies = [ "proc-macro-error-attr", - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", "version_check", ] @@ -655,7 +654,7 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869" dependencies = [ - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", "version_check", ] @@ -671,9 +670,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.24" +version = "1.0.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e0704ee1a7e00d7bb417d0770ea303c1bccbabf0ef1667dae92b5967f5f8a71" +checksum = "f0d8caf72986c1a598726adc988bb5984792ef84f5ee5aa50209145ee8077038" dependencies = [ "unicode-xid 0.2.1", ] @@ -699,7 +698,7 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37" dependencies = [ - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", ] [[package]] @@ -854,12 +853,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.1.9" +version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae1ded71d66a4a97f5e961fd0cb25a5f366a42a41570d16a763a69c092c26ae4" -dependencies = [ - "byteorder", -] +checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132" [[package]] name = "regex-syntax" @@ -904,9 +900,9 @@ dependencies = [ [[package]] name = "rustc-demangle" -version = "0.1.17" +version = "0.1.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2610b7f643d18c87dff3b489950269617e6601a51f1f05aa5daefee36f64f0b" +checksum = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783" [[package]] name = "rustc-hash" @@ -949,26 +945,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3" [[package]] name = "serde" -version = "1.0.116" +version = "1.0.126" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96fe57af81d28386a513cbc6858332abc6117cfdb5999647c6444b8f43a370a5" +checksum = "ec7505abeacaec74ae4778d9d9328fe5a5d04253220a85c4ee022239fc996d03" [[package]] name = "serde_derive" -version = "1.0.116" +version = "1.0.126" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f630a6370fd8e457873b4bd2ffdae75408bc291ba72be773772a4c2a065d9ae8" +checksum = "963a7dbc9895aeac7ac90e74f34a5d5261828f79df35cbed41e10189d3804d43" dependencies = [ - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", ] [[package]] name = "serde_json" -version = "1.0.58" +version = "1.0.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a230ea9107ca2220eea9d46de97eddcb04cd00e92d13dda78e478dd33fa82bd4" +checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c" dependencies = [ "itoa", "ryu", @@ -995,9 +991,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c" [[package]] name = "structopt" -version = "0.3.19" +version = "0.3.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7a7159e7d0dbcab6f9c980d7971ef50f3ff5753081461eeda120d5974a4ee95" +checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5" dependencies = [ "clap", "lazy_static", @@ -1006,15 +1002,15 @@ dependencies = [ [[package]] name = "structopt-derive" -version = "0.4.12" +version = "0.4.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8fc47de4dfba76248d1e9169ccff240eea2a4dc1e34e309b95b2393109b4b383" +checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f" dependencies = [ "heck", "proc-macro-error", - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", ] [[package]] @@ -1030,11 +1026,11 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.44" +version = "1.0.73" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e03e57e4fcbfe7749842d53e24ccb9aa12b7252dbe5e91d2acad31834c8b8fdd" +checksum = "f71489ff30030d2ae598524f61326b902466f72a0fb1a8564c001cc63425bcc7" dependencies = [ - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", "unicode-xid 0.2.1", ] @@ -1045,9 +1041,9 @@ version = "0.12.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701" dependencies = [ - "proc-macro2 1.0.24", + "proc-macro2 1.0.27", "quote 1.0.7", - "syn 1.0.44", + "syn 1.0.73", "unicode-xid 0.2.1", ] diff --git a/Cargo.toml b/Cargo.toml index f9b83e8..f768f4a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "fido2luks" -version = "0.3.0" +version = "0.3.0-alpha" authors = ["shimunn "] edition = "2018" @@ -14,19 +14,19 @@ categories = ["command-line-utilities"] license = "MPL-2.0" [dependencies] -ctap_hmac = { version="0.4.2", features = ["request_multiple"] } +ctap_hmac = { version="0.4.5", features = ["request_multiple"] } hex = "0.3.2" ring = "0.13.5" failure = "0.1.5" rpassword = "4.0.1" structopt = "0.3.2" -libcryptsetup-rs = "0.4.1" +libcryptsetup-rs = "0.4.2" serde_json = "1.0.51" -serde_derive = "1.0.106" -serde = "1.0.106" +serde_derive = "1.0.116" +serde = "1.0.116" [build-dependencies] -ctap_hmac = { version="0.4.2", features = ["request_multiple"] } +ctap_hmac = { version="0.4.5", features = ["request_multiple"] } hex = "0.3.2" ring = "0.13.5" failure = "0.1.5" diff --git a/PKGBUILD b/PKGBUILD index 6828676..d4155b9 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,25 +1,37 @@ # Maintainer: shimunn -pkgname=fido2luks -pkgver=0.2.12 + +pkgname=fido2luks-git +pkgver=0.2.16.7e6b33a pkgrel=1 -makedepends=('rust' 'cargo' 'cryptsetup' 'clang') +makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git') depends=('cryptsetup') arch=('i686' 'x86_64' 'armv6h' 'armv7h') pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator" url="https://github.com/shimunn/fido2luks" license=('MPL-2.0') +source=('git+https://github.com/shimunn/fido2luks') +sha512sums=('SKIP') pkgver() { - # Use tag version if possible otherwise concat project version and git ref - git describe --exact-match --tags HEAD 2> /dev/null || \ - echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)" + cd fido2luks + + # Use tag version if possible otherwise concat project version and git ref + git describe --exact-match --tags HEAD 2>/dev/null || + echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)" } build() { + cd fido2luks cargo build --release --locked --all-features --target-dir=target } package() { - install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin" - install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks" + cd fido2luks + + install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin" + install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin" + install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks" + install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install" + install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks" + install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d" } diff --git a/README.md b/README.md index 2691701..23d2c01 100644 --- a/README.md +++ b/README.md @@ -1,130 +1,7 @@ # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks) -This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key. - -Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T - -## Setup - -### Prerequisites - -``` -dnf install clang cargo cryptsetup-devel -y -``` - -### Device - -``` -git clone https://github.com/shimunn/fido2luks.git && cd fido2luks - -# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/ -sudo -E cargo install -f --path . --root /usr - -# Copy template -cp dracut/96luks-2fa/fido2luks.conf /etc/ -# Name is optional but useful if your authenticator has a display -echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf - -# Load config into env -set -a -. /etc/fido2luks.conf - -# Repeat for each luks volume -# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header, -# enabling you to use `fido2luks open-token` without passing a credential as parameter -sudo -E fido2luks -i add-key /dev/disk/by-uuid/ - -# Test(only works if the luks container isn't active) -sudo -E fido2luks -i open /dev/disk/by-uuid/ luks- - -``` - -### Dracut - -``` -cd dracut - -sudo make install -``` - -### Grub - -Add `rd.luks.2fa=:` to `GRUB_CMDLINE_LINUX` in /etc/default/grub - -Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key` - -``` -grub2-mkconfig > /boot/grub2/grub.cfg -``` - -I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system - -``` -mkdir /boot/fido2luks/ -cp /usr/bin/fido2luks /boot/fido2luks/ -cp /etc/fido2luks.conf /boot/fido2luks/ -``` - -## Testing - -Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header: - -``` -# Recommend in case you lose your authenticator, store this backupfile somewhere safe -cryptsetup luksHeaderBackup /dev/disk/by-uuid/ --header-backup-file luks_backup_ -# There is no turning back if you mess this up, make sure you made a backup -# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header, -# which will enable you to use `fido2luks open-token` without passing a credential as parameter -fido2luks -i add-key --exclusive /dev/disk/by-uuid/ -``` - -## Addtional settings - -### Password less - -Remove your previous secret as described in the next section, in case you've already added one. - -Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:` -but be warned that this password will be included to into your initramfs. - -Import the new config into env: - -``` -set -a -. /etc/fido2luks.conf -``` - -Then add the new secret to each device and update dracut afterwards `dracut -f` - -### Multiple keys - -Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated. -``` -FIDO2LUKS_CREDENTIAL_ID=,, -``` - -## Removal - -Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub - -``` -set -a -. fido2luks.conf -sudo -E fido2luks -i replace-key /dev/disk/by-uuid/ - -sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf -``` - -## License - -Licensed under - - * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/) - -### Contribution - -Unless you explicitly state otherwise, any contribution intentionally -submitted for inclusion in the work by you, as defined in the MPL 2.0 -license, shall be licensed as above, without any additional terms or -conditions. +## 0.3.0-alpha +This is just the program itself, all intitrid scripts are still taylored to the latest 0.2.x version and will most likely not work with 0.3.0 due to breaking changes in the CLI interface. +I've decided it release the version in this state since I just do not have the time now or in the forseeable future to tewak all scripts since it's quite an tedious tasks which involves rebooting VMs countless times. +If you're interested to adapt or write scripts for an particular distro I'd be more than happy to accept pull requests. diff --git a/build.rs b/build.rs index c520b10..c6bd9c0 100644 --- a/build.rs +++ b/build.rs @@ -19,6 +19,10 @@ use structopt::StructOpt; fn main() { // generate completion scripts, zsh does panic for some reason for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") { - Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), "."); + Args::clap().gen_completions( + env!("CARGO_PKG_NAME"), + Shell::from_str(shell).unwrap(), + env!("CARGO_MANIFEST_DIR"), + ); } } diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..29d2eda --- /dev/null +++ b/flake.lock @@ -0,0 +1,62 @@ +{ + "nodes": { + "naersk": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1639051343, + "narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=", + "owner": "nmattia", + "repo": "naersk", + "rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74", + "type": "github" + }, + "original": { + "owner": "nmattia", + "repo": "naersk", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1638109994, + "narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a284564b7f75ac4db73607db02076e8da9d42c9d", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "naersk": "naersk", + "nixpkgs": "nixpkgs", + "utils": "utils" + } + }, + "utils": { + "locked": { + "lastModified": 1638122382, + "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..c9f1d05 --- /dev/null +++ b/flake.nix @@ -0,0 +1,63 @@ +{ + description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"; + + inputs = { + utils.url = "github:numtide/flake-utils"; + naersk = { + url = "github:nmattia/naersk"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = { self, nixpkgs, utils, naersk }: + let + root = ./.; + pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name; + forPkgs = pkgs: + let + naersk-lib = naersk.lib."${pkgs.system}"; + buildInputs = with pkgs; [ cryptsetup ]; + LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib"; + nativeBuildInputs = with pkgs; [ + pkgconfig + clang + ]; + in + rec { + # `nix build` + packages.${pname} = naersk-lib.buildPackage { + inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH; + }; + defaultPackage = packages.${pname}; + + # `nix run` + apps.${pname} = utils.lib.mkApp { + drv = packages.${pname}; + }; + defaultApp = apps.${pname}; + + # `nix flake check` + checks = { + fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } '' + cd ${root} + cargo fmt -- --check + nixpkgs-fmt --check *.nix + touch $out + ''; + }; + + hydraJobs = checks // packages; + + # `nix develop` + devShell = pkgs.mkShell { + nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs; + inherit buildInputs LIBCLANG_PATH; + }; + }; + forSystem = system: forPkgs nixpkgs.legacyPackages."${system}"; + in + (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // { + overlay = final: prev: (forPkgs final).packages; + }; + +} diff --git a/initcpio/Makefile b/initcpio/Makefile new file mode 100644 index 0000000..b752589 --- /dev/null +++ b/initcpio/Makefile @@ -0,0 +1,18 @@ +.PHONY: install remove + +install: + install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks + install -Dm644 install/fido2luks -t /usr/lib/initcpio/install +ifdef preset + mkinitcpio -p $(preset) +else + mkinitcpio -P +endif + +remove: + rm /usr/lib/initcpio/{hooks,install}/fido2luks +ifdef preset + mkinitcpio -p $(preset) +else + mkinitcpio -P +endif diff --git a/initcpio/README.md b/initcpio/README.md new file mode 100644 index 0000000..f29ddab --- /dev/null +++ b/initcpio/README.md @@ -0,0 +1,52 @@ +## fido2luks hook for mkinitcpio (ArchLinux and derivatives) + +> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage + +### Setup + +1. Connect your FIDO2 authenticator +2. Generate credential id + +```shell +fido2luks credential +``` + +3. Generate salt (random string) + +```shell +pwgen 48 1 +``` + +4. Add key to your LUKS2 device + +```shell +fido2luks add-key -Pt --salt +``` + +`-P` - request PIN to unlock the authenticator +`-t` - add token (including credential id) to the LUKS2 header +`-e` - wipe all other keys + +For the full list of options see `fido2luks add-key --help` + +5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf) + +Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of + +```shell +cryptsetup luksDump +``` + +6. Add fido2luks hook to /etc/mkinitcpio.conf + +Before or instead of `encrypt` hook, for example: + +```shell +HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck) +``` + +7. Recreate initial ramdisk + +```shell +mkinitcpio -p +``` diff --git a/initcpio/fido2luks.conf b/initcpio/fido2luks.conf new file mode 100644 index 0000000..b2fb6fa --- /dev/null +++ b/initcpio/fido2luks.conf @@ -0,0 +1,18 @@ +# Set credential *ONLY IF* it's not embedded in the LUKS2 header +FIDO2LUKS_CREDENTIAL_ID= + +# Encrypted device and its name under /dev/mapper +# Can be overridden by `cryptdevice` kernel parameter +FIDO2LUKS_DEVICE= +FIDO2LUKS_MAPPER_NAME= + +FIDO2LUKS_SALT=string: + +# Use specific keyslot (ignore all other slots) +FIDO2LUKS_DEVICE_SLOT= + +# Await for an authenticator to be connected (in seconds) +FIDO2LUKS_DEVICE_AWAIT= + +# Set to 1 if PIN is required to unlock the authenticator +FIDO2LUKS_ASK_PIN= diff --git a/initcpio/hooks/fido2luks b/initcpio/hooks/fido2luks new file mode 100644 index 0000000..f96be78 --- /dev/null +++ b/initcpio/hooks/fido2luks @@ -0,0 +1,55 @@ +#!/usr/bin/ash + +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + . /etc/fido2luks.conf + + if [ -z "$cryptdevice" ]; then + device="$FIDO2LUKS_DEVICE" + dmname="$FIDO2LUKS_MAPPER_NAME" + else + IFS=: read cryptdev dmname _cryptoptions < m4_ignore([ +### START OF CODE GENERATED BY Argbash v2.9.0 one line above ### +# Argbash is a bash code generator used to get arguments parsing right. +# Argbash is FREE SOFTWARE, see https://argbash.io for more info +# Generated online by https://argbash.io/generate + + +die() +{ + local _ret="${2:-1}" + test "${_PRINT_HELP:-no}" = yes && print_help >&2 + echo "$1" >&2 + exit "${_ret}" +} + + +begins_with_short_option() +{ + local first_option all_short_options='cdmash' + first_option="${1:0:1}" + test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0 +} + +# THE DEFAULTS INITIALIZATION - POSITIONALS +_positionals=() +# THE DEFAULTS INITIALIZATION - OPTIONALS +_arg_credentials_type= +_arg_device= +_arg_mount_point= +_arg_ask_pin="off" +_arg_salt="" + + +print_help() +{ + printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point." + printf 'Usage: %s [-c|--credentials-type ] [-d|--device ] [-m|--mount-point ] [-a|--(no-)ask-pin] [-s|--salt ] [-h|--help] \n' "$0" + printf '\t%s\n' ": Operation to perform (mount|umount)" + printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)" + printf '\t%s\n' "-d, --device: Name of the device to create (no default)" + printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)" + printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)" + printf '\t%s\n' "-s, --salt: Salt to use (default: '""')" + printf '\t%s\n' "-h, --help: Prints help" +} + + +parse_commandline() +{ + _positionals_count=0 + while test $# -gt 0 + do + _key="$1" + case "$_key" in + -c|--credentials-type) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_credentials_type="$2" + shift + ;; + --credentials-type=*) + _arg_credentials_type="${_key##--credentials-type=}" + ;; + -c*) + _arg_credentials_type="${_key##-c}" + ;; + -d|--device) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_device="$2" + shift + ;; + --device=*) + _arg_device="${_key##--device=}" + ;; + -d*) + _arg_device="${_key##-d}" + ;; + -m|--mount-point) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_mount_point="$2" + shift + ;; + --mount-point=*) + _arg_mount_point="${_key##--mount-point=}" + ;; + -m*) + _arg_mount_point="${_key##-m}" + ;; + -a|--no-ask-pin|--ask-pin) + _arg_ask_pin="on" + test "${1:0:5}" = "--no-" && _arg_ask_pin="off" + ;; + -a*) + _arg_ask_pin="on" + _next="${_key##-a}" + if test -n "$_next" -a "$_next" != "$_key" + then + { begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option." + fi + ;; + -s|--salt) + test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1 + _arg_salt="$2" + shift + ;; + --salt=*) + _arg_salt="${_key##--salt=}" + ;; + -s*) + _arg_salt="${_key##-s}" + ;; + -h|--help) + print_help + exit 0 + ;; + -h*) + print_help + exit 0 + ;; + *) + _last_positional="$1" + _positionals+=("$_last_positional") + _positionals_count=$((_positionals_count + 1)) + ;; + esac + shift + done +} + + +handle_passed_args_count() +{ + local _required_args_string="'operation'" + test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1 + test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1 +} + + +assign_positional_args() +{ + local _positional_name _shift_for=$1 + _positional_names="_arg_operation " + + shift "$_shift_for" + for _positional_name in ${_positional_names} + do + test $# -gt 0 || break + eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1 + shift + done +} + +parse_commandline "$@" +handle_passed_args_count +assign_positional_args 1 "${_positionals[@]}" + +# OTHER STUFF GENERATED BY Argbash + +### END OF CODE GENERATED BY Argbash (sortof) ### ]) +# [ <-- needed because of Argbash + +if [ -z ${_arg_mount_point} ]; then + die "Missing '--mount-point' argument" +fi + +if [ -z ${_arg_device} ]; then + die "Missing '--device' argument" +fi + +ASK_PIN=${_arg_ask_pin} +OPERATION=${_arg_operation} +DEVICE=${_arg_device} +DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE}) +MOUNT_POINT=${_arg_mount_point} +CREDENTIALS_TYPE=${_arg_credentials_type} +SALT=${_arg_salt} +CONF_FILE_PATH="/etc/fido2luksmounthelper.conf" + +if [ "${OPERATION}" == "mount" ]; then + if [ "${CREDENTIALS_TYPE}" == "external" ]; then + if [ -f ${CONF_FILE_PATH} ]; then + if [ "${ASK_PIN}" == "on" ]; then + read PASSWORD + fi + CREDENTIALS=$(<${CONF_FILE_PATH}) + else + die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials." + fi + printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS} + elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then + if [ "${ASK_PIN}" == "on" ]; then + read PASSWORD + fi + printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} + else + die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'" + fi + mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT} +elif [ "${OPERATION}" == "umount" ]; then + umount ${MOUNT_POINT} + cryptsetup luksClose ${DEVICE_NAME} +else + die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'" +fi + +exit 0 + +# ] <-- needed because of Argbash \ No newline at end of file diff --git a/src/cli.rs b/src/cli.rs index 06522fd..68b45de 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -2,35 +2,23 @@ use crate::error::*; use crate::luks::{Fido2LuksToken, LuksDevice}; use crate::util::sha256; use crate::*; +pub use cli_args::Args; use cli_args::*; - -use structopt::clap::Shell; -use structopt::StructOpt; - use ctap::{FidoCredential, FidoErrorKind}; - -use std::io::{Read, Write}; +use std::borrow::Cow; +use std::collections::HashSet; +use std::io::Write; +use std::iter::FromIterator; +use std::path::Path; use std::str::FromStr; use std::thread; use std::time::Duration; - -use std::borrow::Cow; -use std::collections::HashSet; -use std::fs::File; use std::time::SystemTime; +use structopt::clap::Shell; +use structopt::StructOpt; -pub use cli_args::Args; -use std::iter::FromIterator; -use std::path::PathBuf; - -fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult { - if let Some(src) = ap.pin_source.as_ref() { - let mut pin = String::new(); - File::open(src)?.read_to_string(&mut pin)?; - Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline - } else { - util::read_password("Authenticator PIN", false) - } +fn read_pin() -> Fido2LuksResult { + util::read_password_tty("Authenticator PIN", false) } fn derive_secret( @@ -39,6 +27,9 @@ fn derive_secret( timeout: u64, pin: Option<&str>, ) -> Fido2LuksResult<([u8; 32], FidoCredential)> { + if credentials.is_empty() { + return Err(Fido2LuksError::InsufficientCredentials); + } let timeout = Duration::from_secs(timeout); let start = SystemTime::now(); @@ -74,20 +65,62 @@ pub fn extend_creds_device( creds: &[HexEncoded], luks_dev: &mut LuksDevice, ) -> Fido2LuksResult> { - let mut additional = HashSet::from_iter(creds.iter().cloned()); + let mut additional = HashSet::new(); + additional.extend(creds.iter().cloned()); for token in luks_dev.tokens()? { for cred in token?.1.credential { - let parsed = HexEncoded::from_str(cred.as_str())?; + let parsed = HexEncoded::from_str(cred.as_str()).map_err(|_e| { + Fido2LuksError::HexEncodingError { + string: cred.clone(), + } + })?; additional.insert(parsed); } } Ok(Vec::from_iter(additional.into_iter())) } -pub fn read_password_pin_prefixed( - reader: impl Fn() -> Fido2LuksResult, +pub fn get_input( + secret: &SecretParameters, + authenticator: &AuthenticatorParameters, + interactive: bool, + q: &str, + verify: bool, ) -> Fido2LuksResult<(Option, [u8; 32])> { - let read = reader()?; + let password_helper = secret + .password_helper + .as_ref() + .map(|helper| move || helper.obtain()); + let salt = &secret.salt; + Ok(if interactive { + ( + if authenticator.pin && may_require_pin()? { + Some(read_pin()?) + } else { + None + }, + salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?, + ) + } else { + match ( + authenticator.pin && may_require_pin()?, + authenticator.pin_prefixed, + ) { + (true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?), + (true, true) => read_password_pin_prefixed(|| { + salt.obtain(password_helper).and_then(|secret| { + String::from_utf8(secret).map_err(|e| Fido2LuksError::from(e)) + }) + })?, + (false, _) => (None, salt.obtain_sha256(password_helper)?), + } + }) +} + +pub fn read_password_pin_prefixed( + prefixed: impl Fn() -> Fido2LuksResult, +) -> Fido2LuksResult<(Option, [u8; 32])> { + let read = prefixed()?; let separator = ':'; let mut parts = read.split(separator); let pin = parts.next().filter(|p| p.len() > 0).map(|p| p.to_string()); @@ -95,18 +128,47 @@ pub fn read_password_pin_prefixed( Some(ref pin) if read.len() > pin.len() => { read.chars().skip(pin.len() + 1).collect::() } - _ => String::new(), + Some(_) => String::new(), + _ => read + .chars() + .skip(read.chars().next().map(|c| c == separator).unwrap_or(false) as usize) + .collect::(), }; Ok((pin, util::sha256(&[password.as_bytes()]))) } +/// generate an more readable name from common paths +pub fn derive_credential_name(path: &Path) -> String { + match path.file_name() { + Some(name) + if path + .iter() + .any(|p| p == "by-label" || p == "by-partlabel" || p == "by-uuid") => + { + name.to_string_lossy().as_ref().to_string() + } + _ => path.display().to_string(), + } +} + pub fn parse_cmdline() -> Args { Args::from_args() } +pub fn prompt_interaction(interactive: bool) { + if interactive { + println!("Authorize using your FIDO device"); + } +} + pub fn run_cli() -> Fido2LuksResult<()> { let mut stdout = io::stdout(); let args = parse_cmdline(); + let log = |message: &dyn Fn() -> String| { + if args.verbose { + eprintln!("{}", &*message()); + } + }; let interactive = args.interactive; match &args.command { Command::Credential { @@ -114,13 +176,13 @@ pub fn run_cli() -> Fido2LuksResult<()> { name, } => { let pin_string; - let pin = if authenticator.pin { - pin_string = read_pin(authenticator)?; + let pin = if authenticator.pin && may_require_pin()? { + pin_string = read_pin()?; Some(pin_string.as_ref()) } else { None }; - let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?; + let cred = make_credential_id(Some(name.as_ref()), pin)?; println!("{}", hex::encode(&cred.id)); Ok(()) } @@ -131,50 +193,42 @@ pub fn run_cli() -> Fido2LuksResult<()> { secret, device, } => { - let pin_string; - let pin = if authenticator.pin { - pin_string = read_pin(authenticator)?; - Some(pin_string.as_ref()) + let (pin, salt) = + get_input(&secret, &authenticator, args.interactive, "Password", false)?; + let credentials = if let Some(path) = device { + let mut dev = LuksDevice::load(path)?; + let luks2 = dev.is_luks2()?; + log(&|| format!("luks2 supported: {}", luks2)); + extend_creds_device( + credentials + .ids + .clone() + .map(|cs| cs.0) + .unwrap_or_default() + .as_slice(), + &mut dev, + )? } else { - None + credentials.ids.clone().map(|cs| cs.0).unwrap_or_default() }; - let (pin, salt) = match ( - &secret.password_helper, - authenticator.pin, - authenticator.pin_prefixed, - args.interactive, - ) { - (Some(phelper), true, true, false) => { - read_password_pin_prefixed(|| phelper.obtain())? - } - (Some(phelper), false, false, false) => (None, secret.salt.obtain_sha256(&phelper)), - - (phelper, pin, _, true) => ( - if pin { - pin_string = read_pin(authenticator)?; - Some(pin_string.as_ref()) - } else { - None - }, - match phelper { - None | Some(PasswordHelper::Stdin) => { - util::read_password_hashed("Password", false) - } - Some(phelper) => secret.salt.obtain_sha256(&phelper), - }?, - ), - }; - let credentials = if let Some(dev) = device { - extend_creds_device(credentials.ids.0.as_slice(), &mut LuksDevice::load(dev)?)? - } else { - credentials.ids.0 - }; - let (secret, _cred) = derive_secret( - credentials.as_slice(), + log(&|| { + format!( + "credentials: {}", + credentials + .iter() + .map(ToString::to_string) + .collect::>() + .join(", ") + ) + }); + prompt_interaction(interactive); + let (secret, cred) = derive_secret( + &credentials, &salt, authenticator.await_time, pin.as_deref(), )?; + log(&|| format!("credential used: {}", hex::encode(&cred.id))); if *binary { stdout.write_all(&secret[..])?; } else { @@ -189,7 +243,6 @@ pub fn run_cli() -> Fido2LuksResult<()> { secret, luks_mod, existing_secret: other_secret, - auto_credential, .. } | Command::ReplaceKey { @@ -199,21 +252,41 @@ pub fn run_cli() -> Fido2LuksResult<()> { secret, luks_mod, replacement: other_secret, - remove_cred, .. } => { - let pin = if authenticator.pin { - Some(read_pin(authenticator)?) + let mut luks_dev = LuksDevice::load(&luks.device)?; + + let luks2 = luks_dev.is_luks2()?; + + log(&|| format!("luks2 supported: {}", luks2)); + + let credentials = if !luks.disable_token && luks2 { + extend_creds_device( + credentials + .ids + .clone() + .map(|cs| cs.0) + .unwrap_or_default() + .as_slice(), + &mut luks_dev, + )? } else { - None + credentials.ids.clone().map(|cs| cs.0).unwrap_or_default() }; - let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> { - if interactive || secret.password_helper == PasswordHelper::Stdin { - util::read_password_hashed(q, verify) - } else { - secret.salt.obtain_sha256(&secret.password_helper) - } + log(&|| { + format!( + "credentials: {}", + credentials + .iter() + .map(ToString::to_string) + .collect::>() + .join(", ") + ) + }); + let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option, [u8; 32])> { + get_input(&secret, &authenticator, args.interactive, q, verify) }; + let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<(Vec, Option)> { @@ -224,38 +297,70 @@ pub fn run_cli() -> Fido2LuksResult<()> { } => Ok((util::read_keyfile(file)?, None)), OtherSecret { fido_device: true, .. - } => Ok(derive_secret( - &credentials.ids.0, - &salt(salt_q, verify)?, - authenticator.await_time, - pin.as_deref(), - ) - .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?), + } => { + let (pin, salt) = inputs(salt_q, verify)?; + prompt_interaction(interactive); + Ok(derive_secret( + &credentials, + &salt, + authenticator.await_time, + pin.as_deref(), + ) + .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?) + } _ => Ok(( - util::read_password(salt_q, verify)?.as_bytes().to_vec(), + util::read_password_tty(salt_q, verify)?.as_bytes().to_vec(), None, )), } }; - let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> { - derive_secret( - &credentials.ids.0, - &salt("Password", verify)?, - authenticator.await_time, - pin.as_deref(), - ) + let secret = |q: &str, + verify: bool, + credentials: &[HexEncoded]| + -> Fido2LuksResult<([u8; 32], FidoCredential)> { + let (pin, salt) = inputs(q, verify)?; + prompt_interaction(interactive); + derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref()) }; - let mut luks_dev = LuksDevice::load(&luks.device)?; // Non overlap match &args.command { - Command::AddKey { exclusive, .. } => { + Command::AddKey { + exclusive, + generate_credential, + .. + } => { let (existing_secret, _) = other_secret("Current password", false)?; - let (new_secret, cred) = secret(true)?; + let (new_secret, cred) = if *generate_credential && luks2 { + let cred = make_credential_id( + Some(derive_credential_name(luks.device.as_path()).as_str()), + (if authenticator.pin && may_require_pin()? { + //TODO: not ideal since it ignores pin-prefixed + Some(read_pin()?) + } else { + None + }) + .as_deref(), + )?; + log(&|| { + format!( + "generated credential: {}\ncredential username: {:?}", + hex::encode(&cred.id), + derive_credential_name(luks.device.as_path()) + ) + }); + let creds = vec![HexEncoded(cred.id)]; + secret("Password to be added", true, &creds) + } else { + secret("Password to be added", true, &credentials) + }?; + log(&|| format!("credential used: {}", hex::encode(&cred.id))); let added_slot = luks_dev.add_key( &new_secret, &existing_secret[..], luks_mod.kdf_time.or(Some(10)), - Some(&cred.id[..]).filter(|_| *token), + Some(&cred.id[..]) + .filter(|_| !luks.disable_token || *generate_credential) + .filter(|_| luks2), )?; if *exclusive { let destroyed = luks_dev.remove_keyslots(&[added_slot])?; @@ -274,24 +379,42 @@ pub fn run_cli() -> Fido2LuksResult<()> { } Ok(()) } - Command::ReplaceKey { add_password, .. } => { - let (existing_secret, _) = secret(false)?; + Command::ReplaceKey { + add_password, + remove_cred, + .. + } => { + let (existing_secret, _prev_cred) = + secret("Current password", false, &credentials)?; let (replacement_secret, cred) = other_secret("Replacement password", true)?; let slot = if *add_password { luks_dev.add_key( &replacement_secret[..], &existing_secret, luks_mod.kdf_time, - cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]), + cred.as_ref() + .filter(|_| !luks.disable_token) + .filter(|_| luks2) + .map(|cred| &cred.id[..]), ) } else { - luks_dev.replace_key( + let slot = luks_dev.replace_key( &replacement_secret[..], &existing_secret, luks_mod.kdf_time, - cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]), - ) + cred.as_ref() + .filter(|_| !luks.disable_token) + .filter(|_| luks2) + .map(|cred| &cred.id[..]), + )?; + if *remove_cred && cred.is_none() { + luks_dev.remove_token_slot(slot)?; + } + Ok(slot) }?; + if let Some(cred) = cred { + log(&|| format!("credential used: {}", hex::encode(&cred.id))); + } println!( "Added to password to device {}, slot: {}", luks.device.display(), @@ -307,62 +430,71 @@ pub fn run_cli() -> Fido2LuksResult<()> { authenticator, secret, name, + credentials, retries, - .. - } - | Command::OpenToken { - luks, - authenticator, - secret, - name, - retries, + dry_run, } => { - let pin_string; - let pin = if authenticator.pin { - pin_string = read_pin(authenticator)?; - Some(pin_string.as_ref()) - } else { - None - }; - let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> { - if interactive || secret.password_helper == PasswordHelper::Stdin { - util::read_password_hashed(q, verify) - } else { - secret.salt.obtain_sha256(&secret.password_helper) - } + let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option, [u8; 32])> { + get_input(&secret, &authenticator, args.interactive, q, verify) }; // Cow shouldn't be necessary let secret = |credentials: Cow<'_, Vec>| { + let (pin, salt) = inputs("Password", false)?; + prompt_interaction(interactive); derive_secret( credentials.as_ref(), - &salt("Password", false)?, + &salt, authenticator.await_time, - pin, + pin.as_deref(), ) }; let mut retries = *retries; let mut luks_dev = LuksDevice::load(&luks.device)?; + let luks2 = luks_dev.is_luks2()?; + log(&|| format!("luks2 supported: {}", luks2)); loop { - let secret = match &args.command { - Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0)) - .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)), - Command::OpenToken { .. } => luks_dev.activate_token( + let slot = if let Some(ref credentials) = credentials.ids { + log(&|| { + format!( + "credentials: {}", + credentials + .0 + .iter() + .map(ToString::to_string) + .collect::>() + .join(", ") + ) + }); + secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| { + log(&|| format!("credential used: {}", hex::encode(&cred.id))); + luks_dev.activate(&name, &secret, luks.slot, *dry_run) + }) + } else if luks2 && !luks.disable_token { + luks_dev.activate_token( &name, Box::new(|credentials: Vec| { + log(&|| format!("credentials: {}", credentials.join(", "))); let creds = credentials .into_iter() .flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok()) .collect::>(); - secret(Cow::Owned(creds)) - .map(|(secret, cred)| (secret, hex::encode(&cred.id))) + secret(Cow::Owned(creds)).map(|(secret, cred)| { + log(&|| format!("credential used: {}", hex::encode(&cred.id))); + (secret, hex::encode(&cred.id)) + }) }), luks.slot, - ), - _ => unreachable!(), + *dry_run, + ) + } else if luks_dev.is_luks2()? && luks.disable_token { + // disable-token is mostly cosmetic in this instance + return Err(Fido2LuksError::InsufficientCredentials); + } else { + return Err(Fido2LuksError::WrongSecret); }; - match secret { + match slot { Err(e) => { match e { Fido2LuksError::WrongSecret if retries > 0 => {} @@ -370,11 +502,14 @@ pub fn run_cli() -> Fido2LuksResult<()> { if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {} e => return Err(e), - } + }; retries -= 1; eprintln!("{}", e); } - res => break res.map(|_| ()), + Ok(slot) => { + log(&|| format!("keyslot: {}", slot)); + break Ok(()); + } } } } @@ -444,7 +579,7 @@ pub fn run_cli() -> Fido2LuksResult<()> { } } let count = if tokens.is_empty() { - dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?; + dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?; 1 } else { tokens.len() @@ -452,7 +587,7 @@ pub fn run_cli() -> Fido2LuksResult<()> { for (id, mut token) in tokens { token .credential - .extend(credentials.ids.0.iter().map(|h| h.to_string())); + .extend(credentials.0.iter().map(|h| h.to_string())); dev.update_token(id, &token)?; } println!("Updated {} tokens", count); @@ -480,7 +615,7 @@ pub fn run_cli() -> Fido2LuksResult<()> { token.credential = token .credential .into_iter() - .filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred)) + .filter(|cred| !credentials.0.iter().any(|h| &h.to_string() == cred)) .collect(); dev.update_token(id, &token)?; } @@ -510,15 +645,25 @@ pub fn run_cli() -> Fido2LuksResult<()> { } }, Command::GenerateCompletions { shell, out_dir } => { - Args::clap().gen_completions( - env!("CARGO_PKG_NAME"), - match shell.as_ref() { - "bash" => Shell::Bash, - "fish" => Shell::Fish, - _ => unreachable!("structopt shouldn't allow us to reach this point"), - }, - &out_dir, - ); + // zsh won't work atm https://github.com/clap-rs/clap/issues/1822 + if let Some(s) = shell { + if s.as_str() == "zsh" { + unimplemented!("zsh completions are broken atm: see https://github.com/clap-rs/clap/issues/1822") + } + } + for variant in Shell::variants().iter().filter(|v| *v != &"zsh") { + if let Some(s) = shell { + if *variant != s.as_str() { + break; + } + } + Args::clap().gen_completions( + env!("CARGO_PKG_NAME"), + Shell::from_str(variant) + .expect("structopt shouldn't allow us to reach this point"), + &out_dir, + ); + } Ok(()) } } @@ -531,20 +676,33 @@ mod test { #[test] fn test_read_password_pin_prefixed() { + // 1234:test -> PIN: 1234, password: test assert_eq!( - read_password_pin_prefixed(|| OK("1234:test")), - Ok((Some("1234".to_string()), util::sha256(&["test".as_bytes()]))) + read_password_pin_prefixed(|| Ok("1234:test".into())).unwrap(), + (Some("1234".to_string()), util::sha256(&["test".as_bytes()])) ); + // :test -> PIN: None, password: test assert_eq!( - read_password_pin_prefixed(|| OK(":test")), - Ok((None, util::sha256(&["test".as_bytes()]))) + read_password_pin_prefixed(|| Ok(":test".into())).unwrap(), + (None, util::sha256(&["test".as_bytes()])) ); + // 1234::test -> PIN: 1234, password: :test assert_eq!( - read_password_pin_prefixed(|| OK("1234::test")), - Ok(( + read_password_pin_prefixed(|| Ok("1234::test".into())).unwrap(), + ( Some("1234".to_string()), util::sha256(&[":test".as_bytes()]) - )) + ) + ); + // 1234 -> PIN: 1234, password: empty + assert_eq!( + read_password_pin_prefixed(|| Ok("1234".into())).unwrap(), + (Some("1234".to_string()), util::sha256(&["".as_bytes()])) + ); + // 1234:test -> PIN: None, password: test + assert_eq!( + read_password_pin_prefixed(|| Ok(":test".into())).unwrap(), + (None, util::sha256(&["test".as_bytes()])) ); } } diff --git a/src/cli_args/config.rs b/src/cli_args/config.rs index d2ef46c..12298c8 100644 --- a/src/cli_args/config.rs +++ b/src/cli_args/config.rs @@ -7,6 +7,7 @@ use std::fs::File; use std::io::Read; use std::path::PathBuf; use std::process::Command; +use std::process::Stdio; use std::str::FromStr; #[derive(Debug, Clone, PartialEq)] @@ -55,11 +56,17 @@ impl fmt::Display for SecretInput { } impl SecretInput { - pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult { + pub fn obtain_string( + &self, + password_helper: Option Fido2LuksResult>, + ) -> Fido2LuksResult { Ok(String::from_utf8(self.obtain(password_helper)?)?) } - pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult> { + pub fn obtain( + &self, + password_helper: Option Fido2LuksResult>, + ) -> Fido2LuksResult> { let mut secret = Vec::new(); match self { SecretInput::File { path } => { @@ -67,16 +74,22 @@ impl SecretInput { let mut do_io = || File::open(path)?.read_to_end(&mut secret); do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?; } - SecretInput::AskPassword => { - secret.extend_from_slice(password_helper.obtain()?.as_bytes()) - } + SecretInput::AskPassword => secret.extend_from_slice( + password_helper.ok_or_else(|| Fido2LuksError::AskPassError { + cause: AskPassError::FailedHelper, + })?()? + .as_bytes(), + ), SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()), } Ok(secret) } - pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> { + pub fn obtain_sha256( + &self, + password_helper: Option Fido2LuksResult>, + ) -> Fido2LuksResult<[u8; 32]> { let mut digest = digest::Context::new(&digest::SHA256); match self { SecretInput::File { path } => { @@ -151,11 +164,13 @@ impl PasswordHelper { use PasswordHelper::*; match self { Systemd => unimplemented!(), - Stdin => Ok(util::read_password("Password", true)?), + Stdin => Ok(util::read_password("Password", true, false)?), Script(password_helper) => { let password = Command::new("sh") .arg("-c") .arg(&password_helper) + .stdin(Stdio::inherit()) + .stderr(Stdio::inherit()) .output() .map_err(|e| Fido2LuksError::AskPassError { cause: error::AskPassError::IO(e), @@ -198,7 +213,7 @@ mod test { fn input_salt_obtain() { assert_eq!( SecretInput::String("abc".into()) - .obtain(&PasswordHelper::Stdin) + .obtain_sha256(Some(|| Ok("123456".to_string()))) .unwrap(), [ 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97, diff --git a/src/cli_args/mod.rs b/src/cli_args/mod.rs index fffadce..935cc51 100644 --- a/src/cli_args/mod.rs +++ b/src/cli_args/mod.rs @@ -1,7 +1,8 @@ use std::fmt::{Display, Error, Formatter}; +use std::hash::{Hash, Hasher}; use std::path::PathBuf; use std::str::FromStr; -use structopt::clap::AppSettings; +use structopt::clap::{AppSettings, Shell}; use structopt::StructOpt; mod config; @@ -31,6 +32,12 @@ impl FromStr for HexEncoded { } } +impl Hash for HexEncoded { + fn hash(&self, state: &mut H) { + self.0.hash(state) + } +} + #[derive(Debug, Eq, PartialEq, Clone)] pub struct CommaSeparated(pub Vec); @@ -69,7 +76,7 @@ pub struct Credentials { #[derive(Debug, StructOpt)] pub struct AuthenticatorParameters { - /// Request a PIN to unlock the authenticator + /// Request a PIN to unlock the authenticator if required #[structopt(short = "P", long = "pin")] pub pin: bool, @@ -97,7 +104,10 @@ pub struct LuksParameters { pub slot: Option, /// Disable implicit use of LUKS2 tokens - #[structopt(long = "disable-token", env = "FIDO2LUKS_DISABLE_TOKEN")] + #[structopt( + long = "disable-token", + // env = "FIDO2LUKS_DISABLE_TOKEN" // unfortunately clap will convert flags into args if they have an env attribute + )] pub disable_token: bool, } @@ -128,8 +138,7 @@ pub struct SecretParameters { #[structopt( name = "password-helper", env = "FIDO2LUKS_PASSWORD_HELPER", - long = "password-helper", - default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'" + long = "password-helper" )] pub password_helper: Option, } @@ -138,6 +147,8 @@ pub struct Args { /// Request passwords via Stdin instead of using the password helper #[structopt(short = "i", long = "interactive")] pub interactive: bool, + #[structopt(short = "v", long = "verbose")] + pub verbose: bool, #[structopt(subcommand)] pub command: Command, } @@ -185,9 +196,9 @@ pub enum Command { /// Will wipe all other keys #[structopt(short = "e", long = "exclusive")] exclusive: bool, - /// Will generate an credential for only this device - #[structopt(short = "a", long = "auto-cred")] - auto_credential: bool, + /// Will generate an credential while adding a new key to this LUKS device if supported + #[structopt(short = "g", long = "gen-cred")] + generate_credential: bool, #[structopt(flatten)] existing_secret: OtherSecret, #[structopt(flatten)] @@ -207,7 +218,7 @@ pub enum Command { /// Add the password and keep the key #[structopt(short = "a", long = "add-password")] add_password: bool, - /// Remove the affected credential for device header + /// Remove the affected credential from LUKS header #[structopt(short = "r", long = "remove-cred")] remove_cred: bool, #[structopt(flatten)] @@ -216,7 +227,7 @@ pub enum Command { luks_mod: LuksModParameters, }, /// Open the LUKS device - #[structopt(name = "open")] + #[structopt(name = "open", alias = "open-token")] Open { #[structopt(flatten)] luks: LuksParameters, @@ -230,26 +241,30 @@ pub enum Command { secret: SecretParameters, #[structopt(short = "r", long = "max-retries", default_value = "0")] retries: i32, + /// Perform the whole procedure without mounting the LUKS volume on success + #[structopt(long = "dry-run")] + dry_run: bool, }, /// Generate a new FIDO credential #[structopt(name = "credential")] Credential { #[structopt(flatten)] authenticator: AuthenticatorParameters, - /// Name to be displayed on the authenticator if it has a display - #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")] - name: Option, + /// Name to be displayed on the authenticator display + #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")] + name: String, }, /// Check if an authenticator is connected #[structopt(name = "connected")] Connected, Token(TokenCommand), /// Generate bash completion scripts + /// Example: fido2luks completions --shell bash /usr/share/bash-completion/completions #[structopt(name = "completions", setting = AppSettings::Hidden)] GenerateCompletions { - /// Shell to generate completions for: bash, fish - #[structopt(possible_values = &["bash", "fish"])] - shell: String, + /// Shell to generate completions for + #[structopt(short = "s", long = "shell",possible_values = &Shell::variants()[..])] + shell: Option, out_dir: PathBuf, }, } @@ -269,8 +284,14 @@ pub enum TokenCommand { Add { #[structopt(env = "FIDO2LUKS_DEVICE")] device: PathBuf, - #[structopt(flatten)] - credentials: Credentials, + /// FIDO credential ids, separated by ',' generate using fido2luks credential + #[structopt( + name = "credential-ids", + env = "FIDO2LUKS_CREDENTIAL_ID", + short = "c", + long = "creds" + )] + credentials: CommaSeparated, /// Slot to which the credentials will be added #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")] slot: u32, @@ -279,8 +300,14 @@ pub enum TokenCommand { Remove { #[structopt(env = "FIDO2LUKS_DEVICE")] device: PathBuf, - #[structopt(flatten)] - credentials: Credentials, + /// FIDO credential ids, separated by ',' generate using fido2luks credential + #[structopt( + name = "credential-ids", + env = "FIDO2LUKS_CREDENTIAL_ID", + short = "c", + long = "creds" + )] + credentials: CommaSeparated, /// Token from which the credentials will be removed #[structopt(long = "token")] token_id: Option, diff --git a/src/device.rs b/src/device.rs index 99ac2a7..e735165 100644 --- a/src/device.rs +++ b/src/device.rs @@ -19,7 +19,7 @@ pub fn make_credential_id( } let request = request.build().unwrap(); let make_credential = |device: &mut FidoDevice| { - if let Some(pin) = pin { + if let Some(pin) = pin.filter(|_| device.needs_pin()) { device.unlock(pin)?; } device.make_hmac_credential(&request) @@ -44,7 +44,7 @@ pub fn perform_challenge<'a>( .build() .unwrap(); let get_assertion = |device: &mut FidoDevice| { - if let Some(pin) = pin { + if let Some(pin) = pin.filter(|_| device.needs_pin()) { device.unlock(pin)?; } device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) @@ -58,6 +58,17 @@ pub fn perform_challenge<'a>( Ok((secret, credential)) } +pub fn may_require_pin() -> Fido2LuksResult { + for di in ctap::get_devices()? { + if let Ok(dev) = FidoDevice::new(&di) { + if dev.needs_pin() { + return Ok(true); + } + } + } + Ok(false) +} + pub fn get_devices() -> Fido2LuksResult> { let mut devices = Vec::with_capacity(2); for di in ctap::get_devices()? { diff --git a/src/error.rs b/src/error.rs index 03d9741..f451f1c 100644 --- a/src/error.rs +++ b/src/error.rs @@ -29,6 +29,10 @@ pub enum Fido2LuksError { WrongSecret, #[fail(display = "not an utf8 string")] StringEncodingError { cause: FromUtf8Error }, + #[fail(display = "not an hex string: {}", string)] + HexEncodingError { string: String }, + #[fail(display = "couldn't obtain at least one credential")] + InsufficientCredentials, } impl Fido2LuksError { @@ -50,6 +54,8 @@ pub enum AskPassError { IO(io::Error), #[fail(display = "provided passwords don't match")] Mismatch, + #[fail(display = "failed to call password helper")] + FailedHelper, } #[derive(Debug, Fail)] diff --git a/src/luks.rs b/src/luks.rs index 6996eef..fc40183 100644 --- a/src/luks.rs +++ b/src/luks.rs @@ -111,6 +111,20 @@ impl LuksDevice { Ok(()) } + pub fn remove_token_slot(&mut self, slot: u32) -> Fido2LuksResult<()> { + let mut remove = HashSet::new(); + for token in self.tokens()? { + let (id, token) = token?; + if token.keyslots.contains(&slot.to_string()) { + remove.insert(id); + } + } + for rm in remove { + self.remove_token(rm)?; + } + Ok(()) + } + pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> { self.require_luks2()?; self.device @@ -192,7 +206,9 @@ impl LuksDevice { old_secret, CryptActivateFlags::empty(), )?; - self.device.keyslot_handle().change_by_passphrase( + + // slot should stay the same but better be safe than sorry + let slot = self.device.keyslot_handle().change_by_passphrase( Some(slot), Some(slot), old_secret, @@ -221,10 +237,16 @@ impl LuksDevice { name: &str, secret: &[u8], slot_hint: Option, + dry_run: bool, ) -> Fido2LuksResult { self.device .activate_handle() - .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty()) + .activate_by_passphrase( + Some(name).filter(|_| !dry_run), + slot_hint, + secret, + CryptActivateFlags::empty(), + ) .map_err(LuksError::activate) } @@ -233,6 +255,7 @@ impl LuksDevice { name: &str, secret: impl Fn(Vec) -> Fido2LuksResult<([u8; 32], String)>, slot_hint: Option, + dry_run: bool, ) -> Fido2LuksResult { if !self.is_luks2()? { return Err(LuksError::Luks2Required.into()); @@ -276,7 +299,7 @@ impl LuksDevice { .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort ); for slot in slots { - match self.activate(name, &secret, slot) { + match self.activate(name, &secret, slot, dry_run) { Err(Fido2LuksError::WrongSecret) => (), res => return res, } diff --git a/src/util.rs b/src/util.rs index 3676480..5ca21ff 100644 --- a/src/util.rs +++ b/src/util.rs @@ -13,9 +13,17 @@ pub fn sha256(messages: &[&[u8]]) -> [u8; 32] { secret.as_mut().copy_from_slice(digest.finish().as_ref()); secret } - -pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult { - match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? { +pub fn read_password_tty(q: &str, verify: bool) -> Fido2LuksResult { + read_password(q, verify, true) +} +pub fn read_password(q: &str, verify: bool, tty: bool) -> Fido2LuksResult { + let res = if tty { + rpassword::read_password_from_tty(Some(&[q, ": "].join(""))) + } else { + print!("{}: ", q); + rpassword::read_password() + }?; + match res { ref pass if verify && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))? @@ -29,10 +37,6 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult { } } -pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> { - read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()])) -} - pub fn read_keyfile>(path: P) -> Fido2LuksResult> { let mut file = File::open(path.into())?; let mut key = Vec::new();