1

2020-10-11 18:33:59 +02:00
parent 0ec859f4a6
commit e9510216ef
4 changed files with 216 additions and 94 deletions
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -20,6 +20,8 @@ use std::fs::File;
 use std::time::SystemTime;

 pub use cli_args::Args;
+use std::iter::FromIterator;
+use std::path::PathBuf;

 fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
    if let Some(src) = ap.pin_source.as_ref() {
@@ -64,7 +66,38 @@ fn derive_secret(
    let (unsalted, cred) =
        perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;

-    Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
+    let binary = sha256(&[salt, &unsalted[..]]);
+    Ok((binary, cred.clone()))
+}
+
+pub fn extend_creds_device(
+    creds: &[HexEncoded],
+    luks_dev: &mut LuksDevice,
+) -> Fido2LuksResult<Vec<HexEncoded>> {
+    let mut additional = HashSet::from_iter(creds.iter().cloned());
+    for token in luks_dev.tokens()? {
+        for cred in token?.1.credential {
+            let parsed = HexEncoded::from_str(cred.as_str())?;
+            additional.insert(parsed);
+        }
+    }
+    Ok(Vec::from_iter(additional.into_iter()))
+}
+
+pub fn read_password_pin_prefixed(
+    reader: impl Fn() -> Fido2LuksResult<String>,
+) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
+    let read = reader()?;
+    let separator = ':';
+    let mut parts = read.split(separator);
+    let pin = parts.next().filter(|p| p.len() > 0).map(|p| p.to_string());
+    let password = match pin {
+        Some(ref pin) if read.len() > pin.len() => {
+            read.chars().skip(pin.len() + 1).collect::<String>()
+        }
+        _ => String::new(),
+    };
+    Ok((pin, util::sha256(&[password.as_bytes()])))
 }

 pub fn parse_cmdline() -> Args {
@@ -96,6 +129,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            authenticator,
            credentials,
            secret,
+            device,
        } => {
            let pin_string;
            let pin = if authenticator.pin {
@@ -104,16 +138,42 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            } else {
                None
            };
-            let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
-                util::read_password_hashed("Password", false)
+            let (pin, salt) = match (
+                &secret.password_helper,
+                authenticator.pin,
+                authenticator.pin_prefixed,
+                args.interactive,
+            ) {
+                (Some(phelper), true, true, false) => {
+                    read_password_pin_prefixed(|| phelper.obtain())?
+                }
+                (Some(phelper), false, false, false) => (None, secret.salt.obtain_sha256(&phelper)),
+
+                (phelper, pin, _, true) => (
+                    if pin {
+                        pin_string = read_pin(authenticator)?;
+                        Some(pin_string.as_ref())
+                    } else {
+                        None
+                    },
+                    match phelper {
+                        None | Some(PasswordHelper::Stdin) => {
+                            util::read_password_hashed("Password", false)
+                        }
+                        Some(phelper) => secret.salt.obtain_sha256(&phelper),
+                    }?,
+                ),
+            };
+            let credentials = if let Some(dev) = device {
+                extend_creds_device(credentials.ids.0.as_slice(), &mut LuksDevice::load(dev)?)?
            } else {
-                secret.salt.obtain_sha256(&secret.password_helper)
-            }?;
+                credentials.ids.0
+            };
            let (secret, _cred) = derive_secret(
-                credentials.ids.0.as_slice(),
+                credentials.as_slice(),
                &salt,
                authenticator.await_time,
-                pin,
+                pin.as_deref(),
            )?;
            if *binary {
                stdout.write_all(&secret[..])?;
@@ -129,7 +189,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            secret,
            luks_mod,
            existing_secret: other_secret,
-            token,
+            auto_credential,
            ..
        }
        | Command::ReplaceKey {
@@ -139,7 +199,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            secret,
            luks_mod,
            replacement: other_secret,
-            token,
+            remove_cred,
            ..
        } => {
            let pin = if authenticator.pin {
@@ -463,3 +523,28 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        }
    }
 }
+
+#[cfg(test)]
+mod test {
+
+    use super::*;
+
+    #[test]
+    fn test_read_password_pin_prefixed() {
+        assert_eq!(
+            read_password_pin_prefixed(|| OK("1234:test")),
+            Ok((Some("1234".to_string()), util::sha256(&["test".as_bytes()])))
+        );
+        assert_eq!(
+            read_password_pin_prefixed(|| OK(":test")),
+            Ok((None, util::sha256(&["test".as_bytes()])))
+        );
+        assert_eq!(
+            read_password_pin_prefixed(|| OK("1234::test")),
+            Ok((
+                Some("1234".to_string()),
+                util::sha256(&[":test".as_bytes()])
+            ))
+        );
+    }
+}
--- a/src/cli_args/mod.rs
+++ b/src/cli_args/mod.rs
@@ -58,8 +58,13 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
    /// FIDO credential ids, separated by ',' generate using fido2luks credential
-    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
-    pub ids: CommaSeparated<HexEncoded>,
+    #[structopt(
+        name = "credential-ids",
+        env = "FIDO2LUKS_CREDENTIAL_ID",
+        short = "c",
+        long = "creds"
+    )]
+    pub ids: Option<CommaSeparated<HexEncoded>>,
 }

 #[derive(Debug, StructOpt)]
@@ -68,9 +73,9 @@ pub struct AuthenticatorParameters {
    #[structopt(short = "P", long = "pin")]
    pub pin: bool,

-    /// Location to read PIN from
-    #[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
-    pub pin_source: Option<PathBuf>,
+    /// Request PIN and password combined `pin:password` when using an password helper
+    #[structopt(long = "pin-prefixed")]
+    pub pin_prefixed: bool,

    /// Await for an authenticator to be connected, timeout after n seconds
    #[structopt(
@@ -90,13 +95,17 @@ pub struct LuksParameters {
    /// Try to unlock the device using a specifc keyslot, ignore all other slots
    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
    pub slot: Option<u32>,
+
+    /// Disable implicit use of LUKS2 tokens
+    #[structopt(long = "disable-token", env = "FIDO2LUKS_DISABLE_TOKEN")]
+    pub disable_token: bool,
 }

 #[derive(Debug, StructOpt, Clone)]
 pub struct LuksModParameters {
    /// Number of milliseconds required to derive the volume decryption key
    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
-    #[structopt(long = "kdf-time", name = "kdf-time")]
+    #[structopt(long = "kdf-time", name = "kdf-time", env = "FIDO2LUKS_KDF_TIME")]
    pub kdf_time: Option<u64>,
 }

@@ -119,9 +128,10 @@ pub struct SecretParameters {
    #[structopt(
        name = "password-helper",
        env = "FIDO2LUKS_PASSWORD_HELPER",
+        long = "password-helper",
        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
    )]
-    pub password_helper: PasswordHelper,
+    pub password_helper: Option<PasswordHelper>,
 }
 #[derive(Debug, StructOpt)]
 pub struct Args {
@@ -138,7 +148,7 @@ pub struct OtherSecret {
    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
    pub keyfile: Option<PathBuf>,
    /// Use another fido device instead of a password
-    /// Note: this requires for the credential fot the other device to be passed as argument as well
+    /// Note: this requires for the credential for the other device to be passed as argument as well
    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
    pub fido_device: bool,
 }
@@ -147,8 +157,9 @@ pub struct OtherSecret {
 pub enum Command {
    #[structopt(name = "print-secret")]
    PrintSecret {
+        // version 0.3.0 will store use the lower case ascii encoded hex string making binary output unnecessary
        /// Prints the secret as binary instead of hex encoded
-        #[structopt(short = "b", long = "bin")]
+        #[structopt(hidden = true, short = "b", long = "bin")]
        binary: bool,
        #[structopt(flatten)]
        credentials: Credentials,
@@ -156,6 +167,9 @@ pub enum Command {
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
+        /// Load credentials from LUKS header
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: Option<PathBuf>,
    },
    /// Adds a generated key to the specified LUKS device
    #[structopt(name = "add-key")]
@@ -171,9 +185,9 @@ pub enum Command {
        /// Will wipe all other keys
        #[structopt(short = "e", long = "exclusive")]
        exclusive: bool,
-        /// Will add an token to your LUKS 2 header, including the credential id
-        #[structopt(short = "t", long = "token")]
-        token: bool,
+        /// Will generate an credential for only this device
+        #[structopt(short = "a", long = "auto-cred")]
+        auto_credential: bool,
        #[structopt(flatten)]
        existing_secret: OtherSecret,
        #[structopt(flatten)]
@@ -193,9 +207,9 @@ pub enum Command {
        /// Add the password and keep the key
        #[structopt(short = "a", long = "add-password")]
        add_password: bool,
-        /// Will add an token to your LUKS 2 header, including the credential id
-        #[structopt(short = "t", long = "token")]
-        token: bool,
+        /// Remove the affected credential for device header
+        #[structopt(short = "r", long = "remove-cred")]
+        remove_cred: bool,
        #[structopt(flatten)]
        replacement: OtherSecret,
        #[structopt(flatten)]
@@ -217,20 +231,6 @@ pub enum Command {
        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
    },
-    /// Open the LUKS device using credentials embedded in the LUKS 2 header
-    #[structopt(name = "open-token")]
-    OpenToken {
-        #[structopt(flatten)]
-        luks: LuksParameters,
-        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
-        name: String,
-        #[structopt(flatten)]
-        authenticator: AuthenticatorParameters,
-        #[structopt(flatten)]
-        secret: SecretParameters,
-        #[structopt(short = "r", long = "max-retries", default_value = "0")]
-        retries: i32,
-    },
    /// Generate a new FIDO credential
    #[structopt(name = "credential")]
    Credential {