shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

open works
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
shimunn 2019-09-16 15:34:10 +02:00
parent 801805224b
commit f7b7617e0e
Signed by: shimun
GPG Key ID: E81D8382DC2F971B
2 changed files with 146 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/error.rs
View File

@ -1,49 +1,50 @@
use std::io;
use ctap::FidoError; use ctap::FidoError;
use std::io;
pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>; pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
#[derive(Debug, Fail)] #[derive(Debug, Fail)]
pub enum Fido2LuksError { pub enum Fido2LuksError {
#[fail(display = "unable to retrieve password: {}", cause)] #[fail(display = "unable to retrieve password: {}", cause)]
AskPassError{ cause: io::Error }, AskPassError { cause: io::Error },
#[fail(display = "unable to read keyfile: {}", cause)] #[fail(display = "unable to read keyfile: {}", cause)]
KeyfileError { cause: io::Error }, KeyfileError { cause: io::Error },
#[fail(display = "authenticator error: {}", cause)] #[fail(display = "authenticator error: {}", cause)]
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: ctap::FidoError },
#[fail(display = "no authenticator found, please ensure you device is plugged in")] #[fail(display = "no authenticator found, please ensure you device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = "no authenticator found, please ensure you device is plugged in")] #[fail(display = "luks err")]
LuksError { cause: cryptsetup_rs::device::Error }, LuksError { cause: cryptsetup_rs::device::Error },
#[fail(display = "no authenticator found, please ensure you device is plugged in")] #[fail(display = "no authenticator found, please ensure you device is plugged in")]
IoError { cause: io::Error }, IoError { cause: io::Error },
#[fail(display = "failed to parse config, please check formatting and contents")] #[fail(display = "failed to parse config, please check formatting and contents")]
ConfigurationError { cause: serde_json::error::Error }, ConfigurationError { cause: serde_json::error::Error },
#[fail(display = "the submitted secret is not applicable to this luks device")]
WrongSecret,
} }
use Fido2LuksError::*; use Fido2LuksError::*;
impl From<FidoError> for Fido2LuksError { impl From<FidoError> for Fido2LuksError {
fn from(e: FidoError) -> Self { fn from(e: FidoError) -> Self {
AuthenticatorError { cause: e} AuthenticatorError { cause: e }
} }
} }
impl From<cryptsetup_rs::device::Error> for Fido2LuksError { impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
fn from(e : cryptsetup_rs::device::Error) -> Self { fn from(e: cryptsetup_rs::device::Error) -> Self {
LuksError { cause: e } LuksError { cause: e }
} }
} }
impl From<io::Error> for Fido2LuksError { impl From<io::Error> for Fido2LuksError {
fn from(e : io::Error) -> Self { fn from(e: io::Error) -> Self {
IoError { cause: e } IoError { cause: e }
} }
} }
impl From<serde_json::error::Error> for Fido2LuksError { impl From<serde_json::error::Error> for Fido2LuksError {
fn from(e : serde_json::error::Error) -> Self { fn from(e: serde_json::error::Error) -> Self {
ConfigurationError { cause: e } ConfigurationError { cause: e }
} }
} }

182
src/main.rs
View File

@ -1,18 +1,25 @@
#[macro_use] extern crate failure; #[macro_use]
#[macro_use] extern crate serde_derive; extern crate failure;
#[macro_use]
extern crate serde_derive;
use crate::error::*; use crate::error::*;
use crypto::digest::Digest; use crypto::digest::Digest;
use crypto::sha2::Sha256; use crypto::sha2::Sha256;
use cryptsetup_rs as luks;
use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
use cryptsetup_rs::Luks1CryptDevice;
use ctap;
use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
use ctap::FidoDevice;
use luks::device::Error::CryptsetupError;
use serde_derive::{Deserialize, Serialize};
use std::collections::HashMap;
use std::env;
use std::fs::File; use std::fs::File;
use std::io::{Read, Write}; use std::io::{Read, Write};
use std::path::{PathBuf, Path}; use std::path::{Path, PathBuf};
use ctap::extensions::hmac::{HmacExtension, FidoHmacCredential};
use ctap;
use ctap::FidoDevice;
use cryptsetup_rs as luks;
use cryptsetup_rs::Luks1CryptDevice;
use serde_derive::{Serialize, Deserialize};
use std::process::Command; use std::process::Command;
mod error; mod error;
#[derive(Debug, Deserialize, Serialize)] #[derive(Debug, Deserialize, Serialize)]
@ -21,18 +28,39 @@ pub struct Config {
pub input_salt: InputSalt, pub input_salt: InputSalt,
pub device: PathBuf, pub device: PathBuf,
pub mapper_name: String, pub mapper_name: String,
pub password_helper: PathBuf, pub password_helper: String,
}
impl Config {
pub fn load_default_location() -> Fido2LuksResult<Config> {
Self::load_config(
&mut File::open(
env::vars()
.collect::<HashMap<_, _>>()
.get("FIDO2LUKS_CONFIG")
.unwrap_or(&"/etc/fido2luks.json".to_owned()),
)
.or(File::open("fido2luks.json"))?,
)
}
pub fn load_config(reader: &mut dyn Read) -> Fido2LuksResult<Config> {
let mut conf_str = String::new();
reader.read_to_string(&mut conf_str)?;
Ok(serde_json::from_str(&conf_str)?)
}
} }
impl Default for Config { impl Default for Config {
fn default() -> Self { fn default() -> Self {
Config { Config {
credential_id: "generate using solo key make-credential".into(), credential_id: "generate using solo key make-credential".into(),
input_salt: Default::default(), input_salt: Default::default(),
device: "/dev/some-vg/my-volume".into(), device: "/dev/some-vg/my-volume".into(),
mapper_name: "2fa-secured-luks".into(), mapper_name: "2fa-secured-luks".into(),
password_helper: "/lib/cryptsetup/askpass".into() password_helper: "/usr/bin/systemd-ask-password --no-tty --no-output --id='fido2luks' --keyname='fido2luks' 'Please enter second factor for LUKS disk encryption!'".into(),
} }
} }
} }
@ -45,12 +73,12 @@ pub enum InputSalt {
impl Default for InputSalt { impl Default for InputSalt {
fn default() -> Self { fn default() -> Self {
InputSalt::AskPassword InputSalt::AskPassword
} }
} }
impl InputSalt { impl InputSalt {
fn obtain(&self, password_helper: &PathBuf) -> Fido2LuksResult<[u8; 32]> { fn obtain(&self, password_helper: &str) -> Fido2LuksResult<[u8; 32]> {
let mut digest = Sha256::new(); let mut digest = Sha256::new();
match self { match self {
InputSalt::File { path } => { InputSalt::File { path } => {
@ -69,10 +97,16 @@ impl InputSalt {
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?; do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
} }
InputSalt::AskPassword => { InputSalt::AskPassword => {
let password =Command::new(password_helper).arg("FIDO2 Password salt:").output().map_err(|e| Fido2LuksError::AskPassError{ cause: e })?.stdout; let mut helper_parts = password_helper.split(" ");
let password = Command::new((&mut helper_parts).next().unwrap())
.args(helper_parts)
.output()
.map_err(|e| Fido2LuksError::AskPassError { cause: e })?
.stdout;
digest.input(&password); digest.input(&password);
} }
InputSalt::Both { path} => { InputSalt::Both { path } => {
digest.input(&InputSalt::AskPassword.obtain(password_helper)?); digest.input(&InputSalt::AskPassword.obtain(password_helper)?);
digest.input(&InputSalt::File { path: path.clone() }.obtain(password_helper)?) digest.input(&InputSalt::File { path: path.clone() }.obtain(password_helper)?)
} }
@ -84,15 +118,15 @@ impl InputSalt {
} }
fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> { fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
let mut handle = luks::open(device)?.luks1()?; let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
let _slot = handle.activate(name, &secret[..])?; let _slot = handle.activate(name, &secret[..])?;
Ok(()) Ok(())
} }
fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> { fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
let cred = FidoHmacCredential{ let cred = FidoHmacCredential {
id: hex::decode(credential_id).unwrap(), id: hex::decode(credential_id).unwrap(),
rp_id: "hmac".to_string() rp_id: "hmac".to_string(),
}; };
let mut errs = Vec::new(); let mut errs = Vec::new();
for di in ctap::get_devices()? { for di in ctap::get_devices()? {
@ -109,25 +143,33 @@ fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)? Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
} }
fn load_config(reader: &mut dyn Read) -> Fido2LuksResult<Config> { fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
let mut conf_str = String::new(); let mut digest = Sha256::new();
reader.read_to_string(&mut conf_str)?; digest.input(salt);
digest.input(hmac_result);
Ok(serde_json::from_str((&conf_str))?) let mut secret = [0u8; 32];
digest.result(&mut secret);
secret
} }
fn setup() { fn setup() -> Fido2LuksResult<()> {
let mut config = Config::default(); let mut config = Config::default();
let save_config = |c: &Config| { let save_config = |c: &Config| {
File::create("fido2luks.json").expect("Failed to save config").write_all(serde_json::to_string_pretty(c).unwrap().as_bytes()).expect("Failed to save config"); File::create("fido2luks.json")
.expect("Failed to save config")
.write_all(serde_json::to_string_pretty(c).unwrap().as_bytes())
.expect("Failed to save config");
}; };
fn ask_str(q: &str) -> String { fn ask_str(q: &str) -> String {
let stdin = std::io::stdin(); let stdin = std::io::stdin();
let mut s = String::new(); let mut s = String::new();
print!("{}", q); print!("{}", q);
std::io::stdout().flush().ok().expect("Could not flush stdout"); std::io::stdout()
.flush()
.ok()
.expect("Could not flush stdout");
stdin.read_line(&mut s).expect("Failed to read rom stdin"); stdin.read_line(&mut s).expect("Failed to read rom stdin");
s.trim().to_owned() s.trim().to_owned()
} }
@ -145,7 +187,7 @@ fn setup() {
ccred = Some(cred); ccred = Some(cred);
break; break;
} }
Err(e) => println!("Failed to to obtain credential trying next device(if applicable)"), Err(_e) => println!("Failed to to obtain credential trying next device(if applicable)"),
} }
} }
config.credential_id = hex::encode(ccred.expect("No credential could be obtained").id); config.credential_id = hex::encode(ccred.expect("No credential could be obtained").id);
@ -153,8 +195,10 @@ fn setup() {
loop { loop {
let device = ask_str("Path to your luks device: "); let device = ask_str("Path to your luks device: ");
if Path::new(&device).exists() || ask_bool(&format!("{} does not exist, save anyway?", device)) { if Path::new(&device).exists()
config.device = device.into(); || ask_bool(&format!("{} does not exist, save anyway?", device))
{
config.device = device.into();
break; break;
} }
} }
@ -166,22 +210,70 @@ fn setup() {
save_config(&config); save_config(&config);
println!("Config saved to: fido2luks.json"); println!("Config saved to: fido2luks.json");
Ok(())
} }
fn main() -> Fido2LuksResult<()> { fn add_key_to_luks(conf: &Config) -> Fido2LuksResult<u8> {
let conf = load_config(&mut File::open("/etc/fido2luks.json").or(File::open("fido2luks.json"))?)?; fn offer_format(
_dev: CryptDeviceOpenBuilder,
) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
unimplemented!()
}
let dev = || -> luks::device::Result<CryptDeviceOpenBuilder> {
luks::open(&conf.device.canonicalize()?)
};
let mut handle = match dev()?.luks1() {
Ok(handle) => handle,
Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?,
Err(luks::device::Error::CryptsetupError(errno)) => {
//if i32::from(errno) == 555
dbg!(errno);
offer_format(dev()?)?
} //TODO: find correct errorno and offer to format as luks
err => err?,
};
let secret = {
let salt = conf.input_salt.obtain(&conf.password_helper)?;
assemble_secret(&perform_challenge(&conf.credential_id, &salt)?, &salt)
};
dbg!("Adding key");
let slot = handle.add_keyslot(&secret, None, None)?;
Ok(slot)
}
fn open() -> Fido2LuksResult<()> {
let conf = Config::load_default_location()?;
let salt = conf.input_salt.obtain(&conf.password_helper)?; let salt = conf.input_salt.obtain(&conf.password_helper)?;
dbg!(hex::encode(&salt)); dbg!(hex::encode(&salt));
let secret = { let secret = {
let mut digest = Sha256::new(); let salt = conf.input_salt.obtain(&conf.password_helper)?;
digest.input(&salt);
digest.input(&perform_challenge(&conf.credential_id, &salt)?); assemble_secret(&perform_challenge(&conf.credential_id, &salt)?, &salt)
let mut secret = [0u8; 32];
digest.result(&mut secret);
secret
}; };
dbg!(hex::encode(&secret)); dbg!(hex::encode(&secret));
open_container(&conf.device, &conf.mapper_name,&secret)?; match open_container(&conf.device, &conf.mapper_name, &secret) {
Err(Fido2LuksError::LuksError {
cause: CryptsetupError(errno),
}) if errno.0 == 1 => Err(Fido2LuksError::WrongSecret)?,
e => e?,
};
Ok(()) Ok(())
} }
fn main() -> Fido2LuksResult<()> {
let args: Vec<_> = env::args().skip(1).collect(); //Ignore program name -> Vec
if args.is_empty() {
open()
} else {
match args.first().map(|s| s.as_ref()).unwrap() {
"addkey" => add_key_to_luks(&Config::load_default_location()?).map(|_| ()),
"setup" => setup(),
_ => {
eprintln!("Usage: setup | addkey");
Ok(())
}
}
}
}