Compare commits
14 Commits
0.2.2
...
request_mu
| Author | SHA1 | Date | |
|---|---|---|---|
d5c0d48f03
|
|||
|
ad2451f548
|
|||
|
1658800553
|
|||
|
a394b7d1d1
|
|||
|
c4f781e6e3
|
|||
|
f6de4a033e
|
|||
|
f5880346b9
|
|||
|
6089b254b4
|
|||
|
03e34ec790
|
|||
|
a437106fcb
|
|||
|
7ed948d53b
|
|||
|
c4e08413c0
|
|||
|
7429706920 | ||
|
|
a5fd5fa9f6 |
719
Cargo.lock
generated
719
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
10
Cargo.toml
10
Cargo.toml
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "fido2luks"
|
||||
version = "0.2.2"
|
||||
version = "0.2.6"
|
||||
authors = ["shimunn <shimun@shimun.net>"]
|
||||
edition = "2018"
|
||||
|
||||
@@ -14,17 +14,13 @@ categories = ["command-line-utilities"]
|
||||
license-file = "LICENSE"
|
||||
|
||||
[dependencies]
|
||||
#ctap = "0.1.0"
|
||||
ctap_hmac = "0.2.1"
|
||||
cryptsetup-rs = "0.2.1"
|
||||
libcryptsetup-sys = "0.1.2"
|
||||
|
||||
|
||||
ctap_hmac = { version="0.4.1", features = ["request_multiple"] }
|
||||
hex = "0.3.2"
|
||||
ring = "0.13.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
structopt = "0.3.2"
|
||||
libcryptsetup-rs = { git = "https://github.com/shimunn/libcryptsetup-rs.git", branch = "crypt_load_ptr_null" }
|
||||
|
||||
[profile.release]
|
||||
lto = true
|
||||
|
||||
21
README.md
21
README.md
@@ -18,12 +18,16 @@ dnf install cargo cryptsetup-devel -y
|
||||
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
|
||||
|
||||
# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
|
||||
CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
|
||||
sudo -E cargo install -f --path . --root /usr
|
||||
|
||||
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
|
||||
# Copy template
|
||||
cp dracut/96luks-2fa/fido2luks.conf /etc/
|
||||
# Name is optional but useful if your authenticator has a display
|
||||
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
|
||||
|
||||
# Load config into env
|
||||
set -a
|
||||
. dracut/96luks-2fa/fido2luks.conf
|
||||
. /etc/fido2luks.conf
|
||||
|
||||
# Repeat for each luks volume
|
||||
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
|
||||
@@ -45,13 +49,13 @@ sudo make install
|
||||
|
||||
Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
|
||||
|
||||
Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
|
||||
Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
|
||||
|
||||
```
|
||||
grub2-mkconfig > /boot/grub2/grub.cfg
|
||||
```
|
||||
|
||||
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
|
||||
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
|
||||
|
||||
```
|
||||
mkdir /boot/fido2luks/
|
||||
@@ -61,7 +65,7 @@ cp /etc/fido2luks.conf /boot/fido2luks/
|
||||
|
||||
## Test
|
||||
|
||||
Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
|
||||
Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
|
||||
|
||||
```
|
||||
# Recommend in case you lose your authenticator, store this backupfile somewhere safe
|
||||
@@ -74,9 +78,10 @@ fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
|
||||
|
||||
### Password less
|
||||
|
||||
Remove your previous secret as described in the next section, incase you already added one.
|
||||
Remove your previous secret as described in the next section, in case you've already added one.
|
||||
|
||||
Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
|
||||
but be warned that this password will be included to into your initramfs.
|
||||
|
||||
Import the new config into env:
|
||||
|
||||
@@ -96,5 +101,5 @@ set -a
|
||||
. fido2luks.conf
|
||||
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
|
||||
|
||||
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
|
||||
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
|
||||
```
|
||||
|
||||
@@ -9,7 +9,7 @@ MOUNT=$(command -v mount)
|
||||
UMOUNT=$(command -v umount)
|
||||
|
||||
TIMEOUT=120
|
||||
CON_MSG="Please connect your authenicator"
|
||||
CON_MSG="Please connect your authenticator"
|
||||
|
||||
generate_service () {
|
||||
local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
|
||||
@@ -19,6 +19,10 @@ generate_service () {
|
||||
|
||||
local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service"
|
||||
local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service"
|
||||
local fido2luks_args="--bin"
|
||||
if [ ! -z "$timeout" ]; then
|
||||
fido2luks_args="$fido2luks_args --await-dev ${timeout}"
|
||||
fi
|
||||
{
|
||||
printf -- "[Unit]"
|
||||
printf -- "\nDescription=%s" "2fa for luks"
|
||||
@@ -27,18 +31,15 @@ generate_service () {
|
||||
printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
|
||||
printf -- "\nConflicts=umount.target"
|
||||
printf -- "\nDefaultDependencies=no"
|
||||
printf -- "\nJobTimeoutSec=%s" "$timeout"
|
||||
|
||||
[ ! -z "$timeout" ] && printf -- "\nJobTimeoutSec=%s" "$timeout"
|
||||
printf -- "\n\n[Service]"
|
||||
printf -- "\nType=oneshot"
|
||||
printf -- "\nRemainAfterExit=yes"
|
||||
printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
|
||||
printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
|
||||
[ ! -z "$credential_id" ] && printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
|
||||
printf -- "\nKeyringMode=%s" "shared"
|
||||
printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
|
||||
printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\""
|
||||
printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
|
||||
printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
|
||||
printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret $fido2luks_args | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
|
||||
printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
|
||||
} > "$sd_service"
|
||||
|
||||
|
||||
266
src/cli.rs
266
src/cli.rs
@@ -1,73 +1,57 @@
|
||||
use crate::error::*;
|
||||
use crate::luks;
|
||||
use crate::*;
|
||||
|
||||
use cryptsetup_rs as luks;
|
||||
use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
|
||||
use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
|
||||
|
||||
use libcryptsetup_sys::crypt_keyslot_info;
|
||||
use structopt::StructOpt;
|
||||
|
||||
use ctap::{FidoCredential, FidoErrorKind};
|
||||
use failure::_core::fmt::{Display, Error, Formatter};
|
||||
use failure::_core::str::FromStr;
|
||||
use failure::_core::time::Duration;
|
||||
use std::io::Write;
|
||||
use std::process::exit;
|
||||
use std::thread;
|
||||
|
||||
pub fn add_key_to_luks(
|
||||
device: PathBuf,
|
||||
secret: &[u8; 32],
|
||||
old_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
|
||||
exclusive: bool,
|
||||
) -> Fido2LuksResult<u8> {
|
||||
fn offer_format(
|
||||
_dev: CryptDeviceOpenBuilder,
|
||||
) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
|
||||
unimplemented!()
|
||||
}
|
||||
let dev =
|
||||
|| -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
|
||||
use std::time::SystemTime;
|
||||
#[derive(Debug, Eq, PartialEq, Clone)]
|
||||
pub struct HexEncoded(pub Vec<u8>);
|
||||
|
||||
let prev_key = old_secret()?;
|
||||
|
||||
let mut handle = match dev()?.luks1() {
|
||||
Ok(handle) => handle,
|
||||
Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?,
|
||||
Err(luks::device::Error::CryptsetupError(errno)) => {
|
||||
//if i32::from(errno) == 555
|
||||
dbg!(errno);
|
||||
offer_format(dev()?)?
|
||||
} //TODO: find correct errorno and offer to format as luks
|
||||
err => err?,
|
||||
};
|
||||
handle.set_iteration_time(50);
|
||||
let slot = handle.add_keyslot(secret, Some(prev_key.as_slice()), None)?;
|
||||
if exclusive {
|
||||
for old_slot in 0..8u8 {
|
||||
if old_slot != slot
|
||||
&& (handle.keyslot_status(old_slot.into()) == crypt_keyslot_info::CRYPT_SLOT_ACTIVE
|
||||
|| handle.keyslot_status(old_slot.into())
|
||||
== crypt_keyslot_info::CRYPT_SLOT_ACTIVE_LAST)
|
||||
{
|
||||
handle.destroy_keyslot(old_slot)?;
|
||||
impl Display for HexEncoded {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
|
||||
f.write_str(&hex::encode(&self.0))
|
||||
}
|
||||
}
|
||||
}
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
pub fn add_password_to_luks(
|
||||
device: PathBuf,
|
||||
secret: &[u8; 32],
|
||||
new_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
|
||||
add_password: bool,
|
||||
) -> Fido2LuksResult<u8> {
|
||||
let dev = luks::open(&device.canonicalize()?)?;
|
||||
let mut handle = dev.luks1()?;
|
||||
let prev_slot = if add_password {
|
||||
Some(handle.add_keyslot(&secret[..], Some(&secret[..]), None)?)
|
||||
} else {
|
||||
None
|
||||
};
|
||||
let slot = handle.update_keyslot(&new_secret()?[..], &secret[..], prev_slot)?;
|
||||
Ok(slot)
|
||||
impl FromStr for HexEncoded {
|
||||
type Err = hex::FromHexError;
|
||||
|
||||
fn from_str(s: &str) -> Result<Self, Self::Err> {
|
||||
Ok(HexEncoded(hex::decode(s)?))
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Eq, PartialEq, Clone)]
|
||||
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
|
||||
|
||||
impl<T: Display + FromStr> Display for CommaSeparated<T> {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
|
||||
for i in &self.0 {
|
||||
f.write_str(&i.to_string())?;
|
||||
f.write_str(",")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
|
||||
type Err = <T as FromStr>::Err;
|
||||
fn from_str(s: &str) -> Result<Self, Self::Err> {
|
||||
Ok(CommaSeparated(
|
||||
s.split(',')
|
||||
.map(|part| <T as FromStr>::from_str(part))
|
||||
.collect::<Result<Vec<_>, _>>()?,
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, StructOpt)]
|
||||
@@ -81,13 +65,13 @@ pub struct Args {
|
||||
|
||||
#[derive(Debug, StructOpt, Clone)]
|
||||
pub struct SecretGeneration {
|
||||
/// FIDO credential id, generate using fido2luks credential
|
||||
/// FIDO credential ids, seperated by ',' generate using fido2luks credential
|
||||
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
|
||||
pub credential_id: String,
|
||||
pub credential_ids: CommaSeparated<HexEncoded>,
|
||||
/// Salt for secret generation, defaults to 'ask'
|
||||
///
|
||||
/// Options:{n}
|
||||
/// - ask : Promt user using password helper{n}
|
||||
/// - ask : Prompt user using password helper{n}
|
||||
/// - file:<PATH> : Will read <FILE>{n}
|
||||
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
|
||||
#[structopt(
|
||||
@@ -104,6 +88,15 @@ pub struct SecretGeneration {
|
||||
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
|
||||
)]
|
||||
pub password_helper: PasswordHelper,
|
||||
|
||||
/// Await for an authenticator to be connected, timeout after n seconds
|
||||
#[structopt(
|
||||
long = "await-dev",
|
||||
name = "await-dev",
|
||||
env = "FIDO2LUKS_DEVICE_AWAIT",
|
||||
default_value = "15"
|
||||
)]
|
||||
pub await_authenticator: u64,
|
||||
}
|
||||
|
||||
impl SecretGeneration {
|
||||
@@ -117,13 +110,73 @@ impl SecretGeneration {
|
||||
|
||||
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
|
||||
let salt = self.salt.obtain(&self.password_helper)?;
|
||||
let timeout = Duration::from_secs(self.await_authenticator);
|
||||
let start = SystemTime::now();
|
||||
|
||||
while let Ok(el) = start.elapsed() {
|
||||
if el > timeout {
|
||||
Err(error::Fido2LuksError::NoAuthenticatorError)?;
|
||||
}
|
||||
if get_devices()
|
||||
.map(|devices| !devices.is_empty())
|
||||
.unwrap_or(false)
|
||||
{
|
||||
break;
|
||||
}
|
||||
thread::sleep(Duration::from_millis(500));
|
||||
}
|
||||
let credentials = &self
|
||||
.credential_ids
|
||||
.0
|
||||
.iter()
|
||||
.map(|HexEncoded(id)| FidoCredential {
|
||||
id: id.to_vec(),
|
||||
public_key: None,
|
||||
})
|
||||
.collect::<Vec<_>>();
|
||||
let credentials = credentials.iter().collect::<Vec<_>>();
|
||||
Ok(assemble_secret(
|
||||
&perform_challenge(&self.credential_id, &salt)?,
|
||||
&perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?,
|
||||
&salt,
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, StructOpt, Clone)]
|
||||
pub struct LuksSettings {
|
||||
/// Number of milliseconds required to derive the volume decryption key
|
||||
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
|
||||
#[structopt(long = "kdf-time", name = "kdf-time")]
|
||||
kdf_time: Option<u64>,
|
||||
}
|
||||
|
||||
#[derive(Debug, StructOpt, Clone)]
|
||||
pub struct OtherSecret {
|
||||
/// Use a keyfile instead of a password
|
||||
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
|
||||
keyfile: Option<PathBuf>,
|
||||
/// Use another fido device instead of a password
|
||||
/// Note: this requires for the credential fot the other device to be passed as argument as well
|
||||
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
|
||||
fido_device: bool,
|
||||
}
|
||||
|
||||
impl OtherSecret {
|
||||
pub fn obtain(
|
||||
&self,
|
||||
secret_gen: &SecretGeneration,
|
||||
verify_password: bool,
|
||||
password_question: &str,
|
||||
) -> Fido2LuksResult<Vec<u8>> {
|
||||
match &self.keyfile {
|
||||
Some(keyfile) => util::read_keyfile(keyfile.clone()),
|
||||
None if self.fido_device => Ok(Vec::from(&secret_gen.obtain_secret()?[..])),
|
||||
None => util::read_password(password_question, verify_password)
|
||||
.map(|p| p.as_bytes().to_vec()),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, StructOpt)]
|
||||
pub enum Command {
|
||||
#[structopt(name = "print-secret")]
|
||||
@@ -142,13 +195,13 @@ pub enum Command {
|
||||
/// Will wipe all other keys
|
||||
#[structopt(short = "e", long = "exclusive")]
|
||||
exclusive: bool,
|
||||
/// Use a keyfile instead of a password
|
||||
#[structopt(short = "d", long = "keyfile")]
|
||||
keyfile: Option<PathBuf>,
|
||||
#[structopt(flatten)]
|
||||
existing_secret: OtherSecret,
|
||||
#[structopt(flatten)]
|
||||
secret_gen: SecretGeneration,
|
||||
#[structopt(flatten)]
|
||||
luks_settings: LuksSettings,
|
||||
},
|
||||
|
||||
/// Replace a previously added key with a password
|
||||
#[structopt(name = "replace-key")]
|
||||
ReplaceKey {
|
||||
@@ -157,11 +210,12 @@ pub enum Command {
|
||||
/// Add the password and keep the key
|
||||
#[structopt(short = "a", long = "add-password")]
|
||||
add_password: bool,
|
||||
/// Use a keyfile instead of a password
|
||||
#[structopt(short = "d", long = "keyfile")]
|
||||
keyfile: Option<PathBuf>,
|
||||
#[structopt(flatten)]
|
||||
replacement: OtherSecret,
|
||||
#[structopt(flatten)]
|
||||
secret_gen: SecretGeneration,
|
||||
#[structopt(flatten)]
|
||||
luks_settings: LuksSettings,
|
||||
},
|
||||
/// Open the LUKS device
|
||||
#[structopt(name = "open")]
|
||||
@@ -215,48 +269,51 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Command::AddKey {
|
||||
device,
|
||||
exclusive,
|
||||
keyfile,
|
||||
existing_secret,
|
||||
ref secret_gen,
|
||||
luks_settings,
|
||||
} => {
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
let slot = add_key_to_luks(
|
||||
let secret_gen = secret_gen.patch(&args);
|
||||
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
|
||||
let secret = secret_gen.obtain_secret()?;
|
||||
let added_slot = luks::add_key(
|
||||
device.clone(),
|
||||
&secret,
|
||||
if let Some(keyfile) = keyfile.clone() {
|
||||
Box::new(move || util::read_keyfile(keyfile.clone()))
|
||||
} else {
|
||||
Box::new(|| {
|
||||
util::read_password("Old password", true).map(|p| p.as_bytes().to_vec())
|
||||
})
|
||||
},
|
||||
*exclusive,
|
||||
&old_secret[..],
|
||||
luks_settings.kdf_time.or(Some(10)),
|
||||
)?;
|
||||
if *exclusive {
|
||||
let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
|
||||
println!(
|
||||
"Added to key to device {}, slot: {}\nRemoved {} old keys",
|
||||
device.display(),
|
||||
added_slot,
|
||||
destroyed
|
||||
);
|
||||
} else {
|
||||
println!(
|
||||
"Added to key to device {}, slot: {}",
|
||||
device.display(),
|
||||
slot
|
||||
added_slot
|
||||
);
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
Command::ReplaceKey {
|
||||
device,
|
||||
add_password,
|
||||
keyfile,
|
||||
replacement,
|
||||
ref secret_gen,
|
||||
luks_settings,
|
||||
} => {
|
||||
let secret_gen = secret_gen.patch(&args);
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
let slot = add_password_to_luks(
|
||||
device.clone(),
|
||||
&secret,
|
||||
if let Some(keyfile) = keyfile.clone() {
|
||||
Box::new(move || util::read_keyfile(keyfile.clone()))
|
||||
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
|
||||
let slot = if *add_password {
|
||||
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
|
||||
} else {
|
||||
Box::new(|| {
|
||||
util::read_password("Password to add", true).map(|p| p.as_bytes().to_vec())
|
||||
})
|
||||
},
|
||||
*add_password,
|
||||
)?;
|
||||
luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
|
||||
}?;
|
||||
println!(
|
||||
"Added to password to device {}, slot: {}",
|
||||
device.display(),
|
||||
@@ -272,16 +329,25 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
} => {
|
||||
let mut retries = *retries;
|
||||
loop {
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
match open_container(&device, &name, &secret) {
|
||||
Err(e) => match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => {
|
||||
match secret_gen
|
||||
.patch(&args)
|
||||
.obtain_secret()
|
||||
.and_then(|secret| luks::open_container(&device, &name, &secret))
|
||||
{
|
||||
Err(e) => {
|
||||
match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => (),
|
||||
Fido2LuksError::AuthenticatorError { ref cause }
|
||||
if cause.kind() == FidoErrorKind::Timeout && retries > 0 =>
|
||||
{
|
||||
()
|
||||
}
|
||||
|
||||
e => break Err(e)?,
|
||||
}
|
||||
retries -= 1;
|
||||
eprintln!("{}", e);
|
||||
continue;
|
||||
}
|
||||
e => Err(e)?,
|
||||
},
|
||||
res => break res,
|
||||
}
|
||||
}
|
||||
|
||||
113
src/device.rs
113
src/device.rs
@@ -1,91 +1,46 @@
|
||||
use crate::error::*;
|
||||
use crate::util::sha256;
|
||||
|
||||
use ctap::{
|
||||
self,
|
||||
extensions::hmac::{FidoHmacCredential, HmacExtension},
|
||||
AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
|
||||
PublicKeyCredentialUserEntity,
|
||||
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
|
||||
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
|
||||
};
|
||||
use std::time::Duration;
|
||||
|
||||
const RP_ID: &'static str = "fido2luks";
|
||||
|
||||
fn authenticator_options() -> Option<AuthenticatorOptions> {
|
||||
Some(AuthenticatorOptions {
|
||||
uv: false, //TODO: should get this from config
|
||||
rk: true,
|
||||
})
|
||||
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
|
||||
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
|
||||
if let Some(user_name) = name {
|
||||
request = request.user_name(user_name);
|
||||
}
|
||||
let request = request.build().unwrap();
|
||||
let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request);
|
||||
Ok(request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &make_credential)),
|
||||
None,
|
||||
)?)
|
||||
}
|
||||
|
||||
fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
|
||||
PublicKeyCredentialRpEntity {
|
||||
id: RP_ID,
|
||||
name: None,
|
||||
icon: None,
|
||||
}
|
||||
}
|
||||
|
||||
fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
|
||||
PublicKeyCredentialUserEntity {
|
||||
id: &[0u8],
|
||||
name: name.unwrap_or(""),
|
||||
icon: None,
|
||||
display_name: name,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
|
||||
let mut errs = Vec::new();
|
||||
match get_devices()? {
|
||||
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
|
||||
devs => {
|
||||
for mut dev in devs.into_iter() {
|
||||
match dev
|
||||
.make_hmac_credential_full(
|
||||
authenticator_rp(),
|
||||
authenticator_user(name),
|
||||
&[0u8; 32],
|
||||
&[],
|
||||
authenticator_options(),
|
||||
)
|
||||
.map(|cred| cred.into())
|
||||
{
|
||||
//TODO: make credentials device specific
|
||||
Ok(cred) => {
|
||||
return Ok(cred);
|
||||
}
|
||||
Err(e) => {
|
||||
errs.push(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
|
||||
}
|
||||
|
||||
pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
|
||||
let cred = FidoHmacCredential {
|
||||
id: hex::decode(credential_id).unwrap(),
|
||||
rp_id: RP_ID.to_string(),
|
||||
};
|
||||
let mut errs = Vec::new();
|
||||
match get_devices()? {
|
||||
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
|
||||
devs => {
|
||||
for mut dev in devs.into_iter() {
|
||||
match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
|
||||
Ok(secret) => {
|
||||
return Ok(secret.0);
|
||||
}
|
||||
Err(e) => {
|
||||
errs.push(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
|
||||
pub fn perform_challenge(
|
||||
credentials: &[&FidoCredential],
|
||||
salt: &[u8; 32],
|
||||
timeout: Duration,
|
||||
) -> Fido2LuksResult<[u8; 32]> {
|
||||
let request = FidoAssertionRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.credentials(credentials)
|
||||
.build()
|
||||
.unwrap();
|
||||
let get_assertion = |device: &mut FidoDevice| device.get_hmac_assertion(&request, &salt, None);
|
||||
let (_, (secret, _)) = request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &get_assertion)),
|
||||
Some(timeout),
|
||||
)?;
|
||||
Ok(secret)
|
||||
}
|
||||
|
||||
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
|
||||
|
||||
18
src/error.rs
18
src/error.rs
@@ -11,11 +11,13 @@ pub enum Fido2LuksError {
|
||||
KeyfileError { cause: io::Error },
|
||||
#[fail(display = "authenticator error: {}", cause)]
|
||||
AuthenticatorError { cause: ctap::FidoError },
|
||||
#[fail(display = "no authenticator found, please ensure you device is plugged in")]
|
||||
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
|
||||
NoAuthenticatorError,
|
||||
#[fail(display = "luks err")]
|
||||
LuksError { cause: cryptsetup_rs::device::Error },
|
||||
#[fail(display = "no authenticator found, please ensure you device is plugged in")]
|
||||
LuksError {
|
||||
cause: libcryptsetup_rs::LibcryptErr,
|
||||
},
|
||||
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
|
||||
IoError { cause: io::Error },
|
||||
#[fail(display = "supplied secret isn't valid for this device")]
|
||||
WrongSecret,
|
||||
@@ -44,6 +46,7 @@ pub enum AskPassError {
|
||||
Mismatch,
|
||||
}
|
||||
|
||||
use libcryptsetup_rs::LibcryptErr;
|
||||
use std::string::FromUtf8Error;
|
||||
use Fido2LuksError::*;
|
||||
|
||||
@@ -53,17 +56,16 @@ impl From<FidoError> for Fido2LuksError {
|
||||
}
|
||||
}
|
||||
|
||||
impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
|
||||
fn from(e: cryptsetup_rs::device::Error) -> Self {
|
||||
impl From<LibcryptErr> for Fido2LuksError {
|
||||
fn from(e: LibcryptErr) -> Self {
|
||||
match e {
|
||||
cryptsetup_rs::device::Error::CryptsetupError(error_no) if error_no.0 == 1i32 => {
|
||||
LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
|
||||
WrongSecret
|
||||
}
|
||||
e => LuksError { cause: e },
|
||||
_ => LuksError { cause: e },
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl From<io::Error> for Fido2LuksError {
|
||||
fn from(e: io::Error) -> Self {
|
||||
IoError { cause: e }
|
||||
|
||||
73
src/luks.rs
Normal file
73
src/luks.rs
Normal file
@@ -0,0 +1,73 @@
|
||||
use crate::error::*;
|
||||
|
||||
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, KeyslotInfo};
|
||||
use std::path::Path;
|
||||
|
||||
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
|
||||
let mut device = CryptInit::init(path.as_ref())?;
|
||||
Ok(device.context_handle().load::<()>(None, None).map(|_| device)?)
|
||||
}
|
||||
|
||||
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
device
|
||||
.activate_handle()
|
||||
.activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty())
|
||||
.map(|_slot| ())
|
||||
.map_err(|_e| Fido2LuksError::WrongSecret)
|
||||
}
|
||||
|
||||
pub fn add_key<P: AsRef<Path>>(
|
||||
path: P,
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
if let Some(millis) = iteration_time {
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
let slot = device
|
||||
.keyslot_handle()
|
||||
.add_by_passphrase(None,old_secret, secret)?;
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
let mut handle = device.keyslot_handle();
|
||||
let mut destroyed = 0;
|
||||
//TODO: detect how many keyslots there are instead of trying within a given range
|
||||
for slot in 0..1024 {
|
||||
|
||||
match handle.status(slot)? {
|
||||
KeyslotInfo::Inactive => continue,
|
||||
KeyslotInfo::Active if !exclude.contains(&slot) => {
|
||||
handle.destroy(slot)?;
|
||||
destroyed += 1;
|
||||
}
|
||||
_ => (),
|
||||
}
|
||||
match handle.status(slot)? {
|
||||
KeyslotInfo::ActiveLast => break,
|
||||
_ => (),
|
||||
}
|
||||
}
|
||||
Ok(destroyed)
|
||||
}
|
||||
|
||||
pub fn replace_key<P: AsRef<Path>>(
|
||||
path: P,
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
// Set iteration time not sure wether this applies to luks2 as well
|
||||
if let Some(millis) = iteration_time {
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
Ok(device
|
||||
.keyslot_handle()
|
||||
.change_by_passphrase(None, None, old_secret, secret)? as u32)
|
||||
}
|
||||
10
src/main.rs
10
src/main.rs
@@ -5,9 +5,6 @@ use crate::cli::*;
|
||||
use crate::config::*;
|
||||
use crate::device::*;
|
||||
use crate::error::*;
|
||||
use cryptsetup_rs as luks;
|
||||
use cryptsetup_rs::Luks1CryptDevice;
|
||||
|
||||
use std::io;
|
||||
use std::path::PathBuf;
|
||||
use std::process::exit;
|
||||
@@ -16,14 +13,9 @@ mod cli;
|
||||
mod config;
|
||||
mod device;
|
||||
mod error;
|
||||
mod luks;
|
||||
mod util;
|
||||
|
||||
fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
|
||||
let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
|
||||
let _slot = handle.activate(name, &secret[..])?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
|
||||
util::sha256(&[salt, hmac_result])
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user