Compare commits
22 Commits
0.2.4
...
luks2_toke
| Author | SHA1 | Date | |
|---|---|---|---|
c1a82b9ae6
|
|||
|
f774580c9c
|
|||
|
0b19760175
|
|||
|
2ec8679c47
|
|||
|
65e1dead8b
|
|||
|
478fb5e036
|
|||
|
1547f5e199
|
|||
|
5c0364587e
|
|||
|
9307503bdc
|
|||
|
b94f45d1ff
|
|||
|
c8fb636846
|
|||
|
49e2835f60
|
|||
|
d5c0d48f03
|
|||
|
ad2451f548
|
|||
|
bb7ee7c1ce
|
|||
|
0ba77963d2
|
|||
|
1658800553
|
|||
|
a394b7d1d1
|
|||
|
c4f781e6e3
|
|||
|
f6de4a033e
|
|||
|
f5880346b9
|
|||
|
6089b254b4
|
843
Cargo.lock
generated
843
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
11
Cargo.toml
11
Cargo.toml
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "fido2luks"
|
||||
version = "0.2.4"
|
||||
version = "0.2.8"
|
||||
authors = ["shimunn <shimun@shimun.net>"]
|
||||
edition = "2018"
|
||||
|
||||
@@ -14,15 +14,16 @@ categories = ["command-line-utilities"]
|
||||
license-file = "LICENSE"
|
||||
|
||||
[dependencies]
|
||||
ctap_hmac = "0.2.1"
|
||||
|
||||
|
||||
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
|
||||
hex = "0.3.2"
|
||||
ring = "0.13.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
structopt = "0.3.2"
|
||||
libcryptsetup-rs = "0.2.0"
|
||||
libcryptsetup-rs = "0.4.0"
|
||||
serde_json = "1.0.51"
|
||||
serde_derive = "1.0.106"
|
||||
serde = "1.0.106"
|
||||
|
||||
[profile.release]
|
||||
lto = true
|
||||
|
||||
@@ -9,7 +9,7 @@ Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
|
||||
### Prerequisites
|
||||
|
||||
```
|
||||
dnf install cargo cryptsetup-devel -y
|
||||
dnf install clang cargo cryptsetup-devel -y
|
||||
```
|
||||
|
||||
### Device
|
||||
|
||||
267
src/cli.rs
267
src/cli.rs
@@ -4,19 +4,21 @@ use crate::*;
|
||||
|
||||
use structopt::StructOpt;
|
||||
|
||||
use failure::_core::fmt::{Error, Formatter};
|
||||
use ctap::{FidoCredential, FidoErrorKind};
|
||||
use failure::_core::fmt::{Display, Error, Formatter};
|
||||
use failure::_core::str::FromStr;
|
||||
use failure::_core::time::Duration;
|
||||
use std::io::Write;
|
||||
|
||||
use std::process::exit;
|
||||
use std::thread;
|
||||
|
||||
use crate::util::read_password;
|
||||
use std::time::SystemTime;
|
||||
#[derive(Debug, Eq, PartialEq, Clone)]
|
||||
pub struct HexEncoded(Vec<u8>);
|
||||
|
||||
impl std::fmt::Display for HexEncoded {
|
||||
#[derive(Debug, Eq, PartialEq, Clone)]
|
||||
pub struct HexEncoded(pub Vec<u8>);
|
||||
|
||||
impl Display for HexEncoded {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
|
||||
f.write_str(&hex::encode(&self.0))
|
||||
}
|
||||
@@ -30,6 +32,30 @@ impl FromStr for HexEncoded {
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Eq, PartialEq, Clone)]
|
||||
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
|
||||
|
||||
impl<T: Display + FromStr> Display for CommaSeparated<T> {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
|
||||
for i in &self.0 {
|
||||
f.write_str(&i.to_string())?;
|
||||
f.write_str(",")?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
|
||||
type Err = <T as FromStr>::Err;
|
||||
fn from_str(s: &str) -> Result<Self, Self::Err> {
|
||||
Ok(CommaSeparated(
|
||||
s.split(',')
|
||||
.map(|part| <T as FromStr>::from_str(part))
|
||||
.collect::<Result<Vec<_>, _>>()?,
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, StructOpt)]
|
||||
pub struct Args {
|
||||
/// Request passwords via Stdin instead of using the password helper
|
||||
@@ -41,9 +67,9 @@ pub struct Args {
|
||||
|
||||
#[derive(Debug, StructOpt, Clone)]
|
||||
pub struct SecretGeneration {
|
||||
/// FIDO credential id, generate using fido2luks credential
|
||||
/// FIDO credential ids, seperated by ',' generate using fido2luks credential
|
||||
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
|
||||
pub credential_id: HexEncoded,
|
||||
pub credential_ids: CommaSeparated<HexEncoded>,
|
||||
/// Salt for secret generation, defaults to 'ask'
|
||||
///
|
||||
/// Options:{n}
|
||||
@@ -73,25 +99,54 @@ pub struct SecretGeneration {
|
||||
default_value = "15"
|
||||
)]
|
||||
pub await_authenticator: u64,
|
||||
|
||||
/// Request the password twice to ensure it being correct
|
||||
#[structopt(
|
||||
long = "verify-password",
|
||||
env = "FIDO2LUKS_VERIFY_PASSWORD",
|
||||
hidden = true
|
||||
)]
|
||||
pub verify_password: Option<bool>,
|
||||
}
|
||||
|
||||
impl SecretGeneration {
|
||||
pub fn patch(&self, args: &Args) -> Self {
|
||||
pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
|
||||
let mut me = self.clone();
|
||||
if args.interactive {
|
||||
me.password_helper = PasswordHelper::Stdin;
|
||||
}
|
||||
me.verify_password = me.verify_password.or(verify_password);
|
||||
me
|
||||
}
|
||||
|
||||
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
|
||||
let salt = self.salt.obtain(&self.password_helper)?;
|
||||
pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
|
||||
self.obtain_secret_and_credential(password_query)
|
||||
.map(|(secret, _)| secret)
|
||||
}
|
||||
|
||||
pub fn obtain_secret_and_credential(
|
||||
&self,
|
||||
password_query: &str,
|
||||
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
let mut salt = [0u8; 32];
|
||||
match self.password_helper {
|
||||
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
|
||||
salt.copy_from_slice(&util::sha256(&[&read_password(
|
||||
password_query,
|
||||
self.verify_password.unwrap_or(true),
|
||||
)?
|
||||
.as_bytes()[..]]));
|
||||
}
|
||||
_ => {
|
||||
salt = self.salt.obtain(&self.password_helper)?;
|
||||
}
|
||||
}
|
||||
let timeout = Duration::from_secs(self.await_authenticator);
|
||||
let start = SystemTime::now();
|
||||
|
||||
while let Ok(el) = start.elapsed() {
|
||||
if el > timeout {
|
||||
Err(error::Fido2LuksError::NoAuthenticatorError)?;
|
||||
return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
}
|
||||
if get_devices()
|
||||
.map(|devices| !devices.is_empty())
|
||||
@@ -101,10 +156,56 @@ impl SecretGeneration {
|
||||
}
|
||||
thread::sleep(Duration::from_millis(500));
|
||||
}
|
||||
Ok(assemble_secret(
|
||||
&perform_challenge(&self.credential_id.0, &salt)?,
|
||||
&salt,
|
||||
))
|
||||
let credentials = &self
|
||||
.credential_ids
|
||||
.0
|
||||
.iter()
|
||||
.map(|HexEncoded(id)| FidoCredential {
|
||||
id: id.to_vec(),
|
||||
public_key: None,
|
||||
})
|
||||
.collect::<Vec<_>>();
|
||||
let credentials = credentials.iter().collect::<Vec<_>>();
|
||||
let (secret, credential) =
|
||||
perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?;
|
||||
Ok((assemble_secret(&secret, &salt), credential.clone()))
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, StructOpt, Clone)]
|
||||
pub struct LuksSettings {
|
||||
/// Number of milliseconds required to derive the volume decryption key
|
||||
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
|
||||
#[structopt(long = "kdf-time", name = "kdf-time")]
|
||||
kdf_time: Option<u64>,
|
||||
}
|
||||
|
||||
#[derive(Debug, StructOpt, Clone)]
|
||||
pub struct OtherSecret {
|
||||
/// Use a keyfile instead of a password
|
||||
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
|
||||
keyfile: Option<PathBuf>,
|
||||
/// Use another fido device instead of a password
|
||||
/// Note: this requires for the credential fot the other device to be passed as argument as well
|
||||
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
|
||||
fido_device: bool,
|
||||
}
|
||||
|
||||
impl OtherSecret {
|
||||
pub fn obtain(
|
||||
&self,
|
||||
secret_gen: &SecretGeneration,
|
||||
verify_password: bool,
|
||||
password_question: &str,
|
||||
) -> Fido2LuksResult<Vec<u8>> {
|
||||
match &self.keyfile {
|
||||
Some(keyfile) => util::read_keyfile(keyfile.clone()),
|
||||
None if self.fido_device => {
|
||||
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
|
||||
}
|
||||
None => util::read_password(password_question, verify_password)
|
||||
.map(|p| p.as_bytes().to_vec()),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -126,11 +227,15 @@ pub enum Command {
|
||||
/// Will wipe all other keys
|
||||
#[structopt(short = "e", long = "exclusive")]
|
||||
exclusive: bool,
|
||||
/// Use a keyfile instead of typing a previous password
|
||||
#[structopt(short = "d", long = "keyfile")]
|
||||
keyfile: Option<PathBuf>,
|
||||
/// Will add an token to your LUKS 2 header, including the credential id
|
||||
#[structopt(short = "t", long = "token")]
|
||||
token: bool,
|
||||
#[structopt(flatten)]
|
||||
existing_secret: OtherSecret,
|
||||
#[structopt(flatten)]
|
||||
secret_gen: SecretGeneration,
|
||||
#[structopt(flatten)]
|
||||
luks_settings: LuksSettings,
|
||||
},
|
||||
/// Replace a previously added key with a password
|
||||
#[structopt(name = "replace-key")]
|
||||
@@ -140,11 +245,15 @@ pub enum Command {
|
||||
/// Add the password and keep the key
|
||||
#[structopt(short = "a", long = "add-password")]
|
||||
add_password: bool,
|
||||
/// Use a keyfile instead of typing a previous password
|
||||
#[structopt(short = "d", long = "keyfile")]
|
||||
keyfile: Option<PathBuf>,
|
||||
// /// Will add an token to your LUKS 2 header, including the credential id
|
||||
// #[structopt(short = "t", long = "token")]
|
||||
// token: bool,
|
||||
#[structopt(flatten)]
|
||||
replacement: OtherSecret,
|
||||
#[structopt(flatten)]
|
||||
secret_gen: SecretGeneration,
|
||||
#[structopt(flatten)]
|
||||
luks_settings: LuksSettings,
|
||||
},
|
||||
/// Open the LUKS device
|
||||
#[structopt(name = "open")]
|
||||
@@ -158,6 +267,15 @@ pub enum Command {
|
||||
#[structopt(flatten)]
|
||||
secret_gen: SecretGeneration,
|
||||
},
|
||||
/// Open the LUKS device using information embedded into the LUKS 2 header
|
||||
#[structopt(name = "open-token")]
|
||||
OpenToken {
|
||||
#[structopt(env = "FIDO2LUKS_DEVICE")]
|
||||
device: PathBuf,
|
||||
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
|
||||
name: String,
|
||||
salt: String,
|
||||
},
|
||||
/// Generate a new FIDO credential
|
||||
#[structopt(name = "credential")]
|
||||
Credential {
|
||||
@@ -187,27 +305,34 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
binary,
|
||||
ref secret_gen,
|
||||
} => {
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
let secret = secret_gen
|
||||
.patch(&args, Some(false))
|
||||
.obtain_secret("Password")?;
|
||||
if *binary {
|
||||
stdout.write(&secret[..])?;
|
||||
stdout.write_all(&secret[..])?;
|
||||
} else {
|
||||
stdout.write(hex::encode(&secret[..]).as_bytes())?;
|
||||
stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
|
||||
}
|
||||
Ok(stdout.flush()?)
|
||||
}
|
||||
Command::AddKey {
|
||||
device,
|
||||
exclusive,
|
||||
keyfile,
|
||||
token,
|
||||
existing_secret,
|
||||
ref secret_gen,
|
||||
luks_settings,
|
||||
} => {
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
let old_secret = if let Some(keyfile) = keyfile.clone() {
|
||||
util::read_keyfile(keyfile.clone())
|
||||
} else {
|
||||
util::read_password("Old password", false).map(|p| p.as_bytes().to_vec())
|
||||
}?;
|
||||
let added_slot = luks::add_key(device.clone(), &secret, &old_secret[..], Some(10))?;
|
||||
let secret_gen = secret_gen.patch(&args, None);
|
||||
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
|
||||
let (secret, credential) = secret_gen.obtain_secret_and_credential("Password")?;
|
||||
let added_slot = luks::add_key(
|
||||
device.clone(),
|
||||
&secret,
|
||||
&old_secret[..],
|
||||
luks_settings.kdf_time.or(Some(10)),
|
||||
Some(&credential.id[..]).filter(|_| *token),
|
||||
)?;
|
||||
if *exclusive {
|
||||
let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
|
||||
println!(
|
||||
@@ -228,19 +353,30 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Command::ReplaceKey {
|
||||
device,
|
||||
add_password,
|
||||
keyfile,
|
||||
//token,
|
||||
replacement,
|
||||
ref secret_gen,
|
||||
luks_settings,
|
||||
} => {
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
let new_secret = if let Some(keyfile) = keyfile.clone() {
|
||||
util::read_keyfile(keyfile.clone())
|
||||
} else {
|
||||
util::read_password("Password to add", *add_password).map(|p| p.as_bytes().to_vec())
|
||||
}?;
|
||||
let secret_gen = secret_gen.patch(&args, Some(false));
|
||||
let secret = secret_gen.obtain_secret("Password")?;
|
||||
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
|
||||
let slot = if *add_password {
|
||||
luks::add_key(device, &new_secret[..], &secret, None)
|
||||
luks::add_key(
|
||||
device,
|
||||
&new_secret[..],
|
||||
&secret,
|
||||
luks_settings.kdf_time,
|
||||
None,
|
||||
)
|
||||
} else {
|
||||
luks::replace_key(device, &new_secret[..], &secret, Some(5))
|
||||
luks::replace_key(
|
||||
device,
|
||||
&new_secret[..],
|
||||
&secret,
|
||||
luks_settings.kdf_time,
|
||||
None,
|
||||
)
|
||||
}?;
|
||||
println!(
|
||||
"Added to password to device {}, slot: {}",
|
||||
@@ -257,20 +393,51 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
} => {
|
||||
let mut retries = *retries;
|
||||
loop {
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
match luks::open_container(&device, &name, &secret) {
|
||||
Err(e) => match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => {
|
||||
retries -= 1;
|
||||
eprintln!("{}", e);
|
||||
continue;
|
||||
match secret_gen
|
||||
.patch(&args, Some(false))
|
||||
.obtain_secret("Password")
|
||||
.and_then(|secret| luks::open_container(&device, &name, &secret))
|
||||
{
|
||||
Err(e) => {
|
||||
match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => {}
|
||||
Fido2LuksError::AuthenticatorError { ref cause }
|
||||
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
|
||||
|
||||
e => return Err(e),
|
||||
}
|
||||
e => Err(e)?,
|
||||
},
|
||||
retries -= 1;
|
||||
eprintln!("{}", e);
|
||||
}
|
||||
res => break res,
|
||||
}
|
||||
}
|
||||
}
|
||||
// TODO: utilise salt
|
||||
Command::OpenToken {
|
||||
device,
|
||||
name,
|
||||
salt: _,
|
||||
} => luks::open_container_token(
|
||||
device,
|
||||
&name[..],
|
||||
Box::new(|creds| {
|
||||
let (secret, cred) = SecretGeneration {
|
||||
credential_ids: CommaSeparated(
|
||||
creds
|
||||
.iter()
|
||||
.map(|c| HexEncoded::from_str(&c[..]).unwrap())
|
||||
.collect(),
|
||||
),
|
||||
salt: InputSalt::String("".into()),
|
||||
password_helper: Default::default(),
|
||||
await_authenticator: 100,
|
||||
verify_password: None,
|
||||
}
|
||||
.obtain_secret_and_credential("Password")?;
|
||||
Ok((secret, hex::encode(cred.id)))
|
||||
}),
|
||||
),
|
||||
Command::Connected => match get_devices() {
|
||||
Ok(ref devs) if !devs.is_empty() => {
|
||||
println!("Found {} devices", devs.len());
|
||||
|
||||
@@ -24,7 +24,7 @@ impl Default for InputSalt {
|
||||
|
||||
impl From<&str> for InputSalt {
|
||||
fn from(s: &str) -> Self {
|
||||
let mut parts = s.split(":").into_iter();
|
||||
let mut parts = s.split(':');
|
||||
match parts.next() {
|
||||
Some("ask") | Some("Ask") => InputSalt::AskPassword,
|
||||
Some("file") => InputSalt::File {
|
||||
@@ -87,6 +87,7 @@ impl InputSalt {
|
||||
#[derive(Debug, Clone)]
|
||||
pub enum PasswordHelper {
|
||||
Script(String),
|
||||
#[allow(dead_code)]
|
||||
Systemd,
|
||||
Stdin,
|
||||
}
|
||||
@@ -134,7 +135,7 @@ impl PasswordHelper {
|
||||
Systemd => unimplemented!(),
|
||||
Stdin => Ok(util::read_password("Password", true)?),
|
||||
Script(password_helper) => {
|
||||
let mut helper_parts = password_helper.split(" ");
|
||||
let mut helper_parts = password_helper.split(' ');
|
||||
|
||||
let password = Command::new((&mut helper_parts).next().unwrap())
|
||||
.args(helper_parts)
|
||||
|
||||
116
src/device.rs
116
src/device.rs
@@ -1,91 +1,49 @@
|
||||
use crate::error::*;
|
||||
use crate::util::sha256;
|
||||
|
||||
use crate::util;
|
||||
use ctap::{
|
||||
self,
|
||||
extensions::hmac::{FidoHmacCredential, HmacExtension},
|
||||
AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
|
||||
PublicKeyCredentialUserEntity,
|
||||
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
|
||||
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
|
||||
};
|
||||
use std::time::Duration;
|
||||
|
||||
const RP_ID: &'static str = "fido2luks";
|
||||
const RP_ID: &str = "fido2luks";
|
||||
|
||||
fn authenticator_options() -> Option<AuthenticatorOptions> {
|
||||
Some(AuthenticatorOptions {
|
||||
uv: false, //TODO: should get this from config
|
||||
rk: true,
|
||||
})
|
||||
}
|
||||
|
||||
fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
|
||||
PublicKeyCredentialRpEntity {
|
||||
id: RP_ID,
|
||||
name: None,
|
||||
icon: None,
|
||||
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
|
||||
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
|
||||
if let Some(user_name) = name {
|
||||
request = request.user_name(user_name);
|
||||
}
|
||||
let request = request.build().unwrap();
|
||||
let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request);
|
||||
Ok(request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &make_credential)),
|
||||
None,
|
||||
)?)
|
||||
}
|
||||
|
||||
fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
|
||||
PublicKeyCredentialUserEntity {
|
||||
id: &[0u8],
|
||||
name: name.unwrap_or(""),
|
||||
icon: None,
|
||||
display_name: name,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
|
||||
let mut errs = Vec::new();
|
||||
match get_devices()? {
|
||||
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
|
||||
devs => {
|
||||
for mut dev in devs.into_iter() {
|
||||
match dev
|
||||
.make_hmac_credential_full(
|
||||
authenticator_rp(),
|
||||
authenticator_user(name),
|
||||
&[0u8; 32],
|
||||
&[],
|
||||
authenticator_options(),
|
||||
)
|
||||
.map(|cred| cred.into())
|
||||
{
|
||||
//TODO: make credentials device specific
|
||||
Ok(cred) => {
|
||||
return Ok(cred);
|
||||
}
|
||||
Err(e) => {
|
||||
errs.push(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
|
||||
}
|
||||
|
||||
pub fn perform_challenge(credential_id: &[u8], salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
|
||||
let cred = FidoHmacCredential {
|
||||
id: credential_id.to_vec(),
|
||||
rp_id: RP_ID.to_string(),
|
||||
pub fn perform_challenge<'a>(
|
||||
credentials: &'a [&'a FidoCredential],
|
||||
salt: &[u8; 32],
|
||||
timeout: Duration,
|
||||
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
|
||||
let request = FidoAssertionRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.credentials(credentials)
|
||||
.build()
|
||||
.unwrap();
|
||||
let get_assertion = |device: &mut FidoDevice| {
|
||||
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
|
||||
};
|
||||
let mut errs = Vec::new();
|
||||
match get_devices()? {
|
||||
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
|
||||
devs => {
|
||||
for mut dev in devs.into_iter() {
|
||||
match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
|
||||
Ok(secret) => {
|
||||
return Ok(secret.0);
|
||||
}
|
||||
Err(e) => {
|
||||
errs.push(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
|
||||
let (credential, (secret, _)) = request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &get_assertion)),
|
||||
Some(timeout),
|
||||
)?;
|
||||
Ok((secret, credential))
|
||||
}
|
||||
|
||||
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
|
||||
@@ -94,7 +52,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
|
||||
match FidoDevice::new(&di) {
|
||||
Err(e) => match e.kind() {
|
||||
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
|
||||
err => Err(FidoError::from(err))?,
|
||||
err => return Err(FidoError::from(err).into()),
|
||||
},
|
||||
Ok(dev) => devices.push(dev),
|
||||
}
|
||||
|
||||
38
src/error.rs
38
src/error.rs
@@ -13,11 +13,13 @@ pub enum Fido2LuksError {
|
||||
AuthenticatorError { cause: ctap::FidoError },
|
||||
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
|
||||
NoAuthenticatorError,
|
||||
#[fail(display = "luks err")]
|
||||
LuksError {
|
||||
#[fail(display = " {}", cause)]
|
||||
CryptsetupError {
|
||||
cause: libcryptsetup_rs::LibcryptErr,
|
||||
},
|
||||
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
|
||||
#[fail(display = "{}", cause)]
|
||||
LuksError { cause: LuksError },
|
||||
#[fail(display = "{}", cause)]
|
||||
IoError { cause: io::Error },
|
||||
#[fail(display = "supplied secret isn't valid for this device")]
|
||||
WrongSecret,
|
||||
@@ -46,7 +48,35 @@ pub enum AskPassError {
|
||||
Mismatch,
|
||||
}
|
||||
|
||||
#[derive(Debug, Fail)]
|
||||
pub enum LuksError {
|
||||
#[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
|
||||
Luks2Required,
|
||||
#[fail(display = "Invalid token: {}", _0)]
|
||||
InvalidToken(String),
|
||||
#[fail(display = "No token found")]
|
||||
NoToken,
|
||||
#[fail(display = "The device already exists")]
|
||||
DeviceExists,
|
||||
}
|
||||
|
||||
impl LuksError {
|
||||
pub fn activate(e: LibcryptErr) -> Fido2LuksError {
|
||||
match e {
|
||||
LibcryptErr::IOError(ref io) => match io.raw_os_error() {
|
||||
Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
|
||||
Some(17) => Fido2LuksError::LuksError {
|
||||
cause: LuksError::DeviceExists,
|
||||
},
|
||||
_ => return Fido2LuksError::CryptsetupError { cause: e },
|
||||
},
|
||||
_ => Fido2LuksError::CryptsetupError { cause: e },
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
use libcryptsetup_rs::LibcryptErr;
|
||||
use std::io::ErrorKind;
|
||||
use std::string::FromUtf8Error;
|
||||
use Fido2LuksError::*;
|
||||
|
||||
@@ -62,7 +92,7 @@ impl From<LibcryptErr> for Fido2LuksError {
|
||||
LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
|
||||
WrongSecret
|
||||
}
|
||||
_ => LuksError { cause: e },
|
||||
_ => CryptsetupError { cause: e },
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
204
src/luks.rs
204
src/luks.rs
@@ -1,23 +1,45 @@
|
||||
use crate::error::*;
|
||||
|
||||
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
|
||||
use libcryptsetup_rs::{
|
||||
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
|
||||
TokenInput,
|
||||
};
|
||||
use std::collections::{HashMap, HashSet};
|
||||
use std::path::Path;
|
||||
|
||||
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
|
||||
let mut device = CryptInit::init(path.as_ref())?;
|
||||
//TODO: determine luks version some way other way than just trying
|
||||
let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
|
||||
vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
|
||||
.into_iter()
|
||||
.fold(None, |res, format| match res {
|
||||
Some(Ok(())) => res,
|
||||
Some(e) => Some(e.or(load(format))),
|
||||
None => Some(load(format)),
|
||||
})
|
||||
.unwrap()?;
|
||||
device.context_handle().load::<()>(None, None)?;
|
||||
Ok(device)
|
||||
}
|
||||
|
||||
fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
|
||||
match device.format_handle().get_type()? {
|
||||
EncryptionFormat::Luks2 => Ok(()),
|
||||
_ => Err(Fido2LuksError::LuksError {
|
||||
cause: LuksError::Luks2Required,
|
||||
}),
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||
struct Fido2LuksToken {
|
||||
#[serde(rename = "type")]
|
||||
type_: String,
|
||||
credential: Vec<String>,
|
||||
keyslots: Vec<String>,
|
||||
}
|
||||
|
||||
impl Fido2LuksToken {
|
||||
fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
|
||||
Self {
|
||||
type_: "fido2luks\0".into(), // Doubles as c style string
|
||||
credential: vec![hex::encode(credential_id)],
|
||||
keyslots: vec![slot.to_string()],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
device
|
||||
@@ -27,42 +49,157 @@ pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fid
|
||||
.map_err(|_e| Fido2LuksError::WrongSecret)
|
||||
}
|
||||
|
||||
pub fn open_container_token<P: AsRef<Path>>(
|
||||
path: P,
|
||||
name: &str,
|
||||
secret: Box<dyn Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>>,
|
||||
) -> Fido2LuksResult<()> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
check_luks2(&mut device)?;
|
||||
|
||||
let mut creds = HashMap::new();
|
||||
for i in 0..256 {
|
||||
let status = device.token_handle().status(i)?;
|
||||
match status {
|
||||
CryptTokenInfo::Inactive => break,
|
||||
CryptTokenInfo::Internal(s)
|
||||
| CryptTokenInfo::InternalUnknown(s)
|
||||
| CryptTokenInfo::ExternalUnknown(s)
|
||||
| CryptTokenInfo::External(s)
|
||||
if &s != "fido2luks" =>
|
||||
{
|
||||
continue
|
||||
}
|
||||
_ => (),
|
||||
};
|
||||
let json = device.token_handle().json_get(i)?;
|
||||
let info: Fido2LuksToken =
|
||||
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
|
||||
cause: LuksError::InvalidToken(json.to_string()),
|
||||
})?;
|
||||
let slots = || {
|
||||
info.keyslots
|
||||
.iter()
|
||||
.filter_map(|slot| slot.parse::<u32>().ok())
|
||||
};
|
||||
for cred in info.credential.iter().cloned() {
|
||||
creds
|
||||
.entry(cred)
|
||||
.or_insert_with(|| slots().collect::<HashSet<u32>>())
|
||||
.extend(slots());
|
||||
}
|
||||
}
|
||||
if creds.is_empty() {
|
||||
return Err(Fido2LuksError::LuksError {
|
||||
cause: LuksError::NoToken,
|
||||
});
|
||||
}
|
||||
let (secret, credential) = secret(creds.keys().cloned().collect())?;
|
||||
let slots = creds.get(&credential).unwrap();
|
||||
let slots = slots
|
||||
.iter()
|
||||
.cloned()
|
||||
.map(Option::Some)
|
||||
.chain(std::iter::once(None).take(slots.is_empty() as usize));
|
||||
for slot in slots {
|
||||
match device
|
||||
.activate_handle()
|
||||
.activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
|
||||
.map(|_slot| ())
|
||||
.map_err(LuksError::activate)
|
||||
{
|
||||
Err(Fido2LuksError::WrongSecret) => (),
|
||||
res => return res,
|
||||
}
|
||||
}
|
||||
Err(Fido2LuksError::WrongSecret)
|
||||
}
|
||||
|
||||
pub fn add_key<P: AsRef<Path>>(
|
||||
path: P,
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
// Set iteration time not sure wether this applies to luks2 as well
|
||||
if let Some(millis) = iteration_time {
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
let slot = device
|
||||
.keyslot_handle(None)
|
||||
.add_by_passphrase(old_secret, secret)?;
|
||||
.keyslot_handle()
|
||||
.add_by_passphrase(None, old_secret, secret)?;
|
||||
if let Some(id) = credential_id {
|
||||
/* if let e @ Err(_) = check_luks2(&mut device) {
|
||||
//rollback
|
||||
device.keyslot_handle(Some(slot)).destroy()?;
|
||||
return e.map(|_| 0u32);
|
||||
}*/
|
||||
device.token_handle().json_set(TokenInput::AddToken(
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
|
||||
))?;
|
||||
}
|
||||
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
fn find_token(
|
||||
device: &mut CryptDevice,
|
||||
slot: u32,
|
||||
) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
|
||||
for i in 0..256 {
|
||||
let status = device.token_handle().status(i)?;
|
||||
match status {
|
||||
CryptTokenInfo::Inactive => break,
|
||||
CryptTokenInfo::Internal(s)
|
||||
| CryptTokenInfo::InternalUnknown(s)
|
||||
| CryptTokenInfo::ExternalUnknown(s)
|
||||
| CryptTokenInfo::External(s)
|
||||
if &s != "fido2luks" =>
|
||||
{
|
||||
continue
|
||||
}
|
||||
_ => (),
|
||||
};
|
||||
let json = device.token_handle().json_get(i)?;
|
||||
let info: Fido2LuksToken =
|
||||
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
|
||||
cause: LuksError::InvalidToken(json.to_string()),
|
||||
})?;
|
||||
if info.keyslots.contains(&slot.to_string()) {
|
||||
return Ok(Some((i, info)));
|
||||
}
|
||||
}
|
||||
Ok(None)
|
||||
}
|
||||
|
||||
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
let mut handle;
|
||||
let mut destroyed = 0;
|
||||
//TODO: detect how many keyslots there are instead of trying within a given range
|
||||
for slot in 0..1024 {
|
||||
handle = device.keyslot_handle(Some(slot));
|
||||
match handle.status()? {
|
||||
let mut tokens = Vec::new();
|
||||
for slot in 0..256 {
|
||||
match device.keyslot_handle().status(slot)? {
|
||||
KeyslotInfo::Inactive => continue,
|
||||
KeyslotInfo::Active if !exclude.contains(&slot) => {
|
||||
handle.destroy()?;
|
||||
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
|
||||
if let Ok(_) = check_luks2(&mut device) {
|
||||
if let Some((token, _)) = dbg!(find_token(&mut device, slot))? {
|
||||
tokens.push(token);
|
||||
}
|
||||
}
|
||||
device.keyslot_handle().destroy(slot)?;
|
||||
destroyed += 1;
|
||||
}
|
||||
_ => (),
|
||||
}
|
||||
match handle.status()? {
|
||||
KeyslotInfo::ActiveLast => break,
|
||||
_ => (),
|
||||
}
|
||||
if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
|
||||
break;
|
||||
}
|
||||
}
|
||||
for token in tokens.iter() {
|
||||
device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::RemoveToken(*token))?;
|
||||
}
|
||||
Ok(destroyed)
|
||||
}
|
||||
@@ -72,13 +209,26 @@ pub fn replace_key<P: AsRef<Path>>(
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
// Set iteration time not sure wether this applies to luks2 as well
|
||||
if let Some(millis) = iteration_time {
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
Ok(device
|
||||
.keyslot_handle(None)
|
||||
.change_by_passphrase(None, None, old_secret, secret)? as u32)
|
||||
let slot = device
|
||||
.keyslot_handle()
|
||||
.change_by_passphrase(None, None, old_secret, secret)? as u32;
|
||||
if let Some(id) = credential_id {
|
||||
if check_luks2(&mut device).is_ok() {
|
||||
let token = find_token(&mut device, slot)?.map(|(t, _)| t);
|
||||
if let Some(token) = token {
|
||||
device.token_handle().json_set(TokenInput::ReplaceToken(
|
||||
token,
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
|
||||
))?;
|
||||
}
|
||||
}
|
||||
}
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate ctap_hmac as ctap;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
use crate::cli::*;
|
||||
use crate::config::*;
|
||||
use crate::device::*;
|
||||
|
||||
@@ -4,7 +4,7 @@ use std::fs::File;
|
||||
use std::io::Read;
|
||||
use std::path::PathBuf;
|
||||
|
||||
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
|
||||
pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
|
||||
let mut digest = digest::Context::new(&digest::SHA256);
|
||||
for m in messages.iter() {
|
||||
digest.update(m);
|
||||
@@ -23,7 +23,7 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
|
||||
{
|
||||
Err(Fido2LuksError::AskPassError {
|
||||
cause: AskPassError::Mismatch,
|
||||
})?
|
||||
})
|
||||
}
|
||||
pass => Ok(pass),
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user