shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:0.2.6
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:cli_reorg
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

7 Commits
0.2.6 ... cli_reorg

Author SHA1 Message Date
shimun
a26b79bcd6 reduced redundant code 2020-05-05 23:53:50 +02:00
shimun
69732a1ad6 restore order 2020-04-29 20:33:28 +02:00
shimun
b8ae9d91f0 rudimentary pin support 2020-04-29 19:56:18 +02:00
shimun
fcdd2a2d3d add option to specify keyslot 2020-04-29 18:55:25 +02:00
shimun
c3d6425e2d reorganised cli 2020-04-29 18:50:55 +02:00
shimun
5c0364587e update ctap 2020-04-26 18:58:37 +02:00
shimun
9307503bdc applied clippy lints 2020-04-07 20:06:24 +02:00
8 changed files with 329 additions and 230 deletions
Expand all files Collapse all files

6
Cargo.lock generated
View File

@@ -247,9 +247,9 @@ dependencies = [
[[package]] [[package]]
name = "ctap_hmac" name = "ctap_hmac"
version = "0.4.1" version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6b22457233b74539c53c10658eb3effb7c3d50907276dab6b5fbd8391d2b4351" checksum = "c5fec79b66e3a7bc6a7ace0f4c98f0748892b36d3c5c317fadfce0344fd185dc"
dependencies = [ dependencies = [
"byteorder", "byteorder",
"cbor-codec", "cbor-codec",
@@ -369,7 +369,7 @@ dependencies = [
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.6" version = "0.2.7"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",

4
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.6" version = "0.2.7"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -14,7 +14,7 @@ categories = ["command-line-utilities"]
license-file = "LICENSE" license-file = "LICENSE"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.1", features = ["request_multiple"] } ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"

482
src/cli.rs
View File

@@ -12,7 +12,7 @@ use std::io::Write;
use std::process::exit; use std::process::exit;
use std::thread; use std::thread;
use crate::util::read_password; use crate::util::sha256;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] #[derive(Debug, Eq, PartialEq, Clone)]
@@ -57,19 +57,48 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
} }
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct Args { pub struct Credentials {
/// Request passwords via Stdin instead of using the password helper /// FIDO credential ids, seperated by ',' generate using fido2luks credential
#[structopt(short = "i", long = "interactive")] #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub interactive: bool, pub ids: CommaSeparated<HexEncoded>,
#[structopt(subcommand)] }
pub command: Command,
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: Option<u32>,
} }
#[derive(Debug, StructOpt, Clone)] #[derive(Debug, StructOpt, Clone)]
pub struct SecretGeneration { pub struct LuksModParameters {
/// FIDO credential ids, seperated by ',' generate using fido2luks credential /// Number of milliseconds required to derive the volume decryption key
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")] /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
pub credential_ids: CommaSeparated<HexEncoded>, #[structopt(long = "kdf-time", name = "kdf-time")]
kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask' /// Salt for secret generation, defaults to 'ask'
/// ///
/// Options:{n} /// Options:{n}
@@ -90,87 +119,60 @@ pub struct SecretGeneration {
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'" default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)] )]
pub password_helper: PasswordHelper, pub password_helper: PasswordHelper,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_authenticator: u64,
/// Request the password twice to ensure it being correct
#[structopt(
long = "verify-password",
env = "FIDO2LUKS_VERIFY_PASSWORD",
hidden = true
)]
pub verify_password: Option<bool>,
} }
impl SecretGeneration { fn derive_secret(
pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self { credentials: &[HexEncoded],
let mut me = self.clone(); salt: &[u8; 32],
if args.interactive { timeout: u64,
me.password_helper = PasswordHelper::Stdin; pin: Option<&str>,
) -> Fido2LuksResult<[u8; 32]> {
let timeout = Duration::from_secs(timeout);
let start = SystemTime::now();
while let Ok(el) = start.elapsed() {
if el > timeout {
return Err(error::Fido2LuksError::NoAuthenticatorError);
} }
me.verify_password = me.verify_password.or(verify_password); if get_devices()
me .map(|devices| !devices.is_empty())
.unwrap_or(false)
{
break;
}
thread::sleep(Duration::from_millis(500));
} }
pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> { Ok(sha256(&[
let mut salt = [0u8; 32]; &perform_challenge(
match self.password_helper { &credentials
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => { .iter()
salt.copy_from_slice(&util::sha256(&[&read_password( .map(|hex| FidoCredential {
password_query, id: hex.0.clone(),
self.verify_password.unwrap_or(true), public_key: None,
)? })
.as_bytes()[..]])); .collect::<Vec<_>>()
} .iter()
_ => { .collect::<Vec<_>>()[..],
salt = self.salt.obtain(&self.password_helper)?; salt,
} timeout - start.elapsed().unwrap(),
} pin,
let timeout = Duration::from_secs(self.await_authenticator); )?[..],
let start = SystemTime::now(); salt,
]))
while let Ok(el) = start.elapsed() {
if el > timeout {
Err(error::Fido2LuksError::NoAuthenticatorError)?;
}
if get_devices()
.map(|devices| !devices.is_empty())
.unwrap_or(false)
{
break;
}
thread::sleep(Duration::from_millis(500));
}
let credentials = &self
.credential_ids
.0
.iter()
.map(|HexEncoded(id)| FidoCredential {
id: id.to_vec(),
public_key: None,
})
.collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>();
Ok(assemble_secret(
&perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?,
&salt,
))
}
} }
#[derive(Debug, StructOpt, Clone)] fn read_pin() -> Fido2LuksResult<String> {
pub struct LuksSettings { util::read_password("Authenticator PIN", false)
/// Number of milliseconds required to derive the volume decryption key }
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")] #[derive(Debug, StructOpt)]
kdf_time: Option<u64>, pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
} }
#[derive(Debug, StructOpt, Clone)] #[derive(Debug, StructOpt, Clone)]
@@ -184,24 +186,6 @@ pub struct OtherSecret {
fido_device: bool, fido_device: bool,
} }
impl OtherSecret {
pub fn obtain(
&self,
secret_gen: &SecretGeneration,
verify_password: bool,
password_question: &str,
) -> Fido2LuksResult<Vec<u8>> {
match &self.keyfile {
Some(keyfile) => util::read_keyfile(keyfile.clone()),
None if self.fido_device => {
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
}
None => util::read_password(password_question, verify_password)
.map(|p| p.as_bytes().to_vec()),
}
}
}
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub enum Command { pub enum Command {
#[structopt(name = "print-secret")] #[structopt(name = "print-secret")]
@@ -210,53 +194,72 @@ pub enum Command {
#[structopt(short = "b", long = "bin")] #[structopt(short = "b", long = "bin")]
binary: bool, binary: bool,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
}, },
/// Adds a generated key to the specified LUKS device /// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")] #[structopt(name = "add-key")]
AddKey { AddKey {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys /// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")] #[structopt(short = "e", long = "exclusive")]
exclusive: bool, exclusive: bool,
#[structopt(flatten)] #[structopt(flatten)]
existing_secret: OtherSecret, existing_secret: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, luks_mod: LuksModParameters,
#[structopt(flatten)]
luks_settings: LuksSettings,
}, },
/// Replace a previously added key with a password /// Replace a previously added key with a password
#[structopt(name = "replace-key")] #[structopt(name = "replace-key")]
ReplaceKey { ReplaceKey {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key /// Add the password and keep the key
#[structopt(short = "a", long = "add-password")] #[structopt(short = "a", long = "add-password")]
add_password: bool, add_password: bool,
#[structopt(flatten)] #[structopt(flatten)]
replacement: OtherSecret, replacement: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, luks_mod: LuksModParameters,
#[structopt(flatten)]
luks_settings: LuksSettings,
}, },
/// Open the LUKS device /// Open the LUKS device
#[structopt(name = "open")] #[structopt(name = "open")]
Open { Open {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")] #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String, name: String,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")] #[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32, retries: i32,
#[structopt(flatten)]
secret_gen: SecretGeneration,
}, },
/// Generate a new FIDO credential /// Generate a new FIDO credential
#[structopt(name = "credential")] #[structopt(name = "credential")]
Credential { Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator if it has a display /// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")] #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>, name: Option<String>,
@@ -273,104 +276,205 @@ pub fn parse_cmdline() -> Args {
pub fn run_cli() -> Fido2LuksResult<()> { pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout(); let mut stdout = io::stdout();
let args = parse_cmdline(); let args = parse_cmdline();
let interactive = args.interactive;
match &args.command { match &args.command {
Command::Credential { name } => { Command::Credential {
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?; authenticator,
name,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
Command::PrintSecret { Command::PrintSecret {
binary, binary,
ref secret_gen, authenticator,
credentials,
secret,
} => { } => {
let secret = secret_gen let pin_string;
.patch(&args, Some(false)) let pin = if authenticator.pin {
.obtain_secret("Password")?; pin_string = read_pin()?;
if *binary { Some(pin_string.as_ref())
stdout.write(&secret[..])?;
} else { } else {
stdout.write(hex::encode(&secret[..]).as_bytes())?; None
};
let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed("Password", false)
} else {
secret.salt.obtain(&secret.password_helper)
}?;
let secret = derive_secret(
credentials.ids.0.as_slice(),
&salt,
authenticator.await_time,
pin,
)?;
if *binary {
stdout.write_all(&secret[..])?;
} else {
stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
} }
Ok(stdout.flush()?) Ok(stdout.flush()?)
} }
Command::AddKey { Command::AddKey {
device, luks,
exclusive, authenticator,
existing_secret, credentials,
ref secret_gen, secret,
luks_settings, luks_mod,
} => { existing_secret: other_secret,
let secret_gen = secret_gen.patch(&args, None); ..
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
let secret = secret_gen.obtain_secret("Password")?;
let added_slot = luks::add_key(
device.clone(),
&secret,
&old_secret[..],
luks_settings.kdf_time.or(Some(10)),
)?;
if *exclusive {
let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
println!(
"Added to key to device {}, slot: {}\nRemoved {} old keys",
device.display(),
added_slot,
destroyed
);
} else {
println!(
"Added to key to device {}, slot: {}",
device.display(),
added_slot
);
}
Ok(())
} }
Command::ReplaceKey { | Command::ReplaceKey {
device, luks,
add_password, authenticator,
replacement, credentials,
ref secret_gen, secret,
luks_settings, luks_mod,
replacement: other_secret,
..
} => { } => {
let secret_gen = secret_gen.patch(&args, Some(false)); let pin = if authenticator.pin {
let secret = secret_gen.obtain_secret("Password")?; Some(read_pin()?)
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
let slot = if *add_password {
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
} else { } else {
luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time) None
}?; };
println!( let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
"Added to password to device {}, slot: {}", if interactive || secret.password_helper == PasswordHelper::Stdin {
device.display(), util::read_password_hashed(q, verify)
slot } else {
); secret.salt.obtain(&secret.password_helper)
Ok(()) }
};
let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<Vec<u8>> {
match other_secret {
OtherSecret {
keyfile: Some(file),
..
} => util::read_keyfile(file),
OtherSecret {
fido_device: true, ..
} => Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
authenticator.await_time,
pin.as_deref(),
)?[..]
.to_vec()),
_ => Ok(util::read_password(salt_q, verify)?.as_bytes().to_vec()),
}
};
let secret = |verify: bool| -> Fido2LuksResult<[u8; 32]> {
derive_secret(
&credentials.ids.0,
&salt("Password", verify)?,
authenticator.await_time,
pin.as_deref(),
)
};
// Non overlap
match &args.command {
Command::AddKey { exclusive, .. } => {
let existing_secret = other_secret("Current password", false)?;
let new_secret = secret(true)?;
let added_slot = luks::add_key(
&luks.device,
&new_secret,
&existing_secret[..],
luks_mod.kdf_time.or(Some(10)),
)?;
if *exclusive {
let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?;
println!(
"Added to key to device {}, slot: {}\nRemoved {} old keys",
luks.device.display(),
added_slot,
destroyed
);
} else {
println!(
"Added to key to device {}, slot: {}",
luks.device.display(),
added_slot
);
}
Ok(())
}
Command::ReplaceKey { add_password, .. } => {
let existing_secret = secret(false)?;
let replacement_secret = other_secret("Replacement password", true)?;
let slot = if *add_password {
luks::add_key(
&luks.device,
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
)
} else {
luks::replace_key(
&luks.device,
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
)
}?;
println!(
"Added to password to device {}, slot: {}",
luks.device.display(),
slot
);
Ok(())
}
_ => unreachable!(),
}
} }
Command::Open { Command::Open {
device, luks,
authenticator,
credentials,
secret,
name, name,
retries, retries,
ref secret_gen,
} => { } => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain(&secret.password_helper)
}
};
let mut retries = *retries; let mut retries = *retries;
loop { loop {
match secret_gen match derive_secret(
.patch(&args, Some(false)) &credentials.ids.0,
.obtain_secret("Password") &salt("Password", false)?,
.and_then(|secret| luks::open_container(&device, &name, &secret)) authenticator.await_time,
pin,
)
.and_then(|secret| luks::open_container(&luks.device, &name, &secret, luks.slot))
{ {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => (), Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause } Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
{
()
}
e => break Err(e)?, e => return Err(e),
} }
retries -= 1; retries -= 1;
eprintln!("{}", e); eprintln!("{}", e);

7
src/config.rs
View File

@@ -24,7 +24,7 @@ impl Default for InputSalt {
impl From<&str> for InputSalt { impl From<&str> for InputSalt {
fn from(s: &str) -> Self { fn from(s: &str) -> Self {
let mut parts = s.split(":").into_iter(); let mut parts = s.split(':');
match parts.next() { match parts.next() {
Some("ask") | Some("Ask") => InputSalt::AskPassword, Some("ask") | Some("Ask") => InputSalt::AskPassword,
Some("file") => InputSalt::File { Some("file") => InputSalt::File {
@@ -84,9 +84,10 @@ impl InputSalt {
} }
} }
#[derive(Debug, Clone)] #[derive(Debug, Clone, PartialEq, Eq)]
pub enum PasswordHelper { pub enum PasswordHelper {
Script(String), Script(String),
#[allow(dead_code)]
Systemd, Systemd,
Stdin, Stdin,
} }
@@ -134,7 +135,7 @@ impl PasswordHelper {
Systemd => unimplemented!(), Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?), Stdin => Ok(util::read_password("Password", true)?),
Script(password_helper) => { Script(password_helper) => {
let mut helper_parts = password_helper.split(" "); let mut helper_parts = password_helper.split(' ');
let password = Command::new((&mut helper_parts).next().unwrap()) let password = Command::new((&mut helper_parts).next().unwrap())
.args(helper_parts) .args(helper_parts)

20
src/device.rs
View File

@@ -7,15 +7,23 @@ use ctap::{
}; };
use std::time::Duration; use std::time::Duration;
const RP_ID: &'static str = "fido2luks"; const RP_ID: &str = "fido2luks";
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> { pub fn make_credential_id(
name: Option<&str>,
pin: Option<&str>,
) -> Fido2LuksResult<FidoCredential> {
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID); let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
if let Some(user_name) = name { if let Some(user_name) = name {
request = request.user_name(user_name); request = request.user_name(user_name);
} }
let request = request.build().unwrap(); let request = request.build().unwrap();
let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request); let make_credential = |device: &mut FidoDevice| {
if let Some(pin) = pin {
device.unlock(pin)?;
}
device.make_hmac_credential(&request)
};
Ok(request_multiple_devices( Ok(request_multiple_devices(
get_devices()? get_devices()?
.iter_mut() .iter_mut()
@@ -28,6 +36,7 @@ pub fn perform_challenge(
credentials: &[&FidoCredential], credentials: &[&FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
timeout: Duration, timeout: Duration,
pin: Option<&str>,
) -> Fido2LuksResult<[u8; 32]> { ) -> Fido2LuksResult<[u8; 32]> {
let request = FidoAssertionRequestBuilder::default() let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID) .rp_id(RP_ID)
@@ -35,6 +44,9 @@ pub fn perform_challenge(
.build() .build()
.unwrap(); .unwrap();
let get_assertion = |device: &mut FidoDevice| { let get_assertion = |device: &mut FidoDevice| {
if let Some(pin) = pin {
device.unlock(pin)?;
}
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
}; };
let (_, (secret, _)) = request_multiple_devices( let (_, (secret, _)) = request_multiple_devices(
@@ -52,7 +64,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
match FidoDevice::new(&di) { match FidoDevice::new(&di) {
Err(e) => match e.kind() { Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (), FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => Err(FidoError::from(err))?, err => return Err(FidoError::from(err).into()),
}, },
Ok(dev) => devices.push(dev), Ok(dev) => devices.push(dev),
} }

11
src/luks.rs
View File

@@ -11,18 +11,18 @@ fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
.into_iter() .into_iter()
.fold(None, |res, format| match res { .fold(None, |res, format| match res {
Some(Ok(())) => res, Some(Ok(())) => res,
Some(e) => Some(e.or(load(format))), Some(e) => Some(e.or_else(|_| load(format))),
None => Some(load(format)), None => Some(load(format)),
}) })
.unwrap()?; .unwrap()?;
Ok(device) Ok(device)
} }
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> { pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8], slot_hint: Option<u32>) -> Fido2LuksResult<()> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
device device
.activate_handle() .activate_handle()
.activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty()) .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.map(|_slot| ()) .map(|_slot| ())
.map_err(|_e| Fido2LuksError::WrongSecret) .map_err(|_e| Fido2LuksError::WrongSecret)
} }
@@ -58,9 +58,8 @@ pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksRes
} }
_ => (), _ => (),
} }
match handle.status()? { if let KeyslotInfo::ActiveLast = handle.status()? {
KeyslotInfo::ActiveLast => break, break;
_ => (),
} }
} }
Ok(destroyed) Ok(destroyed)

21
src/main.rs
View File

@@ -16,10 +16,6 @@ mod error;
mod luks; mod luks;
mod util; mod util;
fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
util::sha256(&[salt, hmac_result])
}
fn main() -> Fido2LuksResult<()> { fn main() -> Fido2LuksResult<()> {
match run_cli() { match run_cli() {
Err(e) => { Err(e) => {
@@ -32,20 +28,3 @@ fn main() -> Fido2LuksResult<()> {
_ => exit(0), _ => exit(0),
} }
} }
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_assemble_secret() {
assert_eq!(
assemble_secret(b"abc", b"def"),
[
46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
]
)
}
}

8
src/util.rs
View File

@@ -4,7 +4,7 @@ use std::fs::File;
use std::io::Read; use std::io::Read;
use std::path::PathBuf; use std::path::PathBuf;
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] { pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256); let mut digest = digest::Context::new(&digest::SHA256);
for m in messages.iter() { for m in messages.iter() {
digest.update(m); digest.update(m);
@@ -23,12 +23,16 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
{ {
Err(Fido2LuksError::AskPassError { Err(Fido2LuksError::AskPassError {
cause: AskPassError::Mismatch, cause: AskPassError::Mismatch,
})? })
} }
pass => Ok(pass), pass => Ok(pass),
} }
} }
pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
}
pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> { pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
let mut file = File::open(path.into())?; let mut file = File::open(path.into())?;
let mut key = Vec::new(); let mut key = Vec::new();