shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

merge into: shimun:0.2.8
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
...
pull from: shimun:pkgbuild
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

26 Commits
0.2.8 ... pkgbuild

Author SHA1 Message Date
shimun
b2506fd950 detect current version
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-09-03 14:19:26 +02:00
shimun
8811cff6d1 0.2.12
All checks were successful
continuous-integration/drone/tag Build is passing
Details
2020-08-31 00:04:24 +02:00
shimun
99787b614c Merge branch 'pin_source' into master
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-31 00:00:42 +02:00
shimun
ee28f87148 always print the full error message
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-08-30 17:09:57 +02:00
shimun
196356fe3b structopt does not allow for flags to be linked to env atm 2020-08-25 21:47:25 +02:00
shimun
3ff7e698bd add flag to read pin from alternate source
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-25 21:26:30 +02:00
shimun
04d0d60fb3 use ubuntu as base image
Some checks reported errors
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build was killed
Details
2020-08-16 15:30:20 +02:00
shimun
e64f777c54 use sh to run password helper 2020-08-16 13:42:54 +02:00
shimun
8465949b44 spell promPt correctly 2020-08-16 13:42:35 +02:00
shimunn
06bed03e7b Merge pull request #13 from Andrew-Finn/master 
Added documentation and tweaked readme
 2020-08-14 12:40:02 +02:00
Andrew-Finn
36f82e7c3a Added and edited documentation 2020-08-14 11:36:25 +01:00
shimun
cd90564f60 protect fido2luks.conf from being overwritten
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details
2020-08-11 23:08:12 +02:00
shimun
0f6d79a7e4 get plymouth to display a message
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-08-11 22:41:21 +02:00
shimun
4136b1bfad relicense to MPL
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-27 09:22:02 +02:00
shimun
81016a1a42 require MPL for new contributions
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-26 21:11:03 +02:00
shimun
840868468b cargo-deb meta
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-04 21:32:21 +02:00
shimun
97880e4f41 refuse removal while crypttab depends on keyscript
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 16:21:35 +02:00
shimun
e798ba5c70 remove keyscript aswell
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 15:59:12 +02:00
shimun
298e05fed7 initramfs-tools
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 15:55:23 +02:00
shimun
a498e1416f automate cargo publish
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-06-23 23:55:07 +02:00
shimun
92e413de50 refactored luks operations
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-06-22 20:47:19 +00:00
shimun
023399bb14 use unstable cryptsetup
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-22 18:17:10 +02:00
shimun
a53a430c23 update drone
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-21 22:16:45 +02:00
shimun
5f107cd337 add non existing token
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-19 20:09:36 +02:00
shimun
ddfd24a098 ensure replace_key uses the same slot 2020-06-19 20:05:05 +02:00
shimun
743edf668a document --token 2020-06-13 14:35:46 +02:00
17 changed files with 1542 additions and 1096 deletions
Expand all files Collapse all files

41
.drone.yml
View File

@@ -3,32 +3,27 @@ name: default
steps: steps:
- name: fmt - name: fmt
image: rust:1.37.0 image: rust:1.43.0
commands: commands:
- rustup component add rustfmt - rustup component add rustfmt
- cargo fmt --all -- --check - cargo fmt --all -- --check
- name: test - name: test
image: rust:1.37.0 image: ubuntu:focal
environment:
DEBIAN_FRONTEND: noninteractive
commands: commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo test - cargo test --locked
- name: publish
- name: build image: ubuntu:focal
image: rust:1.37.0 environment:
DEBIAN_FRONTEND: noninteractive
CARGO_REGISTRY_TOKEN:
from_secret: cargo_tkn
commands: commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- cargo install -f --path . --root . - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo package --all-features
- cargo publish --all-features
when: when:
event: tag event: tag
- name: publish
image: plugins/github-release
settings:
api_key:
from_secret: github_release
files:
- bin/fido2luks
checksum:
- md5
- sha256
when:
event: tag

304
Cargo.lock generated
View File

@@ -1,10 +1,25 @@
# This file is automatically @generated by Cargo. # This file is automatically @generated by Cargo.
# It is not intended for manual editing. # It is not intended for manual editing.
[[package]] [[package]]
name = "aho-corasick" name = "addr2line"
version = "0.7.10" version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8716408b8bc624ed7f65d223ddb9ac2d044c0547b6fa4b0d554f3a9540496ada" checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
dependencies = [
"gimli",
]
[[package]]
name = "adler"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
[[package]]
name = "aho-corasick"
version = "0.7.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
dependencies = [ dependencies = [
"memchr", "memchr",
] ]
@@ -43,31 +58,23 @@ checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
[[package]] [[package]]
name = "backtrace" name = "backtrace"
version = "0.3.46" version = "0.3.50"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e" checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
dependencies = [ dependencies = [
"backtrace-sys", "addr2line",
"cfg-if", "cfg-if",
"libc", "libc",
"miniz_oxide",
"object",
"rustc-demangle", "rustc-demangle",
] ]
[[package]]
name = "backtrace-sys"
version = "0.1.36"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
dependencies = [
"cc",
"libc",
]
[[package]] [[package]]
name = "bindgen" name = "bindgen"
version = "0.53.2" version = "0.54.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6bb26d6a69a335b8cb0e7c7e9775cd5666611dc50a37177c3f2cedcfc040e8c8" checksum = "f4d49b80beb70d76cdac92f5681e666f9a697c737c4f4117a67229a0386dc736"
dependencies = [ dependencies = [
"bitflags", "bitflags",
"cexpr", "cexpr",
@@ -79,8 +86,8 @@ dependencies = [
"lazycell", "lazycell",
"log", "log",
"peeking_take_while", "peeking_take_while",
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"regex", "regex",
"rustc-hash", "rustc-hash",
"shlex", "shlex",
@@ -111,9 +118,9 @@ dependencies = [
[[package]] [[package]]
name = "cc" name = "cc"
version = "1.0.52" version = "1.0.58"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d" checksum = "f9a06fb2e53271d7c279ec1efea6ab691c35a2ae67ec0d91d7acec0caf13b518"
[[package]] [[package]]
name = "cexpr" name = "cexpr"
@@ -143,9 +150,9 @@ dependencies = [
[[package]] [[package]]
name = "clap" name = "clap"
version = "2.33.0" version = "2.33.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9" checksum = "10040cdf04294b565d9e0319955430099ec3813a64c952b86a41200ad714ae48"
dependencies = [ dependencies = [
"ansi_term", "ansi_term",
"atty", "atty",
@@ -181,12 +188,12 @@ dependencies = [
[[package]] [[package]]
name = "crossbeam-channel" name = "crossbeam-channel"
version = "0.4.2" version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cced8691919c02aac3cb0a1bc2e9b73d89e832bf9a06fc579d4e71b68a2da061" checksum = "09ee0cc8804d5393478d743b035099520087a5186f3b93fa58cec08fa62407b6"
dependencies = [ dependencies = [
"cfg-if",
"crossbeam-utils", "crossbeam-utils",
"maybe-uninit",
] ]
[[package]] [[package]]
@@ -217,12 +224,13 @@ dependencies = [
[[package]] [[package]]
name = "crossbeam-queue" name = "crossbeam-queue"
version = "0.2.1" version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db" checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"crossbeam-utils", "crossbeam-utils",
"maybe-uninit",
] ]
[[package]] [[package]]
@@ -284,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
dependencies = [ dependencies = [
"fnv", "fnv",
"ident_case", "ident_case",
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"strsim 0.9.3", "strsim 0.9.3",
"syn 1.0.18", "syn 1.0.38",
] ]
[[package]] [[package]]
@@ -297,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72" checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
dependencies = [ dependencies = [
"darling_core", "darling_core",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
] ]
[[package]] [[package]]
@@ -309,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
dependencies = [ dependencies = [
"darling", "darling",
"derive_builder_core", "derive_builder_core",
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
] ]
[[package]] [[package]]
@@ -321,16 +329,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef" checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
dependencies = [ dependencies = [
"darling", "darling",
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
] ]
[[package]] [[package]]
name = "either" name = "either"
version = "1.5.3" version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3" checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
[[package]] [[package]]
name = "env_logger" name = "env_logger"
@@ -347,9 +355,9 @@ dependencies = [
[[package]] [[package]]
name = "failure" name = "failure"
version = "0.1.7" version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b" checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
dependencies = [ dependencies = [
"backtrace", "backtrace",
"failure_derive", "failure_derive",
@@ -357,19 +365,19 @@ dependencies = [
[[package]] [[package]]
name = "failure_derive" name = "failure_derive"
version = "0.1.7" version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231" checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
"synstructure", "synstructure",
] ]
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.8" version = "0.2.12"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",
@@ -385,9 +393,9 @@ dependencies = [
[[package]] [[package]]
name = "fnv" name = "fnv"
version = "1.0.6" version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
[[package]] [[package]]
name = "fuchsia-cprng" name = "fuchsia-cprng"
@@ -401,6 +409,12 @@ version = "0.3.55"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2" checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
[[package]]
name = "gimli"
version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
[[package]] [[package]]
name = "glob" name = "glob"
version = "0.3.0" version = "0.3.0"
@@ -418,9 +432,9 @@ dependencies = [
[[package]] [[package]]
name = "hermit-abi" name = "hermit-abi"
version = "0.1.12" version = "0.1.15"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4" checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
dependencies = [ dependencies = [
"libc", "libc",
] ]
@@ -448,9 +462,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
[[package]] [[package]]
name = "itoa" name = "itoa"
version = "0.4.5" version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b8b7a7c0c47db5545ed3fef7468ee7bb5b74691498139e4b3f6a20685dc6dd8e" checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
[[package]] [[package]]
name = "lazy_static" name = "lazy_static"
@@ -466,15 +480,15 @@ checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
[[package]] [[package]]
name = "libc" name = "libc"
version = "0.2.69" version = "0.2.74"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005" checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10"
[[package]] [[package]]
name = "libcryptsetup-rs" name = "libcryptsetup-rs"
version = "0.4.1" version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b" checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
dependencies = [ dependencies = [
"either", "either",
"libc", "libc",
@@ -487,9 +501,9 @@ dependencies = [
[[package]] [[package]]
name = "libcryptsetup-rs-sys" name = "libcryptsetup-rs-sys"
version = "0.1.2" version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c605998e81e2a99c1f4c5d0be45ea1df6f1dc45dc64f5ca2847b0dbebf49ae7" checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
dependencies = [ dependencies = [
"bindgen", "bindgen",
"cc", "cc",
@@ -509,9 +523,9 @@ dependencies = [
[[package]] [[package]]
name = "log" name = "log"
version = "0.4.8" version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7" checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
] ]
@@ -530,18 +544,27 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
[[package]] [[package]]
name = "memoffset" name = "memoffset"
version = "0.5.4" version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b4fc2c02a7e374099d4ee95a193111f72d2110197fe200272371758f6c3643d8" checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
dependencies = [ dependencies = [
"autocfg 1.0.0", "autocfg 1.0.0",
] ]
[[package]] [[package]]
name = "nom" name = "miniz_oxide"
version = "5.1.1" version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b471253da97532da4b61552249c521e01e736071f71c1a4f7ebbfbf0a06aad6" checksum = "be0f75932c1f6cfae3c04000e40114adf955636e19040f9c0a2c380702aa1c7f"
dependencies = [
"adler",
]
[[package]]
name = "nom"
version = "5.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
dependencies = [ dependencies = [
"memchr", "memchr",
"version_check", "version_check",
@@ -560,13 +583,19 @@ dependencies = [
[[package]] [[package]]
name = "num-traits" name = "num-traits"
version = "0.2.11" version = "0.2.12"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096" checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
dependencies = [ dependencies = [
"autocfg 1.0.0", "autocfg 1.0.0",
] ]
[[package]]
name = "object"
version = "0.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
[[package]] [[package]]
name = "peeking_take_while" name = "peeking_take_while"
version = "0.1.2" version = "0.1.2"
@@ -575,33 +604,31 @@ checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
[[package]] [[package]]
name = "pkg-config" name = "pkg-config"
version = "0.3.17" version = "0.3.18"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677" checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
[[package]] [[package]]
name = "proc-macro-error" name = "proc-macro-error"
version = "1.0.2" version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678" checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
dependencies = [ dependencies = [
"proc-macro-error-attr", "proc-macro-error-attr",
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
"version_check", "version_check",
] ]
[[package]] [[package]]
name = "proc-macro-error-attr" name = "proc-macro-error-attr"
version = "1.0.2" version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53" checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18",
"syn-mid",
"version_check", "version_check",
] ]
@@ -616,11 +643,11 @@ dependencies = [
[[package]] [[package]]
name = "proc-macro2" name = "proc-macro2"
version = "1.0.10" version = "1.0.19"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df246d292ff63439fea9bc8c0a270bed0e390d5ebd4db4ba15aba81111b5abe3" checksum = "04f5f085b5d71e2188cb8271e5da0161ad52c3f227a661a3c135fdf28e258b12"
dependencies = [ dependencies = [
"unicode-xid 0.2.0", "unicode-xid 0.2.1",
] ]
[[package]] [[package]]
@@ -640,11 +667,11 @@ dependencies = [
[[package]] [[package]]
name = "quote" name = "quote"
version = "1.0.3" version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f" checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
] ]
[[package]] [[package]]
@@ -787,9 +814,9 @@ dependencies = [
[[package]] [[package]]
name = "regex" name = "regex"
version = "1.3.7" version = "1.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692" checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
dependencies = [ dependencies = [
"aho-corasick", "aho-corasick",
"memchr", "memchr",
@@ -799,9 +826,9 @@ dependencies = [
[[package]] [[package]]
name = "regex-syntax" name = "regex-syntax"
version = "0.6.17" version = "0.6.18"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fe5bd57d1d7414c6b5ed48563a2c855d995ff777729dcd91c369ec7fea395ae" checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
[[package]] [[package]]
name = "ring" name = "ring"
@@ -858,9 +885,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
[[package]] [[package]]
name = "ryu" name = "ryu"
version = "1.0.4" version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1" checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
[[package]] [[package]]
name = "scopeguard" name = "scopeguard"
@@ -885,26 +912,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
[[package]] [[package]]
name = "serde" name = "serde"
version = "1.0.106" version = "1.0.115"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399" checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
[[package]] [[package]]
name = "serde_derive" name = "serde_derive"
version = "1.0.106" version = "1.0.115"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c" checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
] ]
[[package]] [[package]]
name = "serde_json" name = "serde_json"
version = "1.0.51" version = "1.0.57"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da07b57ee2623368351e9a0488bb0b261322a15a6e0ae53e243cbdc0f4208da9" checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
dependencies = [ dependencies = [
"itoa", "itoa",
"ryu", "ryu",
@@ -931,9 +958,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
[[package]] [[package]]
name = "structopt" name = "structopt"
version = "0.3.14" version = "0.3.16"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef" checksum = "de5472fb24d7e80ae84a7801b7978f95a19ec32cb1876faea59ab711eb901976"
dependencies = [ dependencies = [
"clap", "clap",
"lazy_static", "lazy_static",
@@ -942,15 +969,15 @@ dependencies = [
[[package]] [[package]]
name = "structopt-derive" name = "structopt-derive"
version = "0.4.7" version = "0.4.9"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a" checksum = "1e0eb37335aeeebe51be42e2dc07f031163fbabfa6ac67d7ea68b5c2f68d5f99"
dependencies = [ dependencies = [
"heck", "heck",
"proc-macro-error", "proc-macro-error",
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
] ]
[[package]] [[package]]
@@ -966,36 +993,25 @@ dependencies = [
[[package]] [[package]]
name = "syn" name = "syn"
version = "1.0.18" version = "1.0.38"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213" checksum = "e69abc24912995b3038597a7a593be5053eb0fb44f3cc5beec0deb421790c1f4"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"unicode-xid 0.2.0", "unicode-xid 0.2.1",
]
[[package]]
name = "syn-mid"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
dependencies = [
"proc-macro2 1.0.10",
"quote 1.0.3",
"syn 1.0.18",
] ]
[[package]] [[package]]
name = "synstructure" name = "synstructure"
version = "0.12.3" version = "0.12.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545" checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.19",
"quote 1.0.3", "quote 1.0.7",
"syn 1.0.18", "syn 1.0.38",
"unicode-xid 0.2.0", "unicode-xid 0.2.1",
] ]
[[package]] [[package]]
@@ -1043,9 +1059,9 @@ checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
[[package]] [[package]]
name = "unicode-width" name = "unicode-width"
version = "0.1.7" version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "caaa9d531767d1ff2150b9332433f32a24622147e5ebb1f26409d5da67afd479" checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
[[package]] [[package]]
name = "unicode-xid" name = "unicode-xid"
@@ -1055,9 +1071,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
[[package]] [[package]]
name = "unicode-xid" name = "unicode-xid"
version = "0.2.0" version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c" checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
[[package]] [[package]]
name = "untrusted" name = "untrusted"
@@ -1076,15 +1092,15 @@ dependencies = [
[[package]] [[package]]
name = "vec_map" name = "vec_map"
version = "0.8.1" version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a" checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
[[package]] [[package]]
name = "version_check" name = "version_check"
version = "0.9.1" version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "078775d0255232fb988e6fccf26ddc9d1ac274299aaedcedce21c6f72cc533ce" checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
[[package]] [[package]]
name = "which" name = "which"
@@ -1097,9 +1113,9 @@ dependencies = [
[[package]] [[package]]
name = "winapi" name = "winapi"
version = "0.3.8" version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6" checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [ dependencies = [
"winapi-i686-pc-windows-gnu", "winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu", "winapi-x86_64-pc-windows-gnu",

16
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.8" version = "0.2.12"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
readme = "README.md" readme = "README.md"
keywords = ["luks", "fido2", "u2f"] keywords = ["luks", "fido2", "u2f"]
categories = ["command-line-utilities"] categories = ["command-line-utilities"]
license-file = "LICENSE" license = "MPL-2.0"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] } ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -31,3 +31,15 @@ opt-level = 'z'
panic = 'abort' panic = 'abort'
incremental = false incremental = false
overflow-checks = false overflow-checks = false
[package.metadata.deb]
depends = "$auto, cryptsetup"
build-depends = "libclang-dev, libcryptsetup-dev"
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
assets = [
["target/release/fido2luks", "usr/bin/", "755"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"],
]
conf-files = ["/etc/fido2luks.conf"]

1047
LICENSE
View File

File diff suppressed because it is too large Load Diff

24
PKGBUILD Normal file
View File

@@ -0,0 +1,24 @@
# Maintainer: shimunn <shimun@shimun.net>
pkgname=fido2luks
pkgver=0.2.12
pkgrel=1
makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
depends=('cryptsetup')
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
url="https://github.com/shimunn/fido2luks"
license=('MPL-2.0')
pkgver() {
# Use tag version if possible otherwise concat project version and git ref
git describe --exact-match --tags HEAD 2> /dev/null || \
echo "$(cargo pkgid | cut -d':' -f3).$(git describe --always)"
}
build() {
cargo build --release --locked --all-features --target-dir=target
}
package() {
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
}

31
README.md
View File

@@ -1,8 +1,8 @@
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks) # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your luks encrypted disk with an fido2 compatible key This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Setup ## Setup
@@ -30,6 +30,8 @@ set -a
. /etc/fido2luks.conf . /etc/fido2luks.conf
# Repeat for each luks volume # Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID> sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
# Test(only works if the luks container isn't active) # Test(only works if the luks container isn't active)
@@ -63,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/ cp /etc/fido2luks.conf /boot/fido2luks/
``` ```
## Test ## Testing
Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header: Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
@@ -71,6 +73,8 @@ Just reboot and see if it works, if that's the case you should remove your old l
# Recommend in case you lose your authenticator, store this backupfile somewhere safe # Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID> cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup # There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
# which will enable you to use `fido2luks open-token` without passing a credential as parameter
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID> fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
``` ```
@@ -92,6 +96,13 @@ set -a
Then add the new secret to each device and update dracut afterwards `dracut -f` Then add the new secret to each device and update dracut afterwards `dracut -f`
### Multiple keys
Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
```
FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
```
## Removal ## Removal
Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
@@ -103,3 +114,17 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
``` ```
## License
Licensed under
* Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the MPL 2.0
license, shall be licensed as above, without any additional terms or
conditions.

11
initramfs-tools/Makefile Normal file
View File

@@ -0,0 +1,11 @@
.PHONY: install
install:
chmod +x hook/fido2luks.sh keyscript.sh
cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
mkdir -p /usr/share/fido2luks
cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u
remove:
sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u

34
initramfs-tools/README.md Normal file
View File

@@ -0,0 +1,34 @@
## Initramfs-tools based systems(Ubuntu and derivatives)
For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
```
sudo -s
# Insert FIDO key.
fido2luks credential
# Tap FIDO key
# Copy returned string <CREDENTIAL>
nano /etc/fido2luks.conf
# Insert <CREDENTIAL>
# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL>
set -a
. /etc/fido2luks.conf
fido2luks -i add-key /dev/<LUKS PARTITION>
# Current password: <Any current LUKS password>
# Password: <Password used as FIDO challange>
# Tap FIDO key
nano /etc/crypttab
# Append to end ",discard,initramfs,keyscript=fido2luks"
# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
update-initramfs -u
```
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

3
initramfs-tools/fido2luks.conf Normal file
View File

@@ -0,0 +1,3 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=

14
initramfs-tools/hook/fido2luks.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
case "$1" in
prereqs)
echo ""
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
copy_exec /usr/bin/fido2luks
exit 0

10
initramfs-tools/keyscript.sh Executable file
View File

@@ -0,0 +1,10 @@
#!/bin/sh
set -a
. /etc/fido2luks.conf
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
fi
fido2luks print-secret --bin

332
initramfs-tools/setup.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 550 KiB

241
src/cli.rs
View File

@@ -1,5 +1,4 @@
use crate::error::*; use crate::error::*;
use crate::luks;
use crate::*; use crate::*;
use structopt::StructOpt; use structopt::StructOpt;
@@ -8,12 +7,15 @@ use ctap::{FidoCredential, FidoErrorKind};
use failure::_core::fmt::{Display, Error, Formatter}; use failure::_core::fmt::{Display, Error, Formatter};
use failure::_core::str::FromStr; use failure::_core::str::FromStr;
use failure::_core::time::Duration; use failure::_core::time::Duration;
use std::io::Write; use std::io::{Read, Write};
use std::process::exit; use std::process::exit;
use std::thread; use std::thread;
use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256; use crate::util::sha256;
use std::borrow::Cow; use std::borrow::Cow;
use std::collections::HashSet;
use std::fs::File;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] #[derive(Debug, Eq, PartialEq, Clone)]
@@ -25,6 +27,12 @@ impl Display for HexEncoded {
} }
} }
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded { impl FromStr for HexEncoded {
type Err = hex::FromHexError; type Err = hex::FromHexError;
@@ -59,7 +67,7 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct Credentials { pub struct Credentials {
/// FIDO credential ids, seperated by ',' generate using fido2luks credential /// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")] #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>, pub ids: CommaSeparated<HexEncoded>,
} }
@@ -70,6 +78,10 @@ pub struct AuthenticatorParameters {
#[structopt(short = "P", long = "pin")] #[structopt(short = "P", long = "pin")]
pub pin: bool, pub pin: bool,
/// Location to read PIN from
#[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
pub pin_source: Option<PathBuf>,
/// Await for an authenticator to be connected, timeout after n seconds /// Await for an authenticator to be connected, timeout after n seconds
#[structopt( #[structopt(
long = "await-dev", long = "await-dev",
@@ -80,6 +92,18 @@ pub struct AuthenticatorParameters {
pub await_time: u64, pub await_time: u64,
} }
impl AuthenticatorParameters {
fn read_pin(&self) -> Fido2LuksResult<String> {
if let Some(src) = self.pin_source.as_ref() {
let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?;
Ok(pin)
} else {
util::read_password("Authenticator PIN", false)
}
}
}
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct LuksParameters { pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(env = "FIDO2LUKS_DEVICE")]
@@ -158,10 +182,6 @@ fn derive_secret(
Ok((sha256(&[salt, &unsalted[..]]), cred.clone())) Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
} }
fn read_pin() -> Fido2LuksResult<String> {
util::read_password("Authenticator PIN", false)
}
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct Args { pub struct Args {
/// Request passwords via Stdin instead of using the password helper /// Request passwords via Stdin instead of using the password helper
@@ -282,6 +302,45 @@ pub enum Command {
/// Check if an authenticator is connected /// Check if an authenticator is connected
#[structopt(name = "connected")] #[structopt(name = "connected")]
Connected, Connected,
Token(TokenCommand),
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
} }
pub fn parse_cmdline() -> Args { pub fn parse_cmdline() -> Args {
@@ -299,7 +358,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin {
pin_string = read_pin()?; pin_string = authenticator.read_pin()?;
Some(pin_string.as_ref()) Some(pin_string.as_ref())
} else { } else {
None None
@@ -316,7 +375,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin {
pin_string = read_pin()?; pin_string = authenticator.read_pin()?;
Some(pin_string.as_ref()) Some(pin_string.as_ref())
} else { } else {
None None
@@ -360,7 +419,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.. ..
} => { } => {
let pin = if authenticator.pin { let pin = if authenticator.pin {
Some(read_pin()?) Some(authenticator.read_pin()?)
} else { } else {
None None
}; };
@@ -371,7 +430,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain(&secret.password_helper)
} }
}; };
let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> { let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
match other_secret { match other_secret {
OtherSecret { OtherSecret {
keyfile: Some(file), keyfile: Some(file),
@@ -386,7 +447,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
pin.as_deref(), pin.as_deref(),
) )
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?), .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
_ => Ok((util::read_password(salt_q, verify)?.as_bytes().to_vec(), None)), _ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
} }
}; };
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> { let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
@@ -397,22 +461,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
pin.as_deref(), pin.as_deref(),
) )
}; };
let mut luks_dev = LuksDevice::load(&luks.device)?;
// Non overlap // Non overlap
match &args.command { match &args.command {
Command::AddKey { Command::AddKey { exclusive, .. } => {
exclusive, ..
} => {
let (existing_secret, _) = other_secret("Current password", false)?; let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?; let (new_secret, cred) = secret(true)?;
let added_slot = luks::add_key( let added_slot = luks_dev.add_key(
&luks.device,
&new_secret, &new_secret,
&existing_secret[..], &existing_secret[..],
luks_mod.kdf_time.or(Some(10)), luks_mod.kdf_time.or(Some(10)),
Some(&cred.id[..]).filter(|_| *token), Some(&cred.id[..]).filter(|_| *token),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?; let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
println!( println!(
"Added to key to device {}, slot: {}\nRemoved {} old keys", "Added to key to device {}, slot: {}\nRemoved {} old keys",
luks.device.display(), luks.device.display(),
@@ -432,16 +494,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let (existing_secret, _) = secret(false)?; let (existing_secret, _) = secret(false)?;
let (replacement_secret, cred) = other_secret("Replacement password", true)?; let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key( luks_dev.add_key(
&luks.device,
&replacement_secret[..], &replacement_secret[..],
&existing_secret, &existing_secret,
luks_mod.kdf_time, luks_mod.kdf_time,
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]), cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
) )
} else { } else {
luks::replace_key( luks_dev.replace_key(
&luks.device,
&replacement_secret[..], &replacement_secret[..],
&existing_secret, &existing_secret,
luks_mod.kdf_time, luks_mod.kdf_time,
@@ -475,7 +535,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => { } => {
let pin_string; let pin_string;
let pin = if authenticator.pin { let pin = if authenticator.pin {
pin_string = read_pin()?; pin_string = authenticator.read_pin()?;
Some(pin_string.as_ref()) Some(pin_string.as_ref())
} else { } else {
None None
@@ -499,14 +559,12 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}; };
let mut retries = *retries; let mut retries = *retries;
let mut luks_dev = LuksDevice::load(&luks.device)?;
loop { loop {
let secret = match &args.command { let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0)) Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| { .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
luks::open_container(&luks.device, &name, &secret, luks.slot) Command::OpenToken { .. } => luks_dev.activate_token(
}),
Command::OpenToken { .. } => luks::open_container_token(
&luks.device,
&name, &name,
Box::new(|credentials: Vec<String>| { Box::new(|credentials: Vec<String>| {
let creds = credentials let creds = credentials
@@ -516,6 +574,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret(Cow::Owned(creds)) secret(Cow::Owned(creds))
.map(|(secret, cred)| (secret, hex::encode(&cred.id))) .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}), }),
luks.slot,
), ),
_ => unreachable!(), _ => unreachable!(),
}; };
@@ -531,7 +590,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
retries -= 1; retries -= 1;
eprintln!("{}", e); eprintln!("{}", e);
} }
res => break res, res => break res.map(|_| ()),
} }
} }
} }
@@ -542,5 +601,129 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
_ => exit(1), _ => exit(1),
}, },
Command::Token(cmd) => match cmd {
TokenCommand::List {
device,
csv: dump_credentials,
} => {
let mut dev = LuksDevice::load(device)?;
let mut creds = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
for cred in token.credential.iter() {
if !creds.contains(cred) {
creds.push(cred.clone());
if *dump_credentials {
print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
}
}
}
if *dump_credentials {
continue;
}
println!(
"{}:\n\tSlots: {}\n\tCredentials: {}",
id,
if token.keyslots.is_empty() {
"None".into()
} else {
token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
},
token
.credential
.iter()
.map(|cred| format!(
"{} ({})",
cred,
creds.iter().position(|c| c == cred).unwrap().to_string()
))
.collect::<Vec<_>>()
.join(",")
);
}
if *dump_credentials {
println!();
}
Ok(())
}
TokenCommand::Add {
device,
credentials,
slot,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
tokens.push((id, token));
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
1
} else {
tokens.len()
};
for (id, mut token) in tokens {
token
.credential
.extend(credentials.ids.0.iter().map(|h| h.to_string()));
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::Remove {
device,
credentials,
token_id,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if let Some(token_id) = token_id {
if id == *token_id {
tokens.push((id, token));
}
} else {
tokens.push((id, token));
}
}
let count = tokens.len();
for (id, mut token) in tokens {
token.credential = token
.credential
.into_iter()
.filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
.collect();
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::GC { device } => {
let mut dev = LuksDevice::load(device)?;
let mut creds: HashSet<String> = HashSet::new();
let mut remove = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.is_empty() || token.credential.is_empty() {
creds.extend(token.credential);
remove.push(id);
}
}
for id in remove.iter().rev() {
dev.remove_token(*id)?;
}
println!(
"Removed {} tokens, affected credentials: {}",
remove.len(),
creds.into_iter().collect::<Vec<_>>().join(",")
);
Ok(())
}
},
} }
} }

7
src/config.rs
View File

@@ -135,10 +135,9 @@ impl PasswordHelper {
Systemd => unimplemented!(), Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?), Stdin => Ok(util::read_password("Password", true)?),
Script(password_helper) => { Script(password_helper) => {
let mut helper_parts = password_helper.split(' '); let password = Command::new("sh")
.arg("-c")
let password = Command::new((&mut helper_parts).next().unwrap()) .arg(&password_helper)
.args(helper_parts)
.output() .output()
.map_err(|e| Fido2LuksError::AskPassError { .map_err(|e| Fido2LuksError::AskPassError {
cause: error::AskPassError::IO(e), cause: error::AskPassError::IO(e),

6
src/error.rs
View File

@@ -75,6 +75,12 @@ impl LuksError {
} }
} }
impl From<LuksError> for Fido2LuksError {
fn from(e: LuksError) -> Self {
Fido2LuksError::LuksError { cause: e }
}
}
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::io::ErrorKind; use std::io::ErrorKind;
use std::string::FromUtf8Error; use std::string::FromUtf8Error;

514
src/luks.rs
View File

@@ -7,235 +7,321 @@ use libcryptsetup_rs::{
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { pub struct LuksDevice {
let mut device = CryptInit::init(path.as_ref())?; device: CryptDevice,
device.context_handle().load::<()>(None, None)?; luks2: Option<bool>,
Ok(device)
} }
fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> { impl LuksDevice {
match device.format_handle().get_type()? { pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
EncryptionFormat::Luks2 => Ok(()), let mut device = CryptInit::init(path.as_ref())?;
_ => Err(Fido2LuksError::LuksError { device.context_handle().load::<()>(None, None)?;
cause: LuksError::Luks2Required, Ok(Self {
}), device,
luks2: None,
})
}
pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
if let Some(luks2) = self.luks2 {
Ok(luks2)
} else {
self.luks2 = Some(match self.device.format_handle().get_type()? {
EncryptionFormat::Luks2 => true,
_ => false,
});
self.is_luks2()
}
}
fn require_luks2(&mut self) -> Fido2LuksResult<()> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
Ok(())
}
pub fn tokens<'a>(
&'a mut self,
) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
{
self.require_luks2()?;
Ok(Box::new(
(0..32)
.map(move |i| {
let status = match self.device.token_handle().status(i) {
Ok(status) => status,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
match status {
CryptTokenInfo::Inactive => return None,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != Fido2LuksToken::default_type() =>
{
return None
}
_ => (),
};
let json = match self.device.token_handle().json_get(i) {
Ok(json) => json,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
let info: Fido2LuksToken =
match serde_json::from_value(json.clone()).map_err(|_| {
Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
}
}) {
Ok(info) => info,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
Some(Ok((i, info)))
})
.filter_map(|o| o),
))
}
pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
let slot_str = slot.to_string();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot_str) {
return Ok(Some((id, token)));
}
}
Ok(None)
}
pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
Ok(())
}
pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::RemoveToken(token))?;
Ok(())
}
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&data).unwrap(),
))?;
Ok(())
}
pub fn add_key(
&mut self,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis)
}
let slot = self
.device
.keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
Ok(slot)
}
pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut destroyed = 0;
let mut tokens = Vec::new();
for slot in 0..256 {
match self.device.keyslot_handle().status(slot)? {
KeyslotInfo::Inactive => continue,
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
if self.is_luks2()? {
if let Some((id, _token)) = self.find_token(slot)? {
tokens.push(id);
}
}
self.device.keyslot_handle().destroy(slot)?;
destroyed += 1;
}
KeyslotInfo::ActiveLast => break,
_ => (),
}
if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break;
}
}
// Ensure indices stay valid
tokens.sort();
for token in tokens.iter().rev() {
self.remove_token(*token)?;
}
Ok(destroyed)
}
pub fn replace_key(
&mut self,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis)
}
// Use activate dry-run to locate keyslot
let slot = self.device.activate_handle().activate_by_passphrase(
None,
None,
old_secret,
CryptActivateFlags::empty(),
)?;
self.device.keyslot_handle().change_by_passphrase(
Some(slot),
Some(slot),
old_secret,
secret,
)? as u32;
if let Some(id) = credential_id {
if self.is_luks2()? {
let token = self.find_token(slot)?.map(|(t, _)| t);
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
if let Some(token) = token {
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?;
} else {
self.device
.token_handle()
.json_set(TokenInput::AddToken(&json))?;
}
}
}
Ok(slot)
}
pub fn activate(
&mut self,
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.map_err(LuksError::activate)
}
pub fn activate_token(
&mut self,
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
for token in self.tokens()? {
let token = match token {
Ok((_id, t)) => t,
_ => continue, // An corrupted token should't lock the user out
};
let slots = || {
token
.keyslots
.iter()
.filter_map(|slot| slot.parse::<u32>().ok())
};
for cred in token.credential.iter() {
creds
.entry(cred.clone())
.or_insert_with(|| slots().collect::<HashSet<u32>>())
.extend(slots());
}
}
if creds.is_empty() {
return Err(Fido2LuksError::LuksError {
cause: LuksError::NoToken,
});
}
let (secret, credential) = secret(creds.keys().cloned().collect())?;
let empty;
let slots = if let Some(slots) = creds.get(&credential) {
slots
} else {
empty = HashSet::new();
&empty
};
//Try slots associated with the credential used
let slots = slots.iter().cloned().map(Option::Some).chain(
std::iter::once(slot_hint) // Try slot hint if there is one
.take(slot_hint.is_some() as usize)
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
}
Err(Fido2LuksError::WrongSecret)
} }
} }
#[derive(Debug, Clone, Serialize, Deserialize)] #[derive(Debug, Clone, Serialize, Deserialize)]
struct Fido2LuksToken { pub struct Fido2LuksToken {
#[serde(rename = "type")] #[serde(rename = "type")]
type_: String, pub type_: String,
credential: Vec<String>, pub credential: HashSet<String>,
keyslots: Vec<String>, pub keyslots: HashSet<String>,
} }
impl Fido2LuksToken { impl Fido2LuksToken {
fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self { pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot)
}
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I,
slot: u32,
) -> Self {
Self { Self {
type_: "fido2luks\0".into(), // Doubles as c style string credential: credentials
credential: vec![hex::encode(credential_id)], .into_iter()
keyslots: vec![slot.to_string()], .map(|cred| hex::encode(cred.as_ref()))
.collect(),
keyslots: vec![slot.to_string()].into_iter().collect(),
..Default::default()
} }
} }
pub fn default_type() -> &'static str {
"fido2luks"
}
} }
pub fn open_container<P: AsRef<Path>>( impl Default for Fido2LuksToken {
path: P, fn default() -> Self {
name: &str, Self {
secret: &[u8], type_: Self::default_type().into(),
slot_hint: Option<u32>, credential: HashSet::new(),
) -> Fido2LuksResult<()> { keyslots: HashSet::new(),
let mut device = load_device_handle(path)?;
device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.map(|_slot| ())
.map_err(|_e| Fido2LuksError::WrongSecret)
}
pub fn open_container_token<P: AsRef<Path>>(
path: P,
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
) -> Fido2LuksResult<()> {
let mut device = load_device_handle(path)?;
check_luks2(&mut device)?;
let mut creds = HashMap::new();
for i in 0..256 {
let status = device.token_handle().status(i)?;
match status {
CryptTokenInfo::Inactive => break,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != "fido2luks" =>
{
continue
}
_ => (),
};
let json = device.token_handle().json_get(i)?;
let info: Fido2LuksToken =
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
})?;
let slots = || {
info.keyslots
.iter()
.filter_map(|slot| slot.parse::<u32>().ok())
};
for cred in info.credential.iter().cloned() {
creds
.entry(cred)
.or_insert_with(|| slots().collect::<HashSet<u32>>())
.extend(slots());
} }
} }
if creds.is_empty() {
return Err(Fido2LuksError::LuksError {
cause: LuksError::NoToken,
});
}
let (secret, credential) = secret(creds.keys().cloned().collect())?;
let slots = creds.get(&credential).unwrap();
let slots = slots
.iter()
.cloned()
.map(Option::Some)
.chain(std::iter::once(None).take(slots.is_empty() as usize));
for slot in slots {
match device
.activate_handle()
.activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
.map(|_slot| ())
.map_err(LuksError::activate)
{
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
}
Err(Fido2LuksError::WrongSecret)
}
pub fn add_key<P: AsRef<Path>>(
path: P,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis)
}
let slot = device
.keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
/* if let e @ Err(_) = check_luks2(&mut device) {
//rollback
device.keyslot_handle(Some(slot)).destroy()?;
return e.map(|_| 0u32);
}*/
device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
Ok(slot)
}
fn find_token(
device: &mut CryptDevice,
slot: u32,
) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
for i in 0..256 {
let status = device.token_handle().status(i)?;
match status {
CryptTokenInfo::Inactive => break,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != "fido2luks" =>
{
continue
}
_ => (),
};
let json = device.token_handle().json_get(i)?;
let info: Fido2LuksToken =
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
})?;
if info.keyslots.contains(&slot.to_string()) {
return Ok(Some((i, info)));
}
}
Ok(None)
}
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
let mut destroyed = 0;
let mut tokens = Vec::new();
for slot in 0..256 {
match device.keyslot_handle().status(slot)? {
KeyslotInfo::Inactive => continue,
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
if let Ok(_) = check_luks2(&mut device) {
if let Some((token, _)) = find_token(&mut device, slot)? {
tokens.push(token);
}
}
device.keyslot_handle().destroy(slot)?;
destroyed += 1;
}
KeyslotInfo::ActiveLast => break,
_ => (),
}
if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break;
}
}
// Ensure indices stay valid
tokens.sort();
for token in tokens.iter().rev() {
device
.token_handle()
.json_set(TokenInput::RemoveToken(*token))?;
}
Ok(destroyed)
}
pub fn replace_key<P: AsRef<Path>>(
path: P,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
// Set iteration time not sure wether this applies to luks2 as well
if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis)
}
let slot = device
.keyslot_handle()
.change_by_passphrase(None, None, old_secret, secret)? as u32;
if let Some(id) = credential_id {
if check_luks2(&mut device).is_ok() {
let token = find_token(&mut device, slot)?.map(|(t, _)| t);
if let Some(token) = token {
device.token_handle().json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
}
}
Ok(slot)
} }

3
src/main.rs
View File

@@ -21,10 +21,7 @@ mod util;
fn main() -> Fido2LuksResult<()> { fn main() -> Fido2LuksResult<()> {
match run_cli() { match run_cli() {
Err(e) => { Err(e) => {
#[cfg(debug_assertions)]
eprintln!("{:?}", e); eprintln!("{:?}", e);
#[cfg(not(debug_assertions))]
eprintln!("{}", e);
exit(e.exit_code()) exit(e.exit_code())
} }
_ => exit(0), _ => exit(0),