shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:0.3.0-alpha
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:retry_pin
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

2 Commits
0.3.0-alph ... retry_pin

Author SHA1 Message Date
shimun
4ee5965bfa added: retry pin 2022-01-24 14:36:07 +01:00
shimun
b939e9efcd added: allow-discards env var 2022-01-24 14:19:04 +01:00
13 changed files with 781 additions and 941 deletions
Expand all files Collapse all files

32
.github/workflows/current.yml vendored
View File

@@ -1,32 +0,0 @@
# This is a basic workflow to help you get started with Actions
name: Current
# Controls when the workflow will run
on:
schedule:
- cron: '0 22 * * 6'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v4
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
- name: Build Nix Package nixos-unstable
run: nix build --override-input nixpkgs github:nixos/nixpkgs/nixos-unstable --show-trace

33
.github/workflows/locked.yml vendored
View File

@@ -1,33 +0,0 @@
# This is a basic workflow to help you get started with Actions
name: Locked
# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the "master" branch
push:
branches: '*'
pull_request:
branches: '*'
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v4
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
- name: Build Nix Package
run: nix build -j 10 --show-trace

1253
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

15
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.3.1-alpha" version = "0.3.0-alpha"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -14,26 +14,25 @@ categories = ["command-line-utilities"]
license = "MPL-2.0" license = "MPL-2.0"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.16.5" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = "0.9.1" libcryptsetup-rs = "0.4.2"
serde_json = "1.0.51" serde_json = "1.0.51"
serde_derive = "1.0.116" serde_derive = "1.0.116"
serde = "1.0.116" serde = "1.0.116"
anyhow = "1.0.56"
ctap-hid-fido2 = "3.4.1"
[build-dependencies] [build-dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.16.5" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
libcryptsetup-rs = "0.9.1" libcryptsetup-rs = "0.4.1"
structopt = "0.3.2" structopt = "0.3.2"
anyhow = "1.0.56"
[profile.release] [profile.release]
lto = true lto = true

8
build.rs
View File

@@ -1,6 +1,7 @@
#![allow(warnings)] #![allow(warnings)]
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap;
#[path = "src/cli_args/mod.rs"] #[path = "src/cli_args/mod.rs"]
mod cli_args; mod cli_args;
@@ -11,22 +12,17 @@ mod util;
use cli_args::Args; use cli_args::Args;
use std::env; use std::env;
use std::fs;
use std::path::PathBuf;
use std::str::FromStr; use std::str::FromStr;
use structopt::clap::Shell; use structopt::clap::Shell;
use structopt::StructOpt; use structopt::StructOpt;
fn main() { fn main() {
let env_outdir = env::var_os("OUT_DIR").unwrap();
let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
fs::create_dir_all(&outdir).unwrap();
// generate completion scripts, zsh does panic for some reason // generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") { for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions( Args::clap().gen_completions(
env!("CARGO_PKG_NAME"), env!("CARGO_PKG_NAME"),
Shell::from_str(shell).unwrap(), Shell::from_str(shell).unwrap(),
&outdir, env!("CARGO_MANIFEST_DIR"),
); );
} }
} }

40
flake.lock generated
View File

@@ -7,26 +7,26 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1698420672, "lastModified": 1639051343,
"narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=", "narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=",
"owner": "nix-community", "owner": "nmattia",
"repo": "naersk", "repo": "naersk",
"rev": "aeb58d5e8faead8980a807c840232697982d47b9", "rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nmattia",
"repo": "naersk", "repo": "naersk",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1705496572, "lastModified": 1638109994,
"narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=", "narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19", "rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -41,31 +41,13 @@
"utils": "utils" "utils": "utils"
} }
}, },
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"inputs": {
"systems": "systems"
},
"locked": { "locked": {
"lastModified": 1705309234, "lastModified": 1638122382,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github" "type": "github"
}, },
"original": { "original": {

12
flake.nix
View File

@@ -4,7 +4,7 @@
inputs = { inputs = {
utils.url = "github:numtide/flake-utils"; utils.url = "github:numtide/flake-utils";
naersk = { naersk = {
url = "github:nix-community/naersk"; url = "github:nmattia/naersk";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
@@ -16,17 +16,17 @@
forPkgs = pkgs: forPkgs = pkgs:
let let
naersk-lib = naersk.lib."${pkgs.system}"; naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup cryptsetup.dev udev.dev ]; buildInputs = with pkgs; [ cryptsetup ];
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [
rustPlatform.bindgenHook pkgconfig
pkg-config
clang clang
]; ];
in in
rec { rec {
# `nix build` # `nix build`
packages.${pname} = naersk-lib.buildPackage { packages.${pname} = naersk-lib.buildPackage {
inherit pname root buildInputs nativeBuildInputs; inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
}; };
defaultPackage = packages.${pname}; defaultPackage = packages.${pname};
@@ -51,7 +51,7 @@
# `nix develop` # `nix develop`
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs; nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
inherit buildInputs; inherit buildInputs LIBCLANG_PATH;
}; };
}; };
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}"; forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";

101
src/cli.rs
View File

@@ -4,13 +4,14 @@ use crate::util::sha256;
use crate::*; use crate::*;
pub use cli_args::Args; pub use cli_args::Args;
use cli_args::*; use cli_args::*;
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor; use ctap::{FidoCredential, FidoErrorKind};
use std::borrow::Cow; use std::borrow::Cow;
use std::collections::HashSet; use std::collections::HashSet;
use std::io::Write; use std::io::Write;
use std::iter::FromIterator; use std::iter::FromIterator;
use std::path::Path; use std::path::Path;
use std::str::FromStr; use std::str::FromStr;
use std::thread;
use std::time::Duration; use std::time::Duration;
use std::time::SystemTime; use std::time::SystemTime;
use structopt::clap::Shell; use structopt::clap::Shell;
@@ -25,31 +26,31 @@ fn derive_secret(
salt: &[u8; 32], salt: &[u8; 32],
timeout: u64, timeout: u64,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> { ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
if credentials.is_empty() { if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials); return Err(Fido2LuksError::InsufficientCredentials);
} }
let timeout = Duration::from_secs(timeout); let timeout = Duration::from_secs(timeout);
let start = SystemTime::now(); let start = SystemTime::now();
//while let Ok(el) = start.elapsed() { while let Ok(el) = start.elapsed() {
// if el > timeout { if el > timeout {
// return Err(error::Fido2LuksError::NoAuthenticatorError); return Err(error::Fido2LuksError::NoAuthenticatorError);
// } }
// if get_devices() if get_devices()
// .map(|devices| !devices.is_empty()) .map(|devices| !devices.is_empty())
// .unwrap_or(false) .unwrap_or(false)
// { {
// break; break;
// } }
// thread::sleep(Duration::from_millis(500)); thread::sleep(Duration::from_millis(500));
//} }
let credentials = credentials let credentials = credentials
.iter() .iter()
.map(|hex| PublicKeyCredentialDescriptor { .map(|hex| FidoCredential {
id: hex.0.clone(), id: hex.0.clone(),
ctype: Default::default(), public_key: None,
}) })
.collect::<Vec<_>>(); .collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>(); let credentials = credentials.iter().collect::<Vec<_>>();
@@ -181,8 +182,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else { } else {
None None
}; };
let cred = let cred = make_credential_id(Some(name.as_ref()), pin)?;
make_credential_id(Some(name.as_str()).filter(|name| name.len() > 0), pin, &[])?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
@@ -289,10 +289,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let other_secret = |salt_q: &str, let other_secret = |salt_q: &str,
verify: bool| verify: bool|
-> Fido2LuksResult<( -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
Vec<u8>,
Option<PublicKeyCredentialDescriptor>,
)> {
match other_secret { match other_secret {
OtherSecret { OtherSecret {
keyfile: Some(file), keyfile: Some(file),
@@ -317,38 +314,22 @@ pub fn run_cli() -> Fido2LuksResult<()> {
)), )),
} }
}; };
let secret = let secret = |q: &str,
|q: &str, verify: bool,
verify: bool, credentials: &[HexEncoded]|
credentials: &[HexEncoded]| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
-> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> { let (pin, salt) = inputs(q, verify)?;
let (pin, salt) = inputs(q, verify)?; prompt_interaction(interactive);
prompt_interaction(interactive); derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref()) };
};
// Non overlap // Non overlap
match &args.command { match &args.command {
Command::AddKey { Command::AddKey {
exclusive, exclusive,
generate_credential, generate_credential,
comment,
.. ..
} => { } => {
let (existing_secret, existing_credential) = let (existing_secret, _) = other_secret("Current password", false)?;
other_secret("Current password", false)?;
let excluded_credential = existing_credential.as_ref();
let exclude_list = excluded_credential
.as_ref()
.map(core::slice::from_ref)
.unwrap_or_default();
existing_credential.iter().for_each(|cred| {
log(&|| {
format!(
"using credential to unlock container: {}",
hex::encode(&cred.id)
)
})
});
let (new_secret, cred) = if *generate_credential && luks2 { let (new_secret, cred) = if *generate_credential && luks2 {
let cred = make_credential_id( let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()), Some(derive_credential_name(luks.device.as_path()).as_str()),
@@ -359,7 +340,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
None None
}) })
.as_deref(), .as_deref(),
dbg!(exclude_list),
)?; )?;
log(&|| { log(&|| {
format!( format!(
@@ -381,7 +361,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Some(&cred.id[..]) Some(&cred.id[..])
.filter(|_| !luks.disable_token || *generate_credential) .filter(|_| !luks.disable_token || *generate_credential)
.filter(|_| luks2), .filter(|_| luks2),
comment.as_deref().map(String::from),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks_dev.remove_keyslots(&[added_slot])?; let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
@@ -417,7 +396,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.filter(|_| !luks.disable_token) .filter(|_| !luks.disable_token)
.filter(|_| luks2) .filter(|_| luks2)
.map(|cred| &cred.id[..]), .map(|cred| &cred.id[..]),
None,
) )
} else { } else {
let slot = luks_dev.replace_key( let slot = luks_dev.replace_key(
@@ -523,8 +501,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => {} Fido2LuksError::WrongSecret if retries > 0 => {}
//Fido2LuksError::AuthenticatorError { ref cause } Fido2LuksError::AuthenticatorError { ref cause }
// if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {} if match cause.kind() {
FidoErrorKind::Timeout => true,
FidoErrorKind::CborError(e) if e.code() == 0x33 => true,
_ => false,
} && retries > 0 => {}
e => return Err(e), e => return Err(e),
}; };
retries -= 1; retries -= 1;
@@ -565,13 +548,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
continue; continue;
} }
println!( println!(
"{}{}:\n\tSlots: {}\n\tCredentials: {}", "{}:\n\tSlots: {}\n\tCredentials: {}",
id, id,
token
.comment
.as_deref()
.map(|comment| format!(" - {}", comment))
.unwrap_or_default(),
if token.keyslots.is_empty() { if token.keyslots.is_empty() {
"None".into() "None".into()
} else { } else {
@@ -597,7 +575,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
TokenCommand::Add { TokenCommand::Add {
device, device,
credentials, credentials,
comment,
slot, slot,
} => { } => {
let mut dev = LuksDevice::load(device)?; let mut dev = LuksDevice::load(device)?;
@@ -609,11 +586,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
} }
let count = if tokens.is_empty() { let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials( dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
&credentials.0,
*slot,
comment.as_deref().map(String::from),
))?;
1 1
} else { } else {
tokens.len() tokens.len()

10
src/cli_args/mod.rs
View File

@@ -189,9 +189,6 @@ pub enum Command {
luks: LuksParameters, luks: LuksParameters,
#[structopt(flatten)] #[structopt(flatten)]
credentials: Credentials, credentials: Credentials,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
#[structopt(flatten)] #[structopt(flatten)]
authenticator: AuthenticatorParameters, authenticator: AuthenticatorParameters,
#[structopt(flatten)] #[structopt(flatten)]
@@ -248,7 +245,7 @@ pub enum Command {
#[structopt(long = "dry-run")] #[structopt(long = "dry-run")]
dry_run: bool, dry_run: bool,
/// Pass SSD trim instructions to the underlying block device /// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")] #[structopt(long = "allow-discards", env = "FIDO2LUKS_ALLOW_DISCARDS")]
allow_discards: bool, allow_discards: bool,
}, },
/// Generate a new FIDO credential /// Generate a new FIDO credential
@@ -257,7 +254,7 @@ pub enum Command {
#[structopt(flatten)] #[structopt(flatten)]
authenticator: AuthenticatorParameters, authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator display /// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")] #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
name: String, name: String,
}, },
/// Check if an authenticator is connected /// Check if an authenticator is connected
@@ -298,9 +295,6 @@ pub enum TokenCommand {
long = "creds" long = "creds"
)] )]
credentials: CommaSeparated<HexEncoded>, credentials: CommaSeparated<HexEncoded>,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
/// Slot to which the credentials will be added /// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")] #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32, slot: u32,

161
src/device.rs
View File

@@ -1,133 +1,84 @@
use crate::error::*; use crate::error::*;
use crate::util; use crate::util;
use ctap_hid_fido2; use ctap::{
use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params; self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
use ctap_hid_fido2::fidokey::make_credential::make_credential_params; FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder; };
use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
use ctap_hid_fido2::get_fidokey_devices;
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
use ctap_hid_fido2::FidoKeyHidFactory;
use ctap_hid_fido2::HidInfo;
use ctap_hid_fido2::LibCfg;
use std::time::Duration; use std::time::Duration;
const RP_ID: &str = "fido2luks"; const RP_ID: &str = "fido2luks";
fn lib_cfg() -> LibCfg {
let mut cfg = LibCfg::init();
cfg.enable_log = false;
cfg.keep_alive_msg = String::new();
cfg
}
pub fn make_credential_id( pub fn make_credential_id(
name: Option<&str>, name: Option<&str>,
pin: Option<&str>, pin: Option<&str>,
exclude: &[&PublicKeyCredentialDescriptor], ) -> Fido2LuksResult<FidoCredential> {
) -> Fido2LuksResult<PublicKeyCredentialDescriptor> { let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[]) if let Some(user_name) = name {
.extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]); request = request.user_name(user_name);
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
} }
for cred in exclude { let request = request.build().unwrap();
req = req.exclude_authenticator(cred.id.as_ref()); let make_credential = |device: &mut FidoDevice| {
} if let Some(pin) = pin.filter(|_| device.needs_pin()) {
if let Some(_) = name { device.unlock(pin)?;
req = req.user_entity(&PublicKeyCredentialUserEntity::new(
Some(b"00"),
name.clone(),
name,
));
}
let devices = get_devices()?;
let mut err: Option<Fido2LuksError> = None;
let req = req.build();
for dev in devices {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
match handle.make_credential_with_args(&req) {
Ok(resp) => return Ok(resp.credential_descriptor),
Err(e) => err = Some(e.into()),
} }
} device.make_hmac_credential(&request)
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError)) };
Ok(request_multiple_devices(
get_devices()?
.iter_mut()
.map(|device| (device, &make_credential)),
None,
)?)
} }
pub fn perform_challenge<'a>( pub fn perform_challenge<'a>(
credentials: &'a [&'a PublicKeyCredentialDescriptor], credentials: &'a [&'a FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
_timeout: Duration, timeout: Duration,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> { ) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
if credentials.is_empty() { let request = FidoAssertionRequestBuilder::default()
return Err(Fido2LuksError::InsufficientCredentials); .rp_id(RP_ID)
} .credentials(credentials)
let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[ .build()
get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))), .unwrap();
]); let get_assertion = |device: &mut FidoDevice| {
for cred in credentials { if let Some(pin) = pin.filter(|_| device.needs_pin()) {
req = req.add_credential_id(&cred.id); device.unlock(pin)?;
}
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
}
let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
for att in resp {
for ext in att.extensions.iter() {
match ext {
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
//TODO: eliminate unwrap
let cred_used = credentials
.iter()
.copied()
.find(|cred| {
att.credential_id == cred.id
})
.unwrap();
return Ok((secret.clone(), cred_used));
}
_ => continue,
}
} }
} device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
Err(Fido2LuksError::WrongSecret)
}; };
let (credential, (secret, _)) = request_multiple_devices(
let devices = get_devices()?; get_devices()?
let mut err: Option<Fido2LuksError> = None; .iter_mut()
let req = req.build(); .map(|device| (device, &get_assertion)),
for dev in devices { Some(timeout),
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap(); )?;
match handle.get_assertion_with_args(&req) { Ok((secret, credential))
Ok(resp) => return process_response(resp),
Err(e) => err = Some(e.into()),
}
}
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
} }
pub fn may_require_pin() -> Fido2LuksResult<bool> { pub fn may_require_pin() -> Fido2LuksResult<bool> {
for dev in get_devices()? { for di in ctap::get_devices()? {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap(); if let Ok(dev) = FidoDevice::new(&di) {
let info = handle.get_info()?; if dev.needs_pin() {
let needs_pin = info return Ok(true);
.options }
.iter()
.any(|(name, val)| &name[..] == "clientPin" && *val);
if needs_pin {
return Ok(true);
} }
} }
Ok(false) Ok(false)
} }
pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> { pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
Ok(get_fidokey_devices()) let mut devices = Vec::with_capacity(2);
for di in ctap::get_devices()? {
match FidoDevice::new(&di) {
Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => return Err(FidoError::from(err).into()),
},
Ok(dev) => devices.push(dev),
}
}
Ok(devices)
} }

16
src/error.rs
View File

@@ -1,4 +1,4 @@
use anyhow; use ctap::FidoError;
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::io; use std::io;
use std::io::ErrorKind; use std::io::ErrorKind;
@@ -14,7 +14,7 @@ pub enum Fido2LuksError {
#[fail(display = "unable to read keyfile: {}", cause)] #[fail(display = "unable to read keyfile: {}", cause)]
KeyfileError { cause: io::Error }, KeyfileError { cause: io::Error },
#[fail(display = "authenticator error: {}", cause)] #[fail(display = "authenticator error: {}", cause)]
AuthenticatorError { cause: anyhow::Error }, AuthenticatorError { cause: ctap::FidoError },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = " {}", cause)] #[fail(display = " {}", cause)]
@@ -35,12 +35,6 @@ pub enum Fido2LuksError {
InsufficientCredentials, InsufficientCredentials,
} }
impl From<anyhow::Error> for Fido2LuksError {
fn from(cause: anyhow::Error) -> Self {
Fido2LuksError::AuthenticatorError { cause }
}
}
impl Fido2LuksError { impl Fido2LuksError {
pub fn exit_code(&self) -> i32 { pub fn exit_code(&self) -> i32 {
use Fido2LuksError::*; use Fido2LuksError::*;
@@ -97,6 +91,12 @@ impl From<LuksError> for Fido2LuksError {
} }
} }
impl From<FidoError> for Fido2LuksError {
fn from(e: FidoError) -> Self {
AuthenticatorError { cause: e }
}
}
impl From<LibcryptErr> for Fido2LuksError { impl From<LibcryptErr> for Fido2LuksError {
fn from(e: LibcryptErr) -> Self { fn from(e: LibcryptErr) -> Self {
match e { match e {

40
src/luks.rs
View File

@@ -1,8 +1,9 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::consts::flags::CryptActivate; use libcryptsetup_rs::{
use libcryptsetup_rs::consts::vals::{EncryptionFormat, KeyslotInfo}; CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
use libcryptsetup_rs::{CryptDevice, CryptInit, CryptTokenInfo, TokenInput}; EncryptionFormat, KeyslotInfo, TokenInput,
};
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
@@ -141,7 +142,6 @@ impl LuksDevice {
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>, credential_id: Option<&[u8]>,
comment: Option<String>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis) self.device.settings_handle().set_iteration_time(millis)
@@ -152,7 +152,7 @@ impl LuksDevice {
.add_by_passphrase(None, old_secret, secret)?; .add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id { if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken( self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(), &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?; ))?;
} }
@@ -204,7 +204,7 @@ impl LuksDevice {
None, None,
None, None,
old_secret, old_secret,
CryptActivate::empty(), CryptActivateFlags::empty(),
)?; )?;
// slot should stay the same but better be safe than sorry // slot should stay the same but better be safe than sorry
@@ -216,18 +216,9 @@ impl LuksDevice {
)? as u32; )? as u32;
if let Some(id) = credential_id { if let Some(id) = credential_id {
if self.is_luks2()? { if self.is_luks2()? {
let (token_id, token_data) = match self.find_token(slot)? { let token = self.find_token(slot)?.map(|(t, _)| t);
Some((id, data)) => (Some(id), Some(data)), let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
_ => (None, None), if let Some(token) = token {
};
let json = serde_json::to_value(&Fido2LuksToken::new(
id,
slot,
// retain comment on replace
token_data.map(|data| data.comment).flatten(),
))
.unwrap();
if let Some(token) = token_id {
self.device self.device
.token_handle() .token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?; .json_set(TokenInput::ReplaceToken(token, &json))?;
@@ -249,9 +240,9 @@ impl LuksDevice {
dry_run: bool, dry_run: bool,
allow_discard: bool, allow_discard: bool,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut flags = CryptActivate::empty(); let mut flags = CryptActivateFlags::empty();
if allow_discard { if allow_discard {
flags = flags | CryptActivate::ALLOW_DISCARDS; flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
} }
self.device self.device
.activate_handle() .activate_handle()
@@ -324,19 +315,16 @@ pub struct Fido2LuksToken {
pub type_: String, pub type_: String,
pub credential: HashSet<String>, pub credential: HashSet<String>,
pub keyslots: HashSet<String>, pub keyslots: HashSet<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
} }
impl Fido2LuksToken { impl Fido2LuksToken {
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self { pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot, comment) Self::with_credentials(std::iter::once(credential_id), slot)
} }
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>( pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I, credentials: I,
slot: u32, slot: u32,
comment: Option<String>,
) -> Self { ) -> Self {
Self { Self {
credential: credentials credential: credentials
@@ -344,7 +332,6 @@ impl Fido2LuksToken {
.map(|cred| hex::encode(cred.as_ref())) .map(|cred| hex::encode(cred.as_ref()))
.collect(), .collect(),
keyslots: vec![slot.to_string()].into_iter().collect(), keyslots: vec![slot.to_string()].into_iter().collect(),
comment,
..Default::default() ..Default::default()
} }
} }
@@ -359,7 +346,6 @@ impl Default for Fido2LuksToken {
type_: Self::default_type().into(), type_: Self::default_type().into(),
credential: HashSet::new(), credential: HashSet::new(),
keyslots: HashSet::new(), keyslots: HashSet::new(),
comment: None,
} }
} }
} }

1
src/main.rs
View File

@@ -1,5 +1,6 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use] #[macro_use]
extern crate serde_derive; extern crate serde_derive;
use crate::cli::*; use crate::cli::*;