shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:0.3.0
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:ctap-hid-fido2
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

16 Commits
0.3.0 ... ctap-hid-f

Author SHA1 Message Date
shimun
871b2863b2 fix: build env 2022-09-28 19:48:30 +02:00
shimun
f436ae538d chore: update 2022-07-28 15:10:28 +02:00
shimun
17c96090bd fix: ctap crate 2022-07-05 15:35:54 +02:00
shimun
fce6ea2e31 fix: use patched ctap-hid crate 2022-06-16 17:42:50 +02:00
shimun
b566af46f7 fix: prevent creation of rk credential 2022-06-15 01:16:06 +02:00
shimun
1f0d555cea added: comment field to luks header data 2022-04-15 17:06:11 +02:00
shimun
2255f224a5 bump version 2022-04-11 14:36:07 +02:00
shimun
581e1780d1 update ctap-hid 2022-04-10 17:23:25 +02:00
shimun
7daa5a3fdb use develop version 2022-04-04 10:57:57 +02:00
shimun
4e986b8f05 removed: keepalive msg 2022-03-29 15:58:51 +02:00
shimun
ca82293976 fix: reintroduce connected command 2022-03-29 15:58:16 +02:00
shimun
d5b043840f chore: migrate to ctap-hid-fido2 2022-03-27 10:00:12 +02:00
shimun
eb8d65eb4f switch to ctap-hid-fido2 2022-03-23 19:30:24 +01:00
shimun
f6c2bc4cdb added --allow-discards flag 2021-12-28 13:50:21 +01:00
shimun
4e7ef4b8b7 0.3.0-alpha notice 2021-12-11 11:52:40 +01:00
shimun
e1ad8b37c1 0.3.0-alpha 2021-12-11 11:51:07 +01:00
13 changed files with 914 additions and 1035 deletions
Expand all files Collapse all files

1240
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

15
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "fido2luks"
version = "0.3.0"
version = "0.3.1-alpha"
authors = ["shimunn <shimun@shimun.net>"]
edition = "2018"
@@ -14,24 +14,25 @@ categories = ["command-line-utilities"]
license = "MPL-2.0"
[dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
ring = "0.16.5"
failure = "0.1.5"
rpassword = "4.0.1"
structopt = "0.3.2"
libcryptsetup-rs = "0.4.2"
serde_json = "1.0.51"
serde_derive = "1.0.116"
serde = "1.0.116"
anyhow = "1.0.56"
ctap-hid-fido2 = "3.4.1"
libcryptsetup-rs = "0.5.1"
[build-dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
ring = "0.16.5"
failure = "0.1.5"
rpassword = "4.0.1"
libcryptsetup-rs = "0.4.1"
anyhow = "1.0.56"
libcryptsetup-rs = "0.5.1"
structopt = "0.3.2"
[profile.release]

161
README.md
View File

@@ -1,160 +1,7 @@
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
## Setup
### Prerequisites
```
dnf install clang cargo cryptsetup-devel -y
```
### Device
```
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
sudo -E cargo install -f --path . --root /usr
# Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
# Load config into env
set -a
. /etc/fido2luks.conf
# Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
# Test(only works if the luks container isn't active)
sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
```
### Dracut
```
cd dracut
sudo make install
```
### Grub
Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
```
grub2-mkconfig > /boot/grub2/grub.cfg
```
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
```
mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/
```
## Testing
Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
```
# Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
# which will enable you to use `fido2luks open-token` without passing a credential as parameter
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
```
## Addtional settings
### Password less
Remove your previous secret as described in the next section, in case you've already added one.
Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
but be warned that this password will be included to into your initramfs.
Import the new config into env:
```
set -a
. /etc/fido2luks.conf
```
Then add the new secret to each device and update dracut afterwards `dracut -f`
### Multiple keys
Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
```
FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
```
## Removal
Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
```
set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```
## Theory of operation
fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
```
+-------------------------------------------------------------------------------+
| |
| +-----------------------------------------+ |
| | FIDO2 device | |
| | | |
| | | |
+-------+--------+ +------+ | +---------------+ | | +------------------------+
| Salt/Password +-> |sha256+------------------------> | | | v | LUKS header |
+----------------+ +------+ | | | | | | +---------------+
| | | | +--------+ +------------------------+--------> |Disk master key|
| | sha256_hmac +---------> | sha256 +-------> | Keyslot 1 | +---------------+
+----------------+ | +----------+ | | | +--------+ +------------------------+
| FIDO credential+---------------> |Credential| +----> | | | | Keyslot 2 |
+----------------+ | |secret | | | | +------------------------+
| +----------+ +---------------+ |
| |
| |
+-----------------------------------------+
```
Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
in a completly different secret.
## License
Licensed under
* Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the MPL 2.0
license, shall be licensed as above, without any additional terms or
conditions.
## 0.3.0-alpha
This is just the program itself, all intitrid scripts are mostly taylored to the latest 0.2.x version and will most likely not work with 0.3.0 due to breaking changes in the CLI interface.
I've decided it release the version in this state since I just do not have the time now or in the forseeable future to tewak all scripts since it's quite an tedious tasks which involves rebooting VMs countless times.
If you're interested to adapt or write scripts for an particular distro I'd be more than happy to accept pull requests.

79
README_NEW.md
View File

@@ -1,79 +0,0 @@
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Installation
### From Source
Installing from source requires the following dependencies:
Ubuntu: `cargo, libclang-dev, libcryptsetup-dev >= 2.2`
Fedora: `cargo, clang-devel, cryptsetup-devel`
To compile the fido2luks binary you can simply run `sudo cargo install --root /usr fido2luks` but since you may want to install the scripts included it this repo as well,
it's recommended to clone the repo and install from there.
``
git clone https://github.com/shimunn/fido2luks.git
cargo install --root /usr --path fido2luks
``
Continue with further instructions for [Ubuntu](initramfs-tools) or [Fedora](dracut)
### From Package
Ubuntu: see [releases](https://github.com/shimunn/fido2luks/releases)
NixOS: https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2
ArchLinux:
* [AUR](https://aur.archlinux.org/packages/fido2luks/)
* [Git](PKGBUILD)
Fedora: coming soon
## Credentials
Depending on the version of cryptsetup and the age of your installation your LUKS header might be in the LUKS2 format already if that's the case fido2luks will be able to spare you from dealing with just another config file by simply storeing all the required information within your LUKS header.
If your header is still using the LUKS1 format you may convert it:
```
cryptsetup convert --type luks2 <device>
```
if you want to keep using LUKS1 due to other software such as pam_mount not being compatible with LUKS2 at the moment, you will have to generate credentials by hand an add them to `/etc/fido2luks.conf` otherwise you can skip this step.
```
fido2luks credential [optional name]
```
the generated hexadecimal credential can then be added to `FIDO2LUKS_CREDENTIAL_ID=` in `/etc/fido2luks.conf` multiple credentials can be separated by comma.
## Adding a Key
If you had to generate a credential in the previous step you'll have to provide it to the following commands as a parameter or via an environment variable:
```
set -a
. /etc/fido2luks.conf
```
To then add the key you need to have your current password/keyfile ready:
without having generated a credential in the previous step: `fido2luks -i add-key --gen-cred <device>`
with a keyfile: `fido2luks -i add-key --keyfile <path-to-keyfile <device>`
if you've confirmed at a later stage that everything works as expected you may want to remove your keyfile/password by running the previous commands with the `--exclusive` flag which will remove all other keys from the device.
## Replacing a Key
with password: `fido2luks -i replace-key <device>`
with keyfile: `fido2luks -i replace-key -d <path-to-keyfile> <device>`
with another fido2 derived key: `fido2luks -i replace-key -f <device>`

8
build.rs
View File

@@ -1,7 +1,6 @@
#![allow(warnings)]
#[macro_use]
extern crate failure;
extern crate ctap_hmac as ctap;
#[path = "src/cli_args/mod.rs"]
mod cli_args;
@@ -12,17 +11,22 @@ mod util;
use cli_args::Args;
use std::env;
use std::fs;
use std::path::PathBuf;
use std::str::FromStr;
use structopt::clap::Shell;
use structopt::StructOpt;
fn main() {
let env_outdir = env::var_os("OUT_DIR").unwrap();
let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
fs::create_dir_all(&outdir).unwrap();
// generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
Shell::from_str(shell).unwrap(),
env!("CARGO_MANIFEST_DIR"),
&outdir,
);
}
}

18
flake.lock generated
View File

@@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1639051343,
"narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=",
"lastModified": 1639947939,
"narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
"owner": "nmattia",
"repo": "naersk",
"rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74",
"rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
"type": "github"
},
"original": {
@@ -22,11 +22,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1638109994,
"narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
"lastModified": 1647282937,
"narHash": "sha256-K8Oo6QyFCfiEWTRpQVfzcwI3YNMKlz6Tu8rr+o3rzRQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
"rev": "64fc73bd74f04d3e10cb4e70e1c65b92337e76db",
"type": "github"
},
"original": {
@@ -43,11 +43,11 @@
},
"utils": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"lastModified": 1644229661,
"narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
"type": "github"
},
"original": {

91
flake.nix
View File

@@ -9,32 +9,42 @@
};
};
outputs = { self, nixpkgs, utils, naersk }:
outputs = inputs @ { self, nixpkgs, utils, naersk, ... }:
let
root = ./.;
pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
forPkgs = pkgs:
let
naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup ];
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
nativeBuildInputs = with pkgs; [
pkgconfig
clang
];
in
root = inputs.source or self;
pname = (builtins.fromTOML (builtins.readFile (root + "/Cargo.toml"))).package.name;
# toolchains: stable, beta, default(nightly)
toolchain = pkgs: if inputs ? fenix then inputs.fenix.packages."${pkgs.system}".complete.toolchain
else with pkgs; symlinkJoin { name = "rust-toolchain"; paths = [ rustc cargo ]; };
forSystem = system:
let
pkgs = nixpkgs.legacyPackages."${system}";
in
rec {
# `nix build`
packages.${pname} = naersk-lib.buildPackage {
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
};
defaultPackage = packages.${pname};
packages.${pname} = (self.overlay pkgs pkgs).${pname};
packages.dockerImage = pkgs.runCommandLocal "docker-${pname}.tar.gz" {} "${apps.streamDockerImage.program} | gzip --fast > $out";
packages.default = packages.${pname};
# `nix run`
apps.${pname} = utils.lib.mkApp {
drv = packages.${pname};
};
defaultApp = apps.${pname};
# `nix run .#streamDockerImage | docker load`
apps.streamDockerImage = utils.lib.mkApp {
drv = with pkgs; dockerTools.streamLayeredImage {
name = pname;
tag = self.shortRev or "latest";
config = {
Entrypoint = apps.default.program;
};
};
exePath = "";
};
apps.default = apps.${pname};
# `nix flake check`
checks = {
@@ -49,15 +59,42 @@
hydraJobs = checks // packages;
# `nix develop`
devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
inherit buildInputs LIBCLANG_PATH;
devShell = pkgs.mkShell rec {
RUST_SRC_PATH = "${if inputs ? fenix then "${toolchain pkgs}/lib/rustlib" else pkgs.rustPlatform.rustLibSrc}";
nativeBuildInputs = with pkgs; [ (toolchain pkgs) cargo-edit rustfmt nixpkgs-fmt ] ++ packages.default.nativeBuildInputs;
inherit (packages.default) buildInputs LIBCLANG_PATH;
shellHook = ''
printf "Rust version:"
rustc --version
printf "\nbuild inputs: ${pkgs.lib.concatStringsSep ", " (map (bi: bi.name) (buildInputs ++ nativeBuildInputs))}"
'';
};
};
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
in
(utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
overlay = final: prev: (forPkgs final).packages;
};
};
in
(utils.lib.eachDefaultSystem forSystem) // {
overlays.pinned = final: prev: (self.overlay final (import nixpkgs {
inherit (final) localSystem;
})).packages;
overlay = final: prev:
let
naersk-lib = naersk.lib."${final.system}".override {
rustc = toolchain prev;
cargo = toolchain prev;
};
buildInputs = with prev; [
udev cryptsetup.dev
];
nativeBuildInputs = with prev; [
pkg-config clang
];
in
{
"${pname}" =
naersk-lib.buildPackage {
LIBCLANG_PATH = "${final.llvmPackages.libclang.lib}/lib";
inherit pname root buildInputs nativeBuildInputs;
};
};
};
}

102
src/cli.rs
View File

@@ -4,14 +4,13 @@ use crate::util::sha256;
use crate::*;
pub use cli_args::Args;
use cli_args::*;
use ctap::{FidoCredential, FidoErrorKind};
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use std::borrow::Cow;
use std::collections::HashSet;
use std::io::Write;
use std::iter::FromIterator;
use std::path::Path;
use std::str::FromStr;
use std::thread;
use std::time::Duration;
use std::time::SystemTime;
use structopt::clap::Shell;
@@ -26,31 +25,31 @@ fn derive_secret(
salt: &[u8; 32],
timeout: u64,
pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials);
}
let timeout = Duration::from_secs(timeout);
let start = SystemTime::now();
while let Ok(el) = start.elapsed() {
if el > timeout {
return Err(error::Fido2LuksError::NoAuthenticatorError);
}
if get_devices()
.map(|devices| !devices.is_empty())
.unwrap_or(false)
{
break;
}
thread::sleep(Duration::from_millis(500));
}
//while let Ok(el) = start.elapsed() {
// if el > timeout {
// return Err(error::Fido2LuksError::NoAuthenticatorError);
// }
// if get_devices()
// .map(|devices| !devices.is_empty())
// .unwrap_or(false)
// {
// break;
// }
// thread::sleep(Duration::from_millis(500));
//}
let credentials = credentials
.iter()
.map(|hex| FidoCredential {
.map(|hex| PublicKeyCredentialDescriptor {
id: hex.0.clone(),
public_key: None,
ctype: Default::default(),
})
.collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>();
@@ -182,7 +181,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else {
None
};
let cred = make_credential_id(Some(name.as_ref()), pin)?;
let cred =
make_credential_id(Some(name.as_str()).filter(|name| name.len() > 0), pin, &[])?;
println!("{}", hex::encode(&cred.id));
Ok(())
}
@@ -289,7 +289,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
-> Fido2LuksResult<(
Vec<u8>,
Option<PublicKeyCredentialDescriptor>,
)> {
match other_secret {
OtherSecret {
keyfile: Some(file),
@@ -314,22 +317,38 @@ pub fn run_cli() -> Fido2LuksResult<()> {
)),
}
};
let secret = |q: &str,
verify: bool,
credentials: &[HexEncoded]|
-> Fido2LuksResult<([u8; 32], FidoCredential)> {
let (pin, salt) = inputs(q, verify)?;
prompt_interaction(interactive);
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
};
let secret =
|q: &str,
verify: bool,
credentials: &[HexEncoded]|
-> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
let (pin, salt) = inputs(q, verify)?;
prompt_interaction(interactive);
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
};
// Non overlap
match &args.command {
Command::AddKey {
exclusive,
generate_credential,
comment,
..
} => {
let (existing_secret, _) = other_secret("Current password", false)?;
let (existing_secret, existing_credential) =
other_secret("Current password", false)?;
let excluded_credential = existing_credential.as_ref();
let exclude_list = excluded_credential
.as_ref()
.map(core::slice::from_ref)
.unwrap_or_default();
existing_credential.iter().for_each(|cred| {
log(&|| {
format!(
"using credential to unlock container: {}",
hex::encode(&cred.id)
)
})
});
let (new_secret, cred) = if *generate_credential && luks2 {
let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()),
@@ -340,6 +359,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
None
})
.as_deref(),
dbg!(exclude_list),
)?;
log(&|| {
format!(
@@ -361,6 +381,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Some(&cred.id[..])
.filter(|_| !luks.disable_token || *generate_credential)
.filter(|_| luks2),
comment.as_deref().map(String::from),
)?;
if *exclusive {
let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
@@ -396,6 +417,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.filter(|_| !luks.disable_token)
.filter(|_| luks2)
.map(|cred| &cred.id[..]),
None,
)
} else {
let slot = luks_dev.replace_key(
@@ -433,6 +455,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
credentials,
retries,
dry_run,
allow_discards,
..
} => {
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify)
@@ -469,7 +493,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
});
secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
luks_dev.activate(&name, &secret, luks.slot, *dry_run)
luks_dev.activate(&name, &secret, luks.slot, *dry_run, *allow_discards)
})
} else if luks2 && !luks.disable_token {
luks_dev.activate_token(
@@ -487,6 +511,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}),
luks.slot,
*dry_run,
*allow_discards,
)
} else if luks_dev.is_luks2()? && luks.disable_token {
// disable-token is mostly cosmetic in this instance
@@ -498,9 +523,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Err(e) => {
match e {
Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
//Fido2LuksError::AuthenticatorError { ref cause }
// if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
e => return Err(e),
};
retries -= 1;
@@ -541,8 +565,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
continue;
}
println!(
"{}:\n\tSlots: {}\n\tCredentials: {}",
"{}{}:\n\tSlots: {}\n\tCredentials: {}",
id,
token
.comment
.as_deref()
.map(|comment| format!(" - {}", comment))
.unwrap_or_default(),
if token.keyslots.is_empty() {
"None".into()
} else {
@@ -568,6 +597,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
TokenCommand::Add {
device,
credentials,
comment,
slot,
} => {
let mut dev = LuksDevice::load(device)?;
@@ -579,7 +609,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
dev.add_token(&Fido2LuksToken::with_credentials(
&credentials.0,
*slot,
comment.as_deref().map(String::from),
))?;
1
} else {
tokens.len()

11
src/cli_args/mod.rs
View File

@@ -189,6 +189,9 @@ pub enum Command {
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
@@ -244,6 +247,9 @@ pub enum Command {
/// Perform the whole procedure without mounting the LUKS volume on success
#[structopt(long = "dry-run")]
dry_run: bool,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
@@ -251,7 +257,7 @@ pub enum Command {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")]
name: String,
},
/// Check if an authenticator is connected
@@ -292,6 +298,9 @@ pub enum TokenCommand {
long = "creds"
)]
credentials: CommaSeparated<HexEncoded>,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,

161
src/device.rs
View File

@@ -1,84 +1,133 @@
use crate::error::*;
use crate::util;
use ctap::{
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
};
use ctap_hid_fido2;
use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
use ctap_hid_fido2::get_fidokey_devices;
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
use ctap_hid_fido2::FidoKeyHidFactory;
use ctap_hid_fido2::HidInfo;
use ctap_hid_fido2::LibCfg;
use std::time::Duration;
const RP_ID: &str = "fido2luks";
fn lib_cfg() -> LibCfg {
let mut cfg = LibCfg::init();
cfg.enable_log = false;
cfg.keep_alive_msg = String::new();
cfg
}
pub fn make_credential_id(
name: Option<&str>,
pin: Option<&str>,
) -> Fido2LuksResult<FidoCredential> {
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
if let Some(user_name) = name {
request = request.user_name(user_name);
exclude: &[&PublicKeyCredentialDescriptor],
) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
.extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
}
let request = request.build().unwrap();
let make_credential = |device: &mut FidoDevice| {
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?;
for cred in exclude {
req = req.exclude_authenticator(cred.id.as_ref());
}
if let Some(_) = name {
req = req.user_entity(&PublicKeyCredentialUserEntity::new(
Some(b"00"),
name.clone(),
name,
));
}
let devices = get_devices()?;
let mut err: Option<Fido2LuksError> = None;
let req = req.build();
for dev in devices {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
match handle.make_credential_with_args(&req) {
Ok(resp) => return Ok(resp.credential_descriptor),
Err(e) => err = Some(e.into()),
}
device.make_hmac_credential(&request)
};
Ok(request_multiple_devices(
get_devices()?
.iter_mut()
.map(|device| (device, &make_credential)),
None,
)?)
}
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
}
pub fn perform_challenge<'a>(
credentials: &'a [&'a FidoCredential],
credentials: &'a [&'a PublicKeyCredentialDescriptor],
salt: &[u8; 32],
timeout: Duration,
_timeout: Duration,
pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID)
.credentials(credentials)
.build()
.unwrap();
let get_assertion = |device: &mut FidoDevice| {
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?;
) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials);
}
let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
]);
for cred in credentials {
req = req.add_credential_id(&cred.id);
}
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
}
let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
for att in resp {
for ext in att.extensions.iter() {
match ext {
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
//TODO: eliminate unwrap
let cred_used = credentials
.iter()
.copied()
.find(|cred| {
att.credential_id == cred.id
})
.unwrap();
return Ok((secret.clone(), cred_used));
}
_ => continue,
}
}
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
}
Err(Fido2LuksError::WrongSecret)
};
let (credential, (secret, _)) = request_multiple_devices(
get_devices()?
.iter_mut()
.map(|device| (device, &get_assertion)),
Some(timeout),
)?;
Ok((secret, credential))
let devices = get_devices()?;
let mut err: Option<Fido2LuksError> = None;
let req = req.build();
for dev in devices {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
match handle.get_assertion_with_args(&req) {
Ok(resp) => return process_response(resp),
Err(e) => err = Some(e.into()),
}
}
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
}
pub fn may_require_pin() -> Fido2LuksResult<bool> {
for di in ctap::get_devices()? {
if let Ok(dev) = FidoDevice::new(&di) {
if dev.needs_pin() {
return Ok(true);
}
for dev in get_devices()? {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
let info = handle.get_info()?;
let needs_pin = info
.options
.iter()
.any(|(name, val)| &name[..] == "clientPin" && *val);
if needs_pin {
return Ok(true);
}
}
Ok(false)
}
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
let mut devices = Vec::with_capacity(2);
for di in ctap::get_devices()? {
match FidoDevice::new(&di) {
Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => return Err(FidoError::from(err).into()),
},
Ok(dev) => devices.push(dev),
}
}
Ok(devices)
pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> {
Ok(get_fidokey_devices())
}

16
src/error.rs
View File

@@ -1,4 +1,4 @@
use ctap::FidoError;
use anyhow;
use libcryptsetup_rs::LibcryptErr;
use std::io;
use std::io::ErrorKind;
@@ -14,7 +14,7 @@ pub enum Fido2LuksError {
#[fail(display = "unable to read keyfile: {}", cause)]
KeyfileError { cause: io::Error },
#[fail(display = "authenticator error: {}", cause)]
AuthenticatorError { cause: ctap::FidoError },
AuthenticatorError { cause: anyhow::Error },
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError,
#[fail(display = " {}", cause)]
@@ -35,6 +35,12 @@ pub enum Fido2LuksError {
InsufficientCredentials,
}
impl From<anyhow::Error> for Fido2LuksError {
fn from(cause: anyhow::Error) -> Self {
Fido2LuksError::AuthenticatorError { cause }
}
}
impl Fido2LuksError {
pub fn exit_code(&self) -> i32 {
use Fido2LuksError::*;
@@ -91,12 +97,6 @@ impl From<LuksError> for Fido2LuksError {
}
}
impl From<FidoError> for Fido2LuksError {
fn from(e: FidoError) -> Self {
AuthenticatorError { cause: e }
}
}
impl From<LibcryptErr> for Fido2LuksError {
fn from(e: LibcryptErr) -> Self {
match e {

46
src/luks.rs
View File

@@ -1,8 +1,8 @@
use crate::error::*;
use libcryptsetup_rs::{
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
TokenInput,
CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
EncryptionFormat, KeyslotInfo, TokenInput,
};
use std::collections::{HashMap, HashSet};
use std::path::Path;
@@ -142,6 +142,7 @@ impl LuksDevice {
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
comment: Option<String>,
) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis)
@@ -152,7 +153,7 @@ impl LuksDevice {
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
&serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(),
))?;
}
@@ -216,9 +217,18 @@ impl LuksDevice {
)? as u32;
if let Some(id) = credential_id {
if self.is_luks2()? {
let token = self.find_token(slot)?.map(|(t, _)| t);
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
if let Some(token) = token {
let (token_id, token_data) = match self.find_token(slot)? {
Some((id, data)) => (Some(id), Some(data)),
_ => (None, None),
};
let json = serde_json::to_value(&Fido2LuksToken::new(
id,
slot,
// retain comment on replace
token_data.map(|data| data.comment).flatten(),
))
.unwrap();
if let Some(token) = token_id {
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?;
@@ -238,15 +248,15 @@ impl LuksDevice {
secret: &[u8],
slot_hint: Option<u32>,
dry_run: bool,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
let mut flags = CryptActivateFlags::empty();
if allow_discard {
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
}
self.device
.activate_handle()
.activate_by_passphrase(
Some(name).filter(|_| !dry_run),
slot_hint,
secret,
CryptActivateFlags::empty(),
)
.activate_by_passphrase(Some(name).filter(|_| !dry_run), slot_hint, secret, flags)
.map_err(LuksError::activate)
}
@@ -256,6 +266,7 @@ impl LuksDevice {
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
dry_run: bool,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
@@ -299,7 +310,7 @@ impl LuksDevice {
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot, dry_run) {
match self.activate(name, &secret, slot, dry_run, allow_discard) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
@@ -314,16 +325,19 @@ pub struct Fido2LuksToken {
pub type_: String,
pub credential: HashSet<String>,
pub keyslots: HashSet<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
}
impl Fido2LuksToken {
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot)
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot, comment)
}
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I,
slot: u32,
comment: Option<String>,
) -> Self {
Self {
credential: credentials
@@ -331,6 +345,7 @@ impl Fido2LuksToken {
.map(|cred| hex::encode(cred.as_ref()))
.collect(),
keyslots: vec![slot.to_string()].into_iter().collect(),
comment,
..Default::default()
}
}
@@ -345,6 +360,7 @@ impl Default for Fido2LuksToken {
type_: Self::default_type().into(),
credential: HashSet::new(),
keyslots: HashSet::new(),
comment: None,
}
}
}

1
src/main.rs
View File

@@ -1,6 +1,5 @@
#[macro_use]
extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli::*;