shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

merge into: shimun:cli_reorg
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
...
pull from: shimun:initramfs-tools
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

22 Commits
cli_reorg ... initramfs-

Author SHA1 Message Date
shimun
720b53511d readme
Some checks failed
continuous-integration/drone/pr Build is failing
Details
continuous-integration/drone/push Build is passing
Details
2020-07-03 15:53:07 +02:00
shimun
962ad2a380 initramfs-tools
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2020-07-03 15:09:52 +02:00
shimun
a498e1416f automate cargo publish
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-06-23 23:55:07 +02:00
shimun
92e413de50 refactored luks operations
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-06-22 20:47:19 +00:00
shimun
023399bb14 use unstable cryptsetup
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-22 18:17:10 +02:00
shimun
a53a430c23 update drone
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-21 22:16:45 +02:00
shimun
5f107cd337 add non existing token
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-19 20:09:36 +02:00
shimun
ddfd24a098 ensure replace_key uses the same slot 2020-06-19 20:05:05 +02:00
shimun
743edf668a document --token 2020-06-13 14:35:46 +02:00
shimun
4507107fac update libcryptsetup-rs 2020-06-10 13:50:28 +02:00
shimun
a8482c50a2 handle tokens when replacing 2020-06-08 19:22:19 +02:00
shimun
09be5ef551 assemble secret in correct order 2020-06-08 18:08:24 +02:00
shimun
6f6c84ddba skip luks2 check until underlying issue is fixed 2020-06-07 14:14:51 +02:00
shimun
5a05cad695 more precise description 2020-06-06 23:39:23 +02:00
shimun
d8d24b40f5 Merge branch 'cli_reorg' 2020-06-06 23:37:22 +02:00
shimun
c1a82b9ae6 update libcryptsetup_rs to 0.4.0 2020-06-06 22:43:18 +02:00
shimun
f774580c9c update to current api 2020-05-05 23:28:44 +02:00
shimun
0b19760175 hint slots 2020-04-28 19:09:53 +02:00
shimun
2ec8679c47 open token 2020-04-28 14:27:14 +02:00
shimun
65e1dead8b remove token 2020-04-27 22:07:00 +02:00
shimun
478fb5e036 store luks token 2020-04-27 19:26:21 +02:00
shimun
1547f5e199 get format 2020-04-27 18:12:06 +02:00
15 changed files with 1102 additions and 193 deletions
Expand all files Collapse all files

33
.drone.yml
View File

@@ -3,32 +3,27 @@ name: default
steps: steps:
- name: fmt - name: fmt
image: rust:1.37.0 image: rust:1.43.0
commands: commands:
- rustup component add rustfmt - rustup component add rustfmt
- cargo fmt --all -- --check - cargo fmt --all -- --check
- name: test - name: test
image: rust:1.37.0 image: rust:1.43.0
commands: commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
- echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
- cargo test - cargo test
- name: build
image: rust:1.37.0
commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev
- cargo install -f --path . --root .
when:
event: tag
- name: publish - name: publish
image: plugins/github-release image: rust:1.43.0
settings: environment:
api_key: CARGO_REGISTRY_TOKEN:
from_secret: github_release from_secret: cargo_tkn
files: commands:
- bin/fido2luks - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
checksum: - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
- md5 - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
- sha256 - cargo package --all-features
- cargo publish --all-features
when: when:
event: tag event: tag

100
Cargo.lock generated
View File

@@ -55,9 +55,9 @@ dependencies = [
[[package]] [[package]]
name = "backtrace-sys" name = "backtrace-sys"
version = "0.1.35" version = "0.1.36"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7de8aba10a69c8e8d7622c5710229485ec32e9d55fdad160ea559c086fdcd118" checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
dependencies = [ dependencies = [
"cc", "cc",
"libc", "libc",
@@ -111,9 +111,9 @@ dependencies = [
[[package]] [[package]]
name = "cc" name = "cc"
version = "1.0.50" version = "1.0.52"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd" checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
[[package]] [[package]]
name = "cexpr" name = "cexpr"
@@ -287,7 +287,7 @@ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"strsim 0.9.3", "strsim 0.9.3",
"syn 1.0.17", "syn 1.0.18",
] ]
[[package]] [[package]]
@@ -298,7 +298,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
dependencies = [ dependencies = [
"darling_core", "darling_core",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
] ]
[[package]] [[package]]
@@ -311,7 +311,7 @@ dependencies = [
"derive_builder_core", "derive_builder_core",
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
] ]
[[package]] [[package]]
@@ -323,7 +323,7 @@ dependencies = [
"darling", "darling",
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
] ]
[[package]] [[package]]
@@ -363,13 +363,13 @@ checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
"synstructure", "synstructure",
] ]
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.7" version = "0.2.9"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",
@@ -377,6 +377,9 @@ dependencies = [
"libcryptsetup-rs", "libcryptsetup-rs",
"ring", "ring",
"rpassword", "rpassword",
"serde",
"serde_derive",
"serde_json",
"structopt", "structopt",
] ]
@@ -415,9 +418,9 @@ dependencies = [
[[package]] [[package]]
name = "hermit-abi" name = "hermit-abi"
version = "0.1.10" version = "0.1.12"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "725cf19794cf90aa94e65050cb4191ff5d8fa87a498383774c47b332e3af952e" checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4"
dependencies = [ dependencies = [
"libc", "libc",
] ]
@@ -463,20 +466,21 @@ checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
[[package]] [[package]]
name = "libc" name = "libc"
version = "0.2.68" version = "0.2.69"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dea0c0405123bba743ee3f91f49b1c7cfb684eef0da0a50110f758ccf24cdff0" checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
[[package]] [[package]]
name = "libcryptsetup-rs" name = "libcryptsetup-rs"
version = "0.2.0" version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0177fd0ec022a5adb247e13e3238309913c28102a811227ad5de6a55697f152" checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b"
dependencies = [ dependencies = [
"either", "either",
"libc", "libc",
"libcryptsetup-rs-sys", "libcryptsetup-rs-sys",
"pkg-config", "pkg-config",
"semver",
"serde_json", "serde_json",
"uuid", "uuid",
] ]
@@ -577,26 +581,26 @@ checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
[[package]] [[package]]
name = "proc-macro-error" name = "proc-macro-error"
version = "0.4.12" version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "18f33027081eba0a6d8aba6d1b1c3a3be58cbb12106341c2d5759fcd9b5277e7" checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678"
dependencies = [ dependencies = [
"proc-macro-error-attr", "proc-macro-error-attr",
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
"version_check", "version_check",
] ]
[[package]] [[package]]
name = "proc-macro-error-attr" name = "proc-macro-error-attr"
version = "0.4.12" version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a5b4b77fdb63c1eca72173d68d24501c54ab1269409f6b672c85deb18af69de" checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
"syn-mid", "syn-mid",
"version_check", "version_check",
] ]
@@ -781,17 +785,11 @@ dependencies = [
"rand_core 0.3.1", "rand_core 0.3.1",
] ]
[[package]]
name = "redox_syscall"
version = "0.1.56"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2439c63f3f6139d1b57529d16bc3b8bb855230c8efcc5d3a896c8bea7c3b1e84"
[[package]] [[package]]
name = "regex" name = "regex"
version = "1.3.6" version = "1.3.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f6946991529684867e47d86474e3a6d0c0ab9b82d5821e314b1ede31fa3a4b3" checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692"
dependencies = [ dependencies = [
"aho-corasick", "aho-corasick",
"memchr", "memchr",
@@ -860,9 +858,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
[[package]] [[package]]
name = "ryu" name = "ryu"
version = "1.0.3" version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "535622e6be132bccd223f4bb2b8ac8d53cda3c7a6394944d3b2b33fb974f9d76" checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1"
[[package]] [[package]]
name = "scopeguard" name = "scopeguard"
@@ -891,6 +889,17 @@ version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399" checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
[[package]]
name = "serde_derive"
version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
dependencies = [
"proc-macro2 1.0.10",
"quote 1.0.3",
"syn 1.0.18",
]
[[package]] [[package]]
name = "serde_json" name = "serde_json"
version = "1.0.51" version = "1.0.51"
@@ -922,9 +931,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
[[package]] [[package]]
name = "structopt" name = "structopt"
version = "0.3.12" version = "0.3.14"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8faa2719539bbe9d77869bfb15d4ee769f99525e707931452c97b693b3f159d" checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef"
dependencies = [ dependencies = [
"clap", "clap",
"lazy_static", "lazy_static",
@@ -933,15 +942,15 @@ dependencies = [
[[package]] [[package]]
name = "structopt-derive" name = "structopt-derive"
version = "0.4.5" version = "0.4.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f88b8e18c69496aad6f9ddf4630dd7d585bcaf765786cb415b9aec2fe5a0430" checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a"
dependencies = [ dependencies = [
"heck", "heck",
"proc-macro-error", "proc-macro-error",
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
] ]
[[package]] [[package]]
@@ -957,9 +966,9 @@ dependencies = [
[[package]] [[package]]
name = "syn" name = "syn"
version = "1.0.17" version = "1.0.18"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0df0eb663f387145cab623dea85b09c2c5b4b0aef44e945d928e682fce71bb03" checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
@@ -974,7 +983,7 @@ checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
] ]
[[package]] [[package]]
@@ -985,7 +994,7 @@ checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
dependencies = [ dependencies = [
"proc-macro2 1.0.10", "proc-macro2 1.0.10",
"quote 1.0.3", "quote 1.0.3",
"syn 1.0.17", "syn 1.0.18",
"unicode-xid 0.2.0", "unicode-xid 0.2.0",
] ]
@@ -1018,12 +1027,11 @@ dependencies = [
[[package]] [[package]]
name = "time" name = "time"
version = "0.1.42" version = "0.1.43"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f" checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
dependencies = [ dependencies = [
"libc", "libc",
"redox_syscall",
"winapi", "winapi",
] ]
@@ -1105,9 +1113,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]] [[package]]
name = "winapi-util" name = "winapi-util"
version = "0.1.4" version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa515c5163a99cc82bab70fd3bfdd36d827be85de63737b40fcef2ce084a436e" checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
dependencies = [ dependencies = [
"winapi", "winapi",
] ]

7
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.7" version = "0.2.9"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -20,7 +20,10 @@ ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = "0.2.0" libcryptsetup-rs = "0.4.1"
serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
[profile.release] [profile.release]
lto = true lto = true

6
README.md
View File

@@ -2,7 +2,7 @@
This will allow you to unlock your luks encrypted disk with an fido2 compatible key This will allow you to unlock your luks encrypted disk with an fido2 compatible key
Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Setup ## Setup
@@ -30,6 +30,8 @@ set -a
. /etc/fido2luks.conf . /etc/fido2luks.conf
# Repeat for each luks volume # Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID> sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
# Test(only works if the luks container isn't active) # Test(only works if the luks container isn't active)
@@ -71,6 +73,8 @@ Just reboot and see if it works, if that's the case you should remove your old l
# Recommend in case you lose your authenticator, store this backupfile somewhere safe # Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID> cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup # There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
# which will enable you to use `fido2luks open-token` without passing a credential as parameter
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID> fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
``` ```

23
initramfs-tools/Makefile Normal file
View File

@@ -0,0 +1,23 @@
.PHONY: install clean
DRACUT_MODULES_D=/usr/lib/dracut/modules.d
DRACUT_CONF_D=/etc/dracut.conf.d
MODULE_CONF_D=dracut.conf.d
MODULE_CONF=luks-2fa.conf
MODULE_DIR=96luks-2fa
help:
@echo make help to show this help
@echo make install to install
@echo make clean to remove
install:
chmod +x hook/fido2luks.sh keyscript.sh
cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
mkdir -p /usr/share/fido2luks
cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u
remove:
rm /etc/initramfs-tools/hooks/fido2luks.sh
update-initramfs -u

13
initramfs-tools/README.md Normal file
View File

@@ -0,0 +1,13 @@
## Initramfs-tools based systems(Ubuntu and derivatives)
After installation generate your credentials and add keys to your disk as described in the top-level README
then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
Example:
```
sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
```
But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

3
initramfs-tools/fido2luks.conf Normal file
View File

@@ -0,0 +1,3 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=

14
initramfs-tools/hook/fido2luks.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
case "$1" in
prereqs)
echo ""
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
copy_exec /usr/bin/fido2luks
exit 0

9
initramfs-tools/keyscript.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/bin/sh
set -a
. /etc/fido2luks.conf
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
fi
fido2luks print-secret --bin

332
initramfs-tools/setup.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 550 KiB

306
src/cli.rs
View File

@@ -1,5 +1,4 @@
use crate::error::*; use crate::error::*;
use crate::luks;
use crate::*; use crate::*;
use structopt::StructOpt; use structopt::StructOpt;
@@ -12,7 +11,10 @@ use std::io::Write;
use std::process::exit; use std::process::exit;
use std::thread; use std::thread;
use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256; use crate::util::sha256;
use std::borrow::Cow;
use std::collections::HashSet;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] #[derive(Debug, Eq, PartialEq, Clone)]
@@ -24,6 +26,12 @@ impl Display for HexEncoded {
} }
} }
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded { impl FromStr for HexEncoded {
type Err = hex::FromHexError; type Err = hex::FromHexError;
@@ -58,7 +66,7 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct Credentials { pub struct Credentials {
/// FIDO credential ids, seperated by ',' generate using fido2luks credential /// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")] #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>, pub ids: CommaSeparated<HexEncoded>,
} }
@@ -126,7 +134,7 @@ fn derive_secret(
salt: &[u8; 32], salt: &[u8; 32],
timeout: u64, timeout: u64,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<[u8; 32]> { ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
let timeout = Duration::from_secs(timeout); let timeout = Duration::from_secs(timeout);
let start = SystemTime::now(); let start = SystemTime::now();
@@ -143,23 +151,18 @@ fn derive_secret(
thread::sleep(Duration::from_millis(500)); thread::sleep(Duration::from_millis(500));
} }
Ok(sha256(&[ let credentials = credentials
&perform_challenge(
&credentials
.iter() .iter()
.map(|hex| FidoCredential { .map(|hex| FidoCredential {
id: hex.0.clone(), id: hex.0.clone(),
public_key: None, public_key: None,
}) })
.collect::<Vec<_>>() .collect::<Vec<_>>();
.iter() let credentials = credentials.iter().collect::<Vec<_>>();
.collect::<Vec<_>>()[..], let (unsalted, cred) =
salt, perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
timeout - start.elapsed().unwrap(),
pin, Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
)?[..],
salt,
]))
} }
fn read_pin() -> Fido2LuksResult<String> { fn read_pin() -> Fido2LuksResult<String> {
@@ -214,6 +217,9 @@ pub enum Command {
/// Will wipe all other keys /// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")] #[structopt(short = "e", long = "exclusive")]
exclusive: bool, exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)] #[structopt(flatten)]
existing_secret: OtherSecret, existing_secret: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
@@ -233,6 +239,9 @@ pub enum Command {
/// Add the password and keep the key /// Add the password and keep the key
#[structopt(short = "a", long = "add-password")] #[structopt(short = "a", long = "add-password")]
add_password: bool, add_password: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)] #[structopt(flatten)]
replacement: OtherSecret, replacement: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
@@ -251,7 +260,20 @@ pub enum Command {
authenticator: AuthenticatorParameters, authenticator: AuthenticatorParameters,
#[structopt(flatten)] #[structopt(flatten)]
secret: SecretParameters, secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")] #[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32, retries: i32,
}, },
@@ -267,6 +289,45 @@ pub enum Command {
/// Check if an authenticator is connected /// Check if an authenticator is connected
#[structopt(name = "connected")] #[structopt(name = "connected")]
Connected, Connected,
Token(TokenCommand),
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
} }
pub fn parse_cmdline() -> Args { pub fn parse_cmdline() -> Args {
@@ -311,7 +372,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else { } else {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain(&secret.password_helper)
}?; }?;
let secret = derive_secret( let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(), credentials.ids.0.as_slice(),
&salt, &salt,
authenticator.await_time, authenticator.await_time,
@@ -331,6 +392,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret, secret,
luks_mod, luks_mod,
existing_secret: other_secret, existing_secret: other_secret,
token,
.. ..
} }
| Command::ReplaceKey { | Command::ReplaceKey {
@@ -340,6 +402,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret, secret,
luks_mod, luks_mod,
replacement: other_secret, replacement: other_secret,
token,
.. ..
} => { } => {
let pin = if authenticator.pin { let pin = if authenticator.pin {
@@ -354,12 +417,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain(&secret.password_helper)
} }
}; };
let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<Vec<u8>> { let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
match other_secret { match other_secret {
OtherSecret { OtherSecret {
keyfile: Some(file), keyfile: Some(file),
.. ..
} => util::read_keyfile(file), } => Ok((util::read_keyfile(file)?, None)),
OtherSecret { OtherSecret {
fido_device: true, .. fido_device: true, ..
} => Ok(derive_secret( } => Ok(derive_secret(
@@ -367,12 +432,15 @@ pub fn run_cli() -> Fido2LuksResult<()> {
&salt(salt_q, verify)?, &salt(salt_q, verify)?,
authenticator.await_time, authenticator.await_time,
pin.as_deref(), pin.as_deref(),
)?[..] )
.to_vec()), .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
_ => Ok(util::read_password(salt_q, verify)?.as_bytes().to_vec()), _ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
} }
}; };
let secret = |verify: bool| -> Fido2LuksResult<[u8; 32]> { let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
derive_secret( derive_secret(
&credentials.ids.0, &credentials.ids.0,
&salt("Password", verify)?, &salt("Password", verify)?,
@@ -380,19 +448,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
pin.as_deref(), pin.as_deref(),
) )
}; };
let mut luks_dev = LuksDevice::load(&luks.device)?;
// Non overlap // Non overlap
match &args.command { match &args.command {
Command::AddKey { exclusive, .. } => { Command::AddKey { exclusive, .. } => {
let existing_secret = other_secret("Current password", false)?; let (existing_secret, _) = other_secret("Current password", false)?;
let new_secret = secret(true)?; let (new_secret, cred) = secret(true)?;
let added_slot = luks::add_key( let added_slot = luks_dev.add_key(
&luks.device,
&new_secret, &new_secret,
&existing_secret[..], &existing_secret[..],
luks_mod.kdf_time.or(Some(10)), luks_mod.kdf_time.or(Some(10)),
Some(&cred.id[..]).filter(|_| *token),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?; let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
println!( println!(
"Added to key to device {}, slot: {}\nRemoved {} old keys", "Added to key to device {}, slot: {}\nRemoved {} old keys",
luks.device.display(), luks.device.display(),
@@ -409,21 +478,21 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(()) Ok(())
} }
Command::ReplaceKey { add_password, .. } => { Command::ReplaceKey { add_password, .. } => {
let existing_secret = secret(false)?; let (existing_secret, _) = secret(false)?;
let replacement_secret = other_secret("Replacement password", true)?; let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key( luks_dev.add_key(
&luks.device,
&replacement_secret[..], &replacement_secret[..],
&existing_secret, &existing_secret,
luks_mod.kdf_time, luks_mod.kdf_time,
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
) )
} else { } else {
luks::replace_key( luks_dev.replace_key(
&luks.device,
&replacement_secret[..], &replacement_secret[..],
&existing_secret, &existing_secret,
luks_mod.kdf_time, luks_mod.kdf_time,
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
) )
}?; }?;
println!( println!(
@@ -439,7 +508,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Command::Open { Command::Open {
luks, luks,
authenticator, authenticator,
credentials, secret,
name,
retries,
..
}
| Command::OpenToken {
luks,
authenticator,
secret, secret,
name, name,
retries, retries,
@@ -458,16 +534,38 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret.salt.obtain(&secret.password_helper) secret.salt.obtain(&secret.password_helper)
} }
}; };
let mut retries = *retries;
loop { // Cow shouldn't be necessary
match derive_secret( let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
&credentials.ids.0, derive_secret(
credentials.as_ref(),
&salt("Password", false)?, &salt("Password", false)?,
authenticator.await_time, authenticator.await_time,
pin, pin,
) )
.and_then(|secret| luks::open_container(&luks.device, &name, &secret, luks.slot)) };
{
let mut retries = *retries;
let mut luks_dev = LuksDevice::load(&luks.device)?;
loop {
let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
Command::OpenToken { .. } => luks_dev.activate_token(
&name,
Box::new(|credentials: Vec<String>| {
let creds = credentials
.into_iter()
.flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
.collect::<Vec<_>>();
secret(Cow::Owned(creds))
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}),
luks.slot,
),
_ => unreachable!(),
};
match secret {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => {} Fido2LuksError::WrongSecret if retries > 0 => {}
@@ -479,7 +577,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
retries -= 1; retries -= 1;
eprintln!("{}", e); eprintln!("{}", e);
} }
res => break res, res => break res.map(|_| ()),
} }
} }
} }
@@ -490,5 +588,129 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
_ => exit(1), _ => exit(1),
}, },
Command::Token(cmd) => match cmd {
TokenCommand::List {
device,
csv: dump_credentials,
} => {
let mut dev = LuksDevice::load(device)?;
let mut creds = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
for cred in token.credential.iter() {
if !creds.contains(cred) {
creds.push(cred.clone());
if *dump_credentials {
print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
}
}
}
if *dump_credentials {
continue;
}
println!(
"{}:\n\tSlots: {}\n\tCredentials: {}",
id,
if token.keyslots.is_empty() {
"None".into()
} else {
token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
},
token
.credential
.iter()
.map(|cred| format!(
"{} ({})",
cred,
creds.iter().position(|c| c == cred).unwrap().to_string()
))
.collect::<Vec<_>>()
.join(",")
);
}
if *dump_credentials {
println!();
}
Ok(())
}
TokenCommand::Add {
device,
credentials,
slot,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
tokens.push((id, token));
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
1
} else {
tokens.len()
};
for (id, mut token) in tokens {
token
.credential
.extend(credentials.ids.0.iter().map(|h| h.to_string()));
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::Remove {
device,
credentials,
token_id,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if let Some(token_id) = token_id {
if id == *token_id {
tokens.push((id, token));
}
} else {
tokens.push((id, token));
}
}
let count = tokens.len();
for (id, mut token) in tokens {
token.credential = token
.credential
.into_iter()
.filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
.collect();
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::GC { device } => {
let mut dev = LuksDevice::load(device)?;
let mut creds: HashSet<String> = HashSet::new();
let mut remove = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.is_empty() || token.credential.is_empty() {
creds.extend(token.credential);
remove.push(id);
}
}
for id in remove.iter().rev() {
dev.remove_token(*id)?;
}
println!(
"Removed {} tokens, affected credentials: {}",
remove.len(),
creds.into_iter().collect::<Vec<_>>().join(",")
);
Ok(())
}
},
} }
} }

10
src/device.rs
View File

@@ -32,12 +32,12 @@ pub fn make_credential_id(
)?) )?)
} }
pub fn perform_challenge( pub fn perform_challenge<'a>(
credentials: &[&FidoCredential], credentials: &'a [&'a FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
timeout: Duration, timeout: Duration,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<[u8; 32]> { ) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
let request = FidoAssertionRequestBuilder::default() let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID) .rp_id(RP_ID)
.credentials(credentials) .credentials(credentials)
@@ -49,13 +49,13 @@ pub fn perform_challenge(
} }
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
}; };
let (_, (secret, _)) = request_multiple_devices( let (credential, (secret, _)) = request_multiple_devices(
get_devices()? get_devices()?
.iter_mut() .iter_mut()
.map(|device| (device, &get_assertion)), .map(|device| (device, &get_assertion)),
Some(timeout), Some(timeout),
)?; )?;
Ok(secret) Ok((secret, credential))
} }
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {

44
src/error.rs
View File

@@ -13,11 +13,13 @@ pub enum Fido2LuksError {
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: ctap::FidoError },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = "luks err")] #[fail(display = " {}", cause)]
LuksError { CryptsetupError {
cause: libcryptsetup_rs::LibcryptErr, cause: libcryptsetup_rs::LibcryptErr,
}, },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "{}", cause)]
LuksError { cause: LuksError },
#[fail(display = "{}", cause)]
IoError { cause: io::Error }, IoError { cause: io::Error },
#[fail(display = "supplied secret isn't valid for this device")] #[fail(display = "supplied secret isn't valid for this device")]
WrongSecret, WrongSecret,
@@ -46,7 +48,41 @@ pub enum AskPassError {
Mismatch, Mismatch,
} }
#[derive(Debug, Fail)]
pub enum LuksError {
#[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
Luks2Required,
#[fail(display = "Invalid token: {}", _0)]
InvalidToken(String),
#[fail(display = "No token found")]
NoToken,
#[fail(display = "The device already exists")]
DeviceExists,
}
impl LuksError {
pub fn activate(e: LibcryptErr) -> Fido2LuksError {
match e {
LibcryptErr::IOError(ref io) => match io.raw_os_error() {
Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
Some(17) => Fido2LuksError::LuksError {
cause: LuksError::DeviceExists,
},
_ => return Fido2LuksError::CryptsetupError { cause: e },
},
_ => Fido2LuksError::CryptsetupError { cause: e },
}
}
}
impl From<LuksError> for Fido2LuksError {
fn from(e: LuksError) -> Self {
Fido2LuksError::LuksError { cause: e }
}
}
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::io::ErrorKind;
use std::string::FromUtf8Error; use std::string::FromUtf8Error;
use Fido2LuksError::*; use Fido2LuksError::*;
@@ -62,7 +98,7 @@ impl From<LibcryptErr> for Fido2LuksError {
LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => { LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
WrongSecret WrongSecret
} }
_ => LuksError { cause: e }, _ => CryptsetupError { cause: e },
} }
} }
} }

333
src/luks.rs
View File

@@ -1,82 +1,327 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo}; use libcryptsetup_rs::{
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
TokenInput,
};
use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { pub struct LuksDevice {
device: CryptDevice,
luks2: Option<bool>,
}
impl LuksDevice {
pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
let mut device = CryptInit::init(path.as_ref())?; let mut device = CryptInit::init(path.as_ref())?;
//TODO: determine luks version some way other way than just trying device.context_handle().load::<()>(None, None)?;
let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ()); Ok(Self {
vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1] device,
.into_iter() luks2: None,
.fold(None, |res, format| match res {
Some(Ok(())) => res,
Some(e) => Some(e.or_else(|_| load(format))),
None => Some(load(format)),
}) })
.unwrap()?;
Ok(device)
} }
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8], slot_hint: Option<u32>) -> Fido2LuksResult<()> { pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
let mut device = load_device_handle(path)?; if let Some(luks2) = self.luks2 {
device Ok(luks2)
.activate_handle() } else {
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty()) self.luks2 = Some(match self.device.format_handle().get_type()? {
.map(|_slot| ()) EncryptionFormat::Luks2 => true,
.map_err(|_e| Fido2LuksError::WrongSecret) _ => false,
});
self.is_luks2()
}
} }
pub fn add_key<P: AsRef<Path>>( fn require_luks2(&mut self) -> Fido2LuksResult<()> {
path: P, if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
Ok(())
}
pub fn tokens<'a>(
&'a mut self,
) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
{
self.require_luks2()?;
Ok(Box::new(
(0..32)
.map(move |i| {
let status = match self.device.token_handle().status(i) {
Ok(status) => status,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
match status {
CryptTokenInfo::Inactive => return None,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != Fido2LuksToken::default_type() =>
{
return None
}
_ => (),
};
let json = match self.device.token_handle().json_get(i) {
Ok(json) => json,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
let info: Fido2LuksToken =
match serde_json::from_value(json.clone()).map_err(|_| {
Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
}
}) {
Ok(info) => info,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
Some(Ok((i, info)))
})
.filter_map(|o| o),
))
}
pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
let slot_str = slot.to_string();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot_str) {
return Ok(Some((id, token)));
}
}
Ok(None)
}
pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
Ok(())
}
pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::RemoveToken(token))?;
Ok(())
}
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&data).unwrap(),
))?;
Ok(())
}
pub fn add_key(
&mut self,
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis) self.device.settings_handle().set_iteration_time(millis)
} }
let slot = device let slot = self
.keyslot_handle(None) .device
.add_by_passphrase(old_secret, secret)?; .keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
Ok(slot) Ok(slot)
} }
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> { pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
let mut handle;
let mut destroyed = 0; let mut destroyed = 0;
//TODO: detect how many keyslots there are instead of trying within a given range let mut tokens = Vec::new();
for slot in 0..1024 { for slot in 0..256 {
handle = device.keyslot_handle(Some(slot)); match self.device.keyslot_handle().status(slot)? {
match handle.status()? {
KeyslotInfo::Inactive => continue, KeyslotInfo::Inactive => continue,
KeyslotInfo::Active if !exclude.contains(&slot) => { KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
handle.destroy()?; if self.is_luks2()? {
if let Some((id, _token)) = self.find_token(slot)? {
tokens.push(id);
}
}
self.device.keyslot_handle().destroy(slot)?;
destroyed += 1; destroyed += 1;
} }
KeyslotInfo::ActiveLast => break,
_ => (), _ => (),
} }
if let KeyslotInfo::ActiveLast = handle.status()? { if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break; break;
} }
} }
// Ensure indices stay valid
tokens.sort();
for token in tokens.iter().rev() {
self.remove_token(*token)?;
}
Ok(destroyed) Ok(destroyed)
} }
pub fn replace_key<P: AsRef<Path>>( pub fn replace_key(
path: P, &mut self,
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
// Set iteration time not sure wether this applies to luks2 as well
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis) self.device.settings_handle().set_iteration_time(millis)
}
// Use activate dry-run to locate keyslot
let slot = self.device.activate_handle().activate_by_passphrase(
None,
None,
old_secret,
CryptActivateFlags::empty(),
)?;
self.device.keyslot_handle().change_by_passphrase(
Some(slot),
Some(slot),
old_secret,
secret,
)? as u32;
if let Some(id) = credential_id {
if self.is_luks2()? {
let token = self.find_token(slot)?.map(|(t, _)| t);
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
if let Some(token) = token {
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?;
} else {
self.device
.token_handle()
.json_set(TokenInput::AddToken(&json))?;
}
}
}
Ok(slot)
}
pub fn activate(
&mut self,
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.map_err(LuksError::activate)
}
pub fn activate_token(
&mut self,
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
for token in self.tokens()? {
let token = match token {
Ok((_id, t)) => t,
_ => continue, // An corrupted token should't lock the user out
};
let slots = || {
token
.keyslots
.iter()
.filter_map(|slot| slot.parse::<u32>().ok())
};
for cred in token.credential.iter() {
creds
.entry(cred.clone())
.or_insert_with(|| slots().collect::<HashSet<u32>>())
.extend(slots());
}
}
if creds.is_empty() {
return Err(Fido2LuksError::LuksError {
cause: LuksError::NoToken,
});
}
let (secret, credential) = secret(creds.keys().cloned().collect())?;
let empty;
let slots = if let Some(slots) = creds.get(&credential) {
slots
} else {
empty = HashSet::new();
&empty
};
//Try slots associated with the credential used
let slots = slots.iter().cloned().map(Option::Some).chain(
std::iter::once(slot_hint) // Try slot hint if there is one
.take(slot_hint.is_some() as usize)
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
}
Err(Fido2LuksError::WrongSecret)
}
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Fido2LuksToken {
#[serde(rename = "type")]
pub type_: String,
pub credential: HashSet<String>,
pub keyslots: HashSet<String>,
}
impl Fido2LuksToken {
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot)
}
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I,
slot: u32,
) -> Self {
Self {
credential: credentials
.into_iter()
.map(|cred| hex::encode(cred.as_ref()))
.collect(),
keyslots: vec![slot.to_string()].into_iter().collect(),
..Default::default()
}
}
pub fn default_type() -> &'static str {
"fido2luks"
}
}
impl Default for Fido2LuksToken {
fn default() -> Self {
Self {
type_: Self::default_type().into(),
credential: HashSet::new(),
keyslots: HashSet::new(),
}
} }
Ok(device
.keyslot_handle(None)
.change_by_passphrase(None, None, old_secret, secret)? as u32)
} }

2
src/main.rs
View File

@@ -1,6 +1,8 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap; extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli::*; use crate::cli::*;
use crate::config::*; use crate::config::*;
use crate::device::*; use crate::device::*;