shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:completions
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:debVM
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

48 Commits
completion ... debVM

Author SHA1 Message Date
shimun
a776c00c69 wip: deb VM 2021-07-29 01:37:29 +02:00
shimun
38b3a77b78 added: Dockerimage for .deb build 2021-07-28 19:27:42 +02:00
shimun
57bad4a625 Merge remote-tracking branch 'gh/master' into 0.3.0 2021-07-28 13:19:25 +02:00
shimun
b2e4950db5 update ctap_hmac 2021-07-26 18:46:10 +02:00
shimun
a33d591cbb Merge branch 'master' into 0.3.0 2021-07-16 19:08:23 +02:00
shimun
f53096dc5b password helper: inherit stdin, stderr 
should make fido2luks much easier to use in boot scripts since it will
allow for usage as follows:

`fido2luks open-token /dev/disk/by-uuid/sda1 test 'bash -c "read -p Pass PW 1>&2; echo $PW"'`

which will read the password from the current terminal
 2021-07-16 15:23:11 +02:00
shimun
5496c4e61b always set credential name 2021-07-14 15:47:23 +02:00
shimun
51fa26b7d5 bump version 2021-07-14 12:24:58 +02:00
Vyacheslav Konovalov
a3696962e8 Support for initcpio (#31) 
* Add initcpio hook and install script

* Make PIN optional

* Add README for initcpio

* Fix PKGBUILD, add install of initcpio

* Fix README for initcpio
 2021-07-14 12:23:32 +02:00
shimun
a75d1af01b added: hydra job
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2021-04-18 19:20:11 +02:00
shimun
534d36bb13 Merge branch 'master' into HEAD
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2021-03-01 20:04:43 +01:00
shimunn
7e6b33ae7f Theory of operation (#30)
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-02-28 12:56:57 +01:00
shimun
b3495c45f3 add nix flake 2021-02-08 16:06:56 +01:00
shimunn
17ca487b85 Obvious password promt (#29) 
* obvious password promt

* prompt interaction with FIDO device
 2021-02-08 15:58:41 +01:00
shimun
b0404f2fc1 minimum YubiKey firmware version
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-11-17 13:05:45 +01:00
shimunn
de21e3ef8d Merge pull request #21 from aacebedo/master 
Added an helper script to be used with pam_mount
 2020-11-01 21:18:13 +01:00
Alexandre ACEBEDO
8a7b3addbb Added an helper script to be used with pam_mount 2020-11-01 18:21:04 +01:00
shimun
39b90d27b7 update keyscript
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-27 15:54:18 +01:00
shimun
f37ad8e78b update readme
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-27 15:53:21 +01:00
shimun
543198a5fe auto_credential -> generate_credential 2020-10-27 15:44:26 +01:00
shimun
d8aca91136 generate all completions by default 2020-10-27 15:03:05 +01:00
shimun
06f97592c1 dectect enabled PIN
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-18 20:48:30 +02:00
shimun
8e2948fbb9 use CARGO_MANIFEST_DIR instead of PWD
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-18 20:01:43 +02:00
shimun
be2639d9fe tolerate generated bash-completion scripts
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-18 16:47:36 +02:00
shimun
6f9941a107 readable
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-18 16:39:28 +02:00
shimun
81c2bbf692 changelog
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-18 15:47:30 +02:00
shimun
516b590739 describe dry-run 2020-10-18 15:46:56 +02:00
shimun
2ed7f8141f verbose
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-18 15:39:30 +02:00
shimun
8e98bf024e read_pin
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-17 18:38:21 +02:00
shimun
49a7512743 dry-run
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-17 18:27:12 +02:00
shimun
a264f4c9eb rewrite helper
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-17 17:58:28 +02:00
shimun
a5c0840a59 update deps 2020-10-13 23:00:44 +02:00
shimun
ab23fe5ac9 remove env attr to keep --disable-token as flag
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-13 21:29:06 +02:00
shimun
4b09fcb6cb honour disable-token 2020-10-13 21:28:47 +02:00
shimun
e5c6ca9237 use claps variant list 2020-10-13 19:29:05 +02:00
shimun
716a845e55 open-token alias
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-13 19:23:02 +02:00
shimun
24a06b9085 doc 2020-10-13 19:18:35 +02:00
shimun
e7e44cd61b fix test
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-10-13 14:17:22 +02:00
shimun
ae96d3ba5d remove dbg
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2020-10-11 22:41:18 +02:00
shimun
88b9677e7a 4
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2020-10-11 22:23:45 +02:00
shimun
99a536f2d4 3
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2020-10-11 22:03:07 +02:00
shimun
8954de3558 2
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-11 21:11:42 +02:00
shimun
bd29452980 use prebuild image 2020-10-11 19:05:41 +02:00
shimun
e9510216ef 1
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-11 18:33:59 +02:00
shimun
0ec859f4a6 remove trailing newline from pin
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 12:40:34 +02:00
shimun
55bae4161e add credentials situated in the luks header to credential list
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-19 18:23:21 +02:00
shimun
086c1a0594 file path must be relative to src
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-05 19:35:36 +02:00
shimun
c2e38eb06f generate shell completions during build
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details
2020-09-05 18:52:07 +02:00
27 changed files with 1373 additions and 265 deletions
Expand all files Collapse all files

10
.drone.yml
View File

@@ -8,22 +8,20 @@ steps:
- rustup component add rustfmt
- cargo fmt --all -- --check
- name: test
image: ubuntu:focal
image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
environment:
DEBIAN_FRONTEND: noninteractive
commands:
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo test --locked
- name: publish
image: ubuntu:focal
image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
environment:
DEBIAN_FRONTEND: noninteractive
CARGO_REGISTRY_TOKEN:
from_secret: cargo_tkn
commands:
- grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo package --all-features
- cargo publish --all-features
- cargo package --all-features --allow-dirty
- cargo publish --all-features --allow-dirty
when:
event: tag

4
.gitignore vendored
View File

@@ -5,4 +5,6 @@
fido2luks.bash
fido2luks.elv
fido2luks.fish
fido2luks.zsh
fido2luks.zsh
result
result-*

11
CHANGELOG.md Normal file
View File

@@ -0,0 +1,11 @@
## 0.3.0
* LUKS2 Tokens are now supported by every subcommand
* `<credential>` has been converted into the flag `--creds`
credentials provided by `--creds` will be supplemented from the LUKS header unless this is disabled by `--disable-token`
* `fido2luks add-key` will take an `--auto-cred` flag which allows for credentials to be generated and stored without having to use `fido2luks credential`
`fido2luks replace-key` will allow for credentials to be removed using the `--remove-cred` flag respectively
* Removed `fido2luks open-token` subcommand
`fido2luks open` now fulfills both functions
* Added `fido2luks open --dry-run` flag, to perform the whole procedure apart from mounting the LUKS volume
* Added an `--verbose` flag to display additional information like credentials and keyslots used if desired

160
Cargo.lock generated
View File

@@ -52,9 +52,9 @@ checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2"
[[package]]
name = "autocfg"
version = "1.0.0"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
[[package]]
name = "backtrace"
@@ -72,9 +72,9 @@ dependencies = [
[[package]]
name = "bindgen"
version = "0.54.1"
version = "0.54.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f4d49b80beb70d76cdac92f5681e666f9a697c737c4f4117a67229a0386dc736"
checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
dependencies = [
"bitflags",
"cexpr",
@@ -86,7 +86,7 @@ dependencies = [
"lazycell",
"log",
"peeking_take_while",
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"regex",
"rustc-hash",
@@ -100,6 +100,18 @@ version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
[[package]]
name = "bstr"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a40b47ad93e1a5404e6c18dec46b628214fee441c70f4ab5d6942142cc268a3d"
dependencies = [
"lazy_static",
"memchr",
"regex-automata",
"serde",
]
[[package]]
name = "byteorder"
version = "1.3.4"
@@ -118,9 +130,9 @@ dependencies = [
[[package]]
name = "cc"
version = "1.0.58"
version = "1.0.59"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f9a06fb2e53271d7c279ec1efea6ab691c35a2ae67ec0d91d7acec0caf13b518"
checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
[[package]]
name = "cexpr"
@@ -150,9 +162,9 @@ dependencies = [
[[package]]
name = "clap"
version = "2.33.2"
version = "2.33.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10040cdf04294b565d9e0319955430099ec3813a64c952b86a41200ad714ae48"
checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
dependencies = [
"ansi_term",
"atty",
@@ -188,12 +200,12 @@ dependencies = [
[[package]]
name = "crossbeam-channel"
version = "0.4.3"
version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "09ee0cc8804d5393478d743b035099520087a5186f3b93fa58cec08fa62407b6"
checksum = "b153fe7cbef478c567df0f972e02e6d736db11affe43dfc9c56a9374d1adfb87"
dependencies = [
"cfg-if",
"crossbeam-utils",
"maybe-uninit",
]
[[package]]
@@ -213,7 +225,7 @@ version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
dependencies = [
"autocfg 1.0.0",
"autocfg 1.0.1",
"cfg-if",
"crossbeam-utils",
"lazy_static",
@@ -239,11 +251,24 @@ version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
dependencies = [
"autocfg 1.0.0",
"autocfg 1.0.1",
"cfg-if",
"lazy_static",
]
[[package]]
name = "csv"
version = "1.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
dependencies = [
"bstr",
"csv-core",
"itoa",
"ryu",
"serde",
]
[[package]]
name = "csv-core"
version = "0.1.10"
@@ -255,14 +280,14 @@ dependencies = [
[[package]]
name = "ctap_hmac"
version = "0.4.2"
version = "0.4.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c5fec79b66e3a7bc6a7ace0f4c98f0748892b36d3c5c317fadfce0344fd185dc"
checksum = "e9c22d4c95aeeb4e2d41e823912d5460cfa1ebf672363eb97b32fa7c91cab89a"
dependencies = [
"byteorder",
"cbor-codec",
"crossbeam",
"csv-core",
"csv",
"derive_builder",
"failure",
"failure_derive",
@@ -271,6 +296,8 @@ dependencies = [
"rand 0.6.5",
"ring",
"rust-crypto",
"serde",
"serde_derive",
"untrusted",
]
@@ -292,10 +319,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
dependencies = [
"fnv",
"ident_case",
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"strsim 0.9.3",
"syn 1.0.38",
"syn 1.0.73",
]
[[package]]
@@ -306,7 +333,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
dependencies = [
"darling_core",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
]
[[package]]
@@ -317,9 +344,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
dependencies = [
"darling",
"derive_builder_core",
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
]
[[package]]
@@ -329,9 +356,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
dependencies = [
"darling",
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
]
[[package]]
@@ -369,15 +396,15 @@ version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
dependencies = [
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
"synstructure",
]
[[package]]
name = "fido2luks"
version = "0.2.13"
version = "0.3.0"
dependencies = [
"ctap_hmac",
"failure",
@@ -474,15 +501,15 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
[[package]]
name = "lazycell"
version = "1.2.1"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
[[package]]
name = "libc"
version = "0.2.74"
version = "0.2.76"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10"
checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
[[package]]
name = "libcryptsetup-rs"
@@ -548,14 +575,14 @@ version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
dependencies = [
"autocfg 1.0.0",
"autocfg 1.0.1",
]
[[package]]
name = "miniz_oxide"
version = "0.4.0"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "be0f75932c1f6cfae3c04000e40114adf955636e19040f9c0a2c380702aa1c7f"
checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
dependencies = [
"adler",
]
@@ -587,7 +614,7 @@ version = "0.2.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
dependencies = [
"autocfg 1.0.0",
"autocfg 1.0.1",
]
[[package]]
@@ -615,9 +642,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
dependencies = [
"proc-macro-error-attr",
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
"version_check",
]
@@ -627,7 +654,7 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
dependencies = [
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"version_check",
]
@@ -643,9 +670,9 @@ dependencies = [
[[package]]
name = "proc-macro2"
version = "1.0.19"
version = "1.0.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "04f5f085b5d71e2188cb8271e5da0161ad52c3f227a661a3c135fdf28e258b12"
checksum = "f0d8caf72986c1a598726adc988bb5984792ef84f5ee5aa50209145ee8077038"
dependencies = [
"unicode-xid 0.2.1",
]
@@ -671,7 +698,7 @@ version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
dependencies = [
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
]
[[package]]
@@ -824,6 +851,12 @@ dependencies = [
"thread_local",
]
[[package]]
name = "regex-automata"
version = "0.1.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
[[package]]
name = "regex-syntax"
version = "0.6.18"
@@ -912,19 +945,19 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
[[package]]
name = "serde"
version = "1.0.115"
version = "1.0.126"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
checksum = "ec7505abeacaec74ae4778d9d9328fe5a5d04253220a85c4ee022239fc996d03"
[[package]]
name = "serde_derive"
version = "1.0.115"
version = "1.0.126"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
checksum = "963a7dbc9895aeac7ac90e74f34a5d5261828f79df35cbed41e10189d3804d43"
dependencies = [
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
]
[[package]]
@@ -958,9 +991,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
[[package]]
name = "structopt"
version = "0.3.16"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "de5472fb24d7e80ae84a7801b7978f95a19ec32cb1876faea59ab711eb901976"
checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
dependencies = [
"clap",
"lazy_static",
@@ -969,15 +1002,15 @@ dependencies = [
[[package]]
name = "structopt-derive"
version = "0.4.9"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e0eb37335aeeebe51be42e2dc07f031163fbabfa6ac67d7ea68b5c2f68d5f99"
checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
dependencies = [
"heck",
"proc-macro-error",
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
]
[[package]]
@@ -993,11 +1026,11 @@ dependencies = [
[[package]]
name = "syn"
version = "1.0.38"
version = "1.0.73"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e69abc24912995b3038597a7a593be5053eb0fb44f3cc5beec0deb421790c1f4"
checksum = "f71489ff30030d2ae598524f61326b902466f72a0fb1a8564c001cc63425bcc7"
dependencies = [
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"unicode-xid 0.2.1",
]
@@ -1008,9 +1041,9 @@ version = "0.12.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
dependencies = [
"proc-macro2 1.0.19",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.38",
"syn 1.0.73",
"unicode-xid 0.2.1",
]
@@ -1043,11 +1076,12 @@ dependencies = [
[[package]]
name = "time"
version = "0.1.43"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
dependencies = [
"libc",
"wasi",
"winapi",
]
@@ -1102,6 +1136,12 @@ version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
[[package]]
name = "wasi"
version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]]
name = "which"
version = "3.1.1"

12
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "fido2luks"
version = "0.2.13"
version = "0.3.0"
authors = ["shimunn <shimun@shimun.net>"]
edition = "2018"
@@ -14,19 +14,19 @@ categories = ["command-line-utilities"]
license = "MPL-2.0"
[dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"
rpassword = "4.0.1"
structopt = "0.3.2"
libcryptsetup-rs = "0.4.1"
libcryptsetup-rs = "0.4.2"
serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
serde_derive = "1.0.116"
serde = "1.0.116"
[build-dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"

26
PKGBUILD
View File

@@ -1,25 +1,37 @@
# Maintainer: shimunn <shimun@shimun.net>
pkgname=fido2luks
pkgver=0.2.12
pkgname=fido2luks-git
pkgver=0.2.16.7e6b33a
pkgrel=1
makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
depends=('cryptsetup')
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
url="https://github.com/shimunn/fido2luks"
license=('MPL-2.0')
source=('git+https://github.com/shimunn/fido2luks')
sha512sums=('SKIP')
pkgver() {
# Use tag version if possible otherwise concat project version and git ref
git describe --exact-match --tags HEAD 2> /dev/null || \
echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
cd fido2luks
# Use tag version if possible otherwise concat project version and git ref
git describe --exact-match --tags HEAD 2>/dev/null ||
echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
}
build() {
cd fido2luks
cargo build --release --locked --all-features --target-dir=target
}
package() {
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
cd fido2luks
install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
}

32
README.md
View File

@@ -2,7 +2,7 @@
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
## Setup
@@ -115,6 +115,36 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```
## Theory of operation
fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
```
+-------------------------------------------------------------------------------+
| |
| +-----------------------------------------+ |
| | FIDO2 device | |
| | | |
| | | |
+-------+--------+ +------+ | +---------------+ | | +------------------------+
| Salt/Password +-> |sha256+------------------------> | | | v | LUKS header |
+----------------+ +------+ | | | | | | +---------------+
| | | | +--------+ +------------------------+--------> |Disk master key|
| | sha256_hmac +---------> | sha256 +-------> | Keyslot 1 | +---------------+
+----------------+ | +----------+ | | | +--------+ +------------------------+
| FIDO credential+---------------> |Credential| +----> | | | | Keyslot 2 |
+----------------+ | |secret | | | | +------------------------+
| +----------+ +---------------+ |
| |
| |
+-----------------------------------------+
```
Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
in a completly different secret.
## License
Licensed under

79
README_NEW.md Normal file
View File

@@ -0,0 +1,79 @@
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Installation
### From Source
Installing from source requires the following dependencies:
Ubuntu: `cargo, libclang-dev, libcryptsetup-dev >= 2.2`
Fedora: `cargo, clang-devel, cryptsetup-devel`
To compile the fido2luks binary you can simply run `sudo cargo install --root /usr fido2luks` but since you may want to install the scripts included it this repo as well,
it's recommended to clone the repo and install from there.
``
git clone https://github.com/shimunn/fido2luks.git
cargo install --root /usr --path fido2luks
``
Continue with further instructions for [Ubuntu](initramfs-tools) or [Fedora](dracut)
### From Package
Ubuntu: see [releases](https://github.com/shimunn/fido2luks/releases)
NixOS: https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2
ArchLinux:
* [AUR](https://aur.archlinux.org/packages/fido2luks/)
* [Git](PKGBUILD)
Fedora: coming soon
## Credentials
Depending on the version of cryptsetup and the age of your installation your LUKS header might be in the LUKS2 format already if that's the case fido2luks will be able to spare you from dealing with just another config file by simply storeing all the required information within your LUKS header.
If your header is still using the LUKS1 format you may convert it:
```
cryptsetup convert --type luks2 <device>
```
if you want to keep using LUKS1 due to other software such as pam_mount not being compatible with LUKS2 at the moment, you will have to generate credentials by hand an add them to `/etc/fido2luks.conf` otherwise you can skip this step.
```
fido2luks credential [optional name]
```
the generated hexadecimal credential can then be added to `FIDO2LUKS_CREDENTIAL_ID=` in `/etc/fido2luks.conf` multiple credentials can be separated by comma.
## Adding a Key
If you had to generate a credential in the previous step you'll have to provide it to the following commands as a parameter or via an environment variable:
```
set -a
. /etc/fido2luks.conf
```
To then add the key you need to have your current password/keyfile ready:
without having generated a credential in the previous step: `fido2luks -i add-key --gen-cred <device>`
with a keyfile: `fido2luks -i add-key --keyfile <path-to-keyfile <device>`
if you've confirmed at a later stage that everything works as expected you may want to remove your keyfile/password by running the previous commands with the `--exclusive` flag which will remove all other keys from the device.
## Replacing a Key
with password: `fido2luks -i replace-key <device>`
with keyfile: `fido2luks -i replace-key -d <path-to-keyfile> <device>`
with another fido2 derived key: `fido2luks -i replace-key -f <device>`

6
build.rs
View File

@@ -19,6 +19,10 @@ use structopt::StructOpt;
fn main() {
// generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
Shell::from_str(shell).unwrap(),
env!("CARGO_MANIFEST_DIR"),
);
}
}

79
flake.lock generated Normal file
View File

@@ -0,0 +1,79 @@
{
"nodes": {
"cargo-deb": {
"flake": false,
"locked": {
"lastModified": 1627137192,
"narHash": "sha256-zDAwiETJquiViEvBKMuI9WWgSGhVDscL/m1ufKJENBw=",
"owner": "mmstick",
"repo": "cargo-deb",
"rev": "f603d105b4641e00640e46b189c6ee0c8f084de2",
"type": "github"
},
"original": {
"owner": "mmstick",
"repo": "cargo-deb",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1623927034,
"narHash": "sha256-sGxlmfp5eXL5sAMNqHSb04Zq6gPl+JeltIZ226OYN0w=",
"owner": "nmattia",
"repo": "naersk",
"rev": "e09c320446c5c2516d430803f7b19f5833781337",
"type": "github"
},
"original": {
"owner": "nmattia",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1627245147,
"narHash": "sha256-CQzH/4Mbhcx1HD+dtD7pZ0dHUZvX4eKN9b8Ifzz4gC4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "23098f20376cd1c874af476e5d8ef9169105b020",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"cargo-deb": "cargo-deb",
"naersk": "naersk",
"nixpkgs": "nixpkgs",
"utils": "utils"
}
},
"utils": {
"locked": {
"lastModified": 1623875721,
"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

106
flake.nix Normal file
View File

@@ -0,0 +1,106 @@
{
description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
inputs = {
utils.url = "github:numtide/flake-utils";
cargo-deb = {
flake = false;
url = "github:mmstick/cargo-deb";
};
naersk = {
url = "github:nmattia/naersk";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, utils, naersk, cargo-deb }:
let
root = ./.;
pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
forPkgs = pkgs:
let
naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup ];
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
nativeBuildInputs = with pkgs; [
pkgconfig
clang
];
in
rec {
# `nix build`
packages.${pname} = naersk-lib.buildPackage {
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
};
packages."${pname}-deb" =
let
cargoDeb = naersk-lib.buildPackage {
pname = "cargo-deb";
root = cargo-deb;
};
pkg = packages.${pname};
vm = pkgs.vmTools.diskImageFuns.ubuntu1804x86_64 { extraPackages = [ "cargo" "cryptsetup" "libclang-dev" "libcryptsetup-dev" ]; };
makefile = pkgs.writeText "Makefile" "
.PHONY: install
cargo-deb:
cargo install --debug --path cargo-deb
install: cargo-deb
cargo-deb
mkdir -p debs
cp target/debian/*.deb debs/
";
src = pkgs.runCommandLocal "${pname}-vendored" {} ''
mkdir -p $out/.cargo $out/cargo-deb/.cargo
printf '${pkg.cargoconfig}' > $out/.cargo/config.toml;
printf '${cargoDeb.cargoconfig}' > $out/cargo-deb/.cargo/config.toml;
printf '.PHONY: install\ninstall:\n\tcargo install --debug --path cargo-deb\n\tcargo-deb\n\tmkdir -p debs\n\tcp target/debian/*.deb debs/' > $out/Makefile
cp -r ${pkg.src}/. $out/
cp -r ${cargoDeb.src}/. $out/cargo-deb/
'';
args = {
diskImage = vm;
inherit src;
name = pname;
buildInputs = [ ];
meta.description = "No descr";
};
in
pkgs.releaseTools.debBuild args;
defaultPackage = packages.${pname};
# `nix run`
apps.${pname} = utils.lib.mkApp {
drv = packages.${pname};
};
defaultApp = apps.${pname};
# `nix flake check`
checks = {
fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
cd ${root}
cargo fmt -- --check
nixpkgs-fmt --check *.nix
touch $out
'';
};
hydraJobs = checks // packages;
# `nix develop`
devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
inherit buildInputs LIBCLANG_PATH;
};
};
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
in
(utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
overlay = final: prev: (forPkgs final).packages;
};
}

18
initcpio/Makefile Normal file
View File

@@ -0,0 +1,18 @@
.PHONY: install remove
install:
install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif
remove:
rm /usr/lib/initcpio/{hooks,install}/fido2luks
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif

52
initcpio/README.md Normal file
View File

@@ -0,0 +1,52 @@
## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
### Setup
1. Connect your FIDO2 authenticator
2. Generate credential id
```shell
fido2luks credential
```
3. Generate salt (random string)
```shell
pwgen 48 1
```
4. Add key to your LUKS2 device
```shell
fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
```
`-P` - request PIN to unlock the authenticator
`-t` - add token (including credential id) to the LUKS2 header
`-e` - wipe all other keys
For the full list of options see `fido2luks add-key --help`
5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
```shell
cryptsetup luksDump <block_device>
```
6. Add fido2luks hook to /etc/mkinitcpio.conf
Before or instead of `encrypt` hook, for example:
```shell
HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
```
7. Recreate initial ramdisk
```shell
mkinitcpio -p <preset>
```

18
initcpio/fido2luks.conf Normal file
View File

@@ -0,0 +1,18 @@
# Set credential *ONLY IF* it's not embedded in the LUKS2 header
FIDO2LUKS_CREDENTIAL_ID=
# Encrypted device and its name under /dev/mapper
# Can be overridden by `cryptdevice` kernel parameter
FIDO2LUKS_DEVICE=
FIDO2LUKS_MAPPER_NAME=
FIDO2LUKS_SALT=string:<salt>
# Use specific keyslot (ignore all other slots)
FIDO2LUKS_DEVICE_SLOT=
# Await for an authenticator to be connected (in seconds)
FIDO2LUKS_DEVICE_AWAIT=
# Set to 1 if PIN is required to unlock the authenticator
FIDO2LUKS_ASK_PIN=

55
initcpio/hooks/fido2luks Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/ash
run_hook() {
modprobe -a -q dm-crypt >/dev/null 2>&1
. /etc/fido2luks.conf
if [ -z "$cryptdevice" ]; then
device="$FIDO2LUKS_DEVICE"
dmname="$FIDO2LUKS_MAPPER_NAME"
else
IFS=: read cryptdev dmname _cryptoptions <<EOF
$cryptdevice
EOF
if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
return 1
fi
fi
options="--salt $FIDO2LUKS_SALT"
if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
options="$options --pin"
fi
if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
fi
if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
fi
# HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
# Temporary link it to /dev/tty1
mv /dev/tty /dev/tty.back
ln -s /dev/tty1 /dev/tty
printf "\nAuthentication is required to access the $dmname volume at $device\n"
if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
fido2luks open-token $device $dmname $options
else
fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
fi
exit_code=$?
# Restore /dev/tty
mv /dev/tty.back /dev/tty
if [ $exit_code -ne 0 ]; then
printf '\n'
read -s -p 'Press Enter to continue'
printf '\n'
fi
}

31
initcpio/install/fido2luks Normal file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
build() {
local mod
add_module dm-crypt
add_module dm-integrity
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules /crypto/
fi
add_binary fido2luks
add_binary dmsetup
add_file /usr/lib/udev/rules.d/10-dm.rules
add_file /usr/lib/udev/rules.d/13-dm-disk.rules
add_file /usr/lib/udev/rules.d/95-dm-notify.rules
add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
add_file /etc/fido2luks.conf /etc/fido2luks.conf
add_runscript
}
help() {
cat <<HELPEOF
This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
HELPEOF
}

15
initramfs-tools/Dockerfile Normal file
View File

@@ -0,0 +1,15 @@
FROM rust:bullseye
RUN cargo install -f cargo-deb --debug --version 1.30.0
ARG DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y cryptsetup pkg-config libclang-dev libcryptsetup-dev && mkdir -p /build/fido2luks
WORKDIR /build/fido2luks
ENV CARGO_TARGET_DIR=/build/fido2luks/target
RUN cargo install fido2luks -f
CMD bash -xc 'cp -rf /code/* /build/fido2luks && cargo-deb && cp target/debian/*.deb /out'

9
initramfs-tools/build-deb.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -ex
docker build . -t fido2luks-deb
mkdir -p debs
docker run -ti -v "$(pwd)/..:/code:ro" -v "$(pwd)/debs:/out" fido2luks-deb

2
initramfs-tools/keyscript.sh
View File

@@ -7,4 +7,4 @@ if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
fi
fido2luks print-secret --bin
fido2luks print-secret --bin "$CRYPTTAB_SOURCE" $([ "$FIDO2LUKS_USE_TOKEN" -eq 0 ] && printf "--disable-token")

220
pam_mount/fido2luksmounthelper.sh Executable file
View File

@@ -0,0 +1,220 @@
#!/bin/bash
#
# This is a rather minimal example Argbash potential
# Example taken from http://argbash.readthedocs.io/en/stable/example.html
#
# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Generated online by https://argbash.io/generate
die()
{
local _ret="${2:-1}"
test "${_PRINT_HELP:-no}" = yes && print_help >&2
echo "$1" >&2
exit "${_ret}"
}
begins_with_short_option()
{
local first_option all_short_options='cdmash'
first_option="${1:0:1}"
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}
# THE DEFAULTS INITIALIZATION - POSITIONALS
_positionals=()
# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_credentials_type=
_arg_device=
_arg_mount_point=
_arg_ask_pin="off"
_arg_salt=""
print_help()
{
printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
printf '\t%s\n' "-h, --help: Prints help"
}
parse_commandline()
{
_positionals_count=0
while test $# -gt 0
do
_key="$1"
case "$_key" in
-c|--credentials-type)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_credentials_type="$2"
shift
;;
--credentials-type=*)
_arg_credentials_type="${_key##--credentials-type=}"
;;
-c*)
_arg_credentials_type="${_key##-c}"
;;
-d|--device)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_device="$2"
shift
;;
--device=*)
_arg_device="${_key##--device=}"
;;
-d*)
_arg_device="${_key##-d}"
;;
-m|--mount-point)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_mount_point="$2"
shift
;;
--mount-point=*)
_arg_mount_point="${_key##--mount-point=}"
;;
-m*)
_arg_mount_point="${_key##-m}"
;;
-a|--no-ask-pin|--ask-pin)
_arg_ask_pin="on"
test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
;;
-a*)
_arg_ask_pin="on"
_next="${_key##-a}"
if test -n "$_next" -a "$_next" != "$_key"
then
{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
fi
;;
-s|--salt)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_salt="$2"
shift
;;
--salt=*)
_arg_salt="${_key##--salt=}"
;;
-s*)
_arg_salt="${_key##-s}"
;;
-h|--help)
print_help
exit 0
;;
-h*)
print_help
exit 0
;;
*)
_last_positional="$1"
_positionals+=("$_last_positional")
_positionals_count=$((_positionals_count + 1))
;;
esac
shift
done
}
handle_passed_args_count()
{
local _required_args_string="'operation'"
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}
assign_positional_args()
{
local _positional_name _shift_for=$1
_positional_names="_arg_operation "
shift "$_shift_for"
for _positional_name in ${_positional_names}
do
test $# -gt 0 || break
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
shift
done
}
parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"
# OTHER STUFF GENERATED BY Argbash
### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash
if [ -z ${_arg_mount_point} ]; then
die "Missing '--mount-point' argument"
fi
if [ -z ${_arg_device} ]; then
die "Missing '--device' argument"
fi
ASK_PIN=${_arg_ask_pin}
OPERATION=${_arg_operation}
DEVICE=${_arg_device}
DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
MOUNT_POINT=${_arg_mount_point}
CREDENTIALS_TYPE=${_arg_credentials_type}
SALT=${_arg_salt}
CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
if [ "${OPERATION}" == "mount" ]; then
if [ "${CREDENTIALS_TYPE}" == "external" ]; then
if [ -f ${CONF_FILE_PATH} ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
CREDENTIALS=$(<${CONF_FILE_PATH})
else
die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
fi
printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
else
die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
fi
mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
elif [ "${OPERATION}" == "umount" ]; then
umount ${MOUNT_POINT}
cryptsetup luksClose ${DEVICE_NAME}
else
die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
fi
exit 0
# ] <-- needed because of Argbash

481
src/cli.rs
View File

@@ -2,33 +2,23 @@ use crate::error::*;
use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256;
use crate::*;
pub use cli_args::Args;
use cli_args::*;
use structopt::clap::Shell;
use structopt::StructOpt;
use ctap::{FidoCredential, FidoErrorKind};
use std::io::{Read, Write};
use std::borrow::Cow;
use std::collections::HashSet;
use std::io::Write;
use std::iter::FromIterator;
use std::path::Path;
use std::str::FromStr;
use std::thread;
use std::time::Duration;
use std::borrow::Cow;
use std::collections::HashSet;
use std::fs::File;
use std::time::SystemTime;
use structopt::clap::Shell;
use structopt::StructOpt;
pub use cli_args::Args;
fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
if let Some(src) = ap.pin_source.as_ref() {
let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?;
Ok(pin)
} else {
util::read_password("Authenticator PIN", false)
}
fn read_pin() -> Fido2LuksResult<String> {
util::read_password_tty("Authenticator PIN", false)
}
fn derive_secret(
@@ -37,6 +27,9 @@ fn derive_secret(
timeout: u64,
pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials);
}
let timeout = Duration::from_secs(timeout);
let start = SystemTime::now();
@@ -64,16 +57,118 @@ fn derive_secret(
let (unsalted, cred) =
perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
let binary = sha256(&[salt, &unsalted[..]]);
Ok((binary, cred.clone()))
}
pub fn extend_creds_device(
creds: &[HexEncoded],
luks_dev: &mut LuksDevice,
) -> Fido2LuksResult<Vec<HexEncoded>> {
let mut additional = HashSet::new();
additional.extend(creds.iter().cloned());
for token in luks_dev.tokens()? {
for cred in token?.1.credential {
let parsed = HexEncoded::from_str(cred.as_str()).map_err(|_e| {
Fido2LuksError::HexEncodingError {
string: cred.clone(),
}
})?;
additional.insert(parsed);
}
}
Ok(Vec::from_iter(additional.into_iter()))
}
pub fn get_input(
secret: &SecretParameters,
authenticator: &AuthenticatorParameters,
interactive: bool,
q: &str,
verify: bool,
) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
let password_helper = secret
.password_helper
.as_ref()
.map(|helper| move || helper.obtain());
let salt = &secret.salt;
Ok(if interactive {
(
if authenticator.pin && may_require_pin()? {
Some(read_pin()?)
} else {
None
},
salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?,
)
} else {
match (
authenticator.pin && may_require_pin()?,
authenticator.pin_prefixed,
) {
(true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?),
(true, true) => read_password_pin_prefixed(|| {
salt.obtain(password_helper).and_then(|secret| {
String::from_utf8(secret).map_err(|e| Fido2LuksError::from(e))
})
})?,
(false, _) => (None, salt.obtain_sha256(password_helper)?),
}
})
}
pub fn read_password_pin_prefixed(
prefixed: impl Fn() -> Fido2LuksResult<String>,
) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
let read = prefixed()?;
let separator = ':';
let mut parts = read.split(separator);
let pin = parts.next().filter(|p| p.len() > 0).map(|p| p.to_string());
let password = match pin {
Some(ref pin) if read.len() > pin.len() => {
read.chars().skip(pin.len() + 1).collect::<String>()
}
Some(_) => String::new(),
_ => read
.chars()
.skip(read.chars().next().map(|c| c == separator).unwrap_or(false) as usize)
.collect::<String>(),
};
Ok((pin, util::sha256(&[password.as_bytes()])))
}
/// generate an more readable name from common paths
pub fn derive_credential_name(path: &Path) -> String {
match path.file_name() {
Some(name)
if path
.iter()
.any(|p| p == "by-label" || p == "by-partlabel" || p == "by-uuid") =>
{
name.to_string_lossy().as_ref().to_string()
}
_ => path.display().to_string(),
}
}
pub fn parse_cmdline() -> Args {
Args::from_args()
}
pub fn prompt_interaction(interactive: bool) {
if interactive {
println!("Authorize using your FIDO device");
}
}
pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout();
let args = parse_cmdline();
let log = |message: &dyn Fn() -> String| {
if args.verbose {
eprintln!("{}", &*message());
}
};
let interactive = args.interactive;
match &args.command {
Command::Credential {
@@ -81,13 +176,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
name,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin(authenticator)?;
let pin = if authenticator.pin && may_require_pin()? {
pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
let cred = make_credential_id(Some(name.as_ref()), pin)?;
println!("{}", hex::encode(&cred.id));
Ok(())
}
@@ -96,25 +191,44 @@ pub fn run_cli() -> Fido2LuksResult<()> {
authenticator,
credentials,
secret,
device,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref())
let (pin, salt) =
get_input(&secret, &authenticator, args.interactive, "Password", false)?;
let credentials = if let Some(path) = device {
let mut dev = LuksDevice::load(path)?;
let luks2 = dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
extend_creds_device(
credentials
.ids
.clone()
.map(|cs| cs.0)
.unwrap_or_default()
.as_slice(),
&mut dev,
)?
} else {
None
credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
};
let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed("Password", false)
} else {
secret.salt.obtain_sha256(&secret.password_helper)
}?;
let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(),
log(&|| {
format!(
"credentials: {}",
credentials
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
prompt_interaction(interactive);
let (secret, cred) = derive_secret(
&credentials,
&salt,
authenticator.await_time,
pin,
pin.as_deref(),
)?;
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
if *binary {
stdout.write_all(&secret[..])?;
} else {
@@ -129,7 +243,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
luks_mod,
existing_secret: other_secret,
token,
..
}
| Command::ReplaceKey {
@@ -139,21 +252,41 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
luks_mod,
replacement: other_secret,
token,
..
} => {
let pin = if authenticator.pin {
Some(read_pin(authenticator)?)
let mut luks_dev = LuksDevice::load(&luks.device)?;
let luks2 = luks_dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
let credentials = if !luks.disable_token && luks2 {
extend_creds_device(
credentials
.ids
.clone()
.map(|cs| cs.0)
.unwrap_or_default()
.as_slice(),
&mut luks_dev,
)?
} else {
None
credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
};
let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain_sha256(&secret.password_helper)
}
log(&|| {
format!(
"credentials: {}",
credentials
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify)
};
let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
@@ -164,38 +297,70 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => Ok((util::read_keyfile(file)?, None)),
OtherSecret {
fido_device: true, ..
} => Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
} => {
let (pin, salt) = inputs(salt_q, verify)?;
prompt_interaction(interactive);
Ok(derive_secret(
&credentials,
&salt,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
}
_ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
util::read_password_tty(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
}
};
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
derive_secret(
&credentials.ids.0,
&salt("Password", verify)?,
authenticator.await_time,
pin.as_deref(),
)
let secret = |q: &str,
verify: bool,
credentials: &[HexEncoded]|
-> Fido2LuksResult<([u8; 32], FidoCredential)> {
let (pin, salt) = inputs(q, verify)?;
prompt_interaction(interactive);
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
};
let mut luks_dev = LuksDevice::load(&luks.device)?;
// Non overlap
match &args.command {
Command::AddKey { exclusive, .. } => {
Command::AddKey {
exclusive,
generate_credential,
..
} => {
let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?;
let (new_secret, cred) = if *generate_credential && luks2 {
let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()),
(if authenticator.pin && may_require_pin()? {
//TODO: not ideal since it ignores pin-prefixed
Some(read_pin()?)
} else {
None
})
.as_deref(),
)?;
log(&|| {
format!(
"generated credential: {}\ncredential username: {:?}",
hex::encode(&cred.id),
derive_credential_name(luks.device.as_path())
)
});
let creds = vec![HexEncoded(cred.id)];
secret("Password to be added", true, &creds)
} else {
secret("Password to be added", true, &credentials)
}?;
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
let added_slot = luks_dev.add_key(
&new_secret,
&existing_secret[..],
luks_mod.kdf_time.or(Some(10)),
Some(&cred.id[..]).filter(|_| *token),
Some(&cred.id[..])
.filter(|_| !luks.disable_token || *generate_credential)
.filter(|_| luks2),
)?;
if *exclusive {
let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
@@ -214,24 +379,42 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}
Ok(())
}
Command::ReplaceKey { add_password, .. } => {
let (existing_secret, _) = secret(false)?;
Command::ReplaceKey {
add_password,
remove_cred,
..
} => {
let (existing_secret, _prev_cred) =
secret("Current password", false, &credentials)?;
let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password {
luks_dev.add_key(
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
cred.as_ref()
.filter(|_| !luks.disable_token)
.filter(|_| luks2)
.map(|cred| &cred.id[..]),
)
} else {
luks_dev.replace_key(
let slot = luks_dev.replace_key(
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
)
cred.as_ref()
.filter(|_| !luks.disable_token)
.filter(|_| luks2)
.map(|cred| &cred.id[..]),
)?;
if *remove_cred && cred.is_none() {
luks_dev.remove_token_slot(slot)?;
}
Ok(slot)
}?;
if let Some(cred) = cred {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
}
println!(
"Added to password to device {}, slot: {}",
luks.device.display(),
@@ -247,62 +430,71 @@ pub fn run_cli() -> Fido2LuksResult<()> {
authenticator,
secret,
name,
credentials,
retries,
..
}
| Command::OpenToken {
luks,
authenticator,
secret,
name,
retries,
dry_run,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref())
} else {
None
};
let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain_sha256(&secret.password_helper)
}
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify)
};
// Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
let (pin, salt) = inputs("Password", false)?;
prompt_interaction(interactive);
derive_secret(
credentials.as_ref(),
&salt("Password", false)?,
&salt,
authenticator.await_time,
pin,
pin.as_deref(),
)
};
let mut retries = *retries;
let mut luks_dev = LuksDevice::load(&luks.device)?;
let luks2 = luks_dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
loop {
let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
Command::OpenToken { .. } => luks_dev.activate_token(
let slot = if let Some(ref credentials) = credentials.ids {
log(&|| {
format!(
"credentials: {}",
credentials
.0
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
luks_dev.activate(&name, &secret, luks.slot, *dry_run)
})
} else if luks2 && !luks.disable_token {
luks_dev.activate_token(
&name,
Box::new(|credentials: Vec<String>| {
log(&|| format!("credentials: {}", credentials.join(", ")));
let creds = credentials
.into_iter()
.flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
.collect::<Vec<_>>();
secret(Cow::Owned(creds))
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
secret(Cow::Owned(creds)).map(|(secret, cred)| {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
(secret, hex::encode(&cred.id))
})
}),
luks.slot,
),
_ => unreachable!(),
*dry_run,
)
} else if luks_dev.is_luks2()? && luks.disable_token {
// disable-token is mostly cosmetic in this instance
return Err(Fido2LuksError::InsufficientCredentials);
} else {
return Err(Fido2LuksError::WrongSecret);
};
match secret {
match slot {
Err(e) => {
match e {
Fido2LuksError::WrongSecret if retries > 0 => {}
@@ -310,11 +502,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
e => return Err(e),
}
};
retries -= 1;
eprintln!("{}", e);
}
res => break res.map(|_| ()),
Ok(slot) => {
log(&|| format!("keyslot: {}", slot));
break Ok(());
}
}
}
}
@@ -384,7 +579,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
1
} else {
tokens.len()
@@ -392,7 +587,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
for (id, mut token) in tokens {
token
.credential
.extend(credentials.ids.0.iter().map(|h| h.to_string()));
.extend(credentials.0.iter().map(|h| h.to_string()));
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
@@ -420,7 +615,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
token.credential = token
.credential
.into_iter()
.filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
.filter(|cred| !credentials.0.iter().any(|h| &h.to_string() == cred))
.collect();
dev.update_token(id, &token)?;
}
@@ -450,16 +645,64 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}
},
Command::GenerateCompletions { shell, out_dir } => {
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
match shell.as_ref() {
"bash" => Shell::Bash,
"fish" => Shell::Fish,
_ => unreachable!("structopt shouldn't allow us to reach this point"),
},
&out_dir,
);
// zsh won't work atm https://github.com/clap-rs/clap/issues/1822
if let Some(s) = shell {
if s.as_str() == "zsh" {
unimplemented!("zsh completions are broken atm: see https://github.com/clap-rs/clap/issues/1822")
}
}
for variant in Shell::variants().iter().filter(|v| *v != &"zsh") {
if let Some(s) = shell {
if *variant != s.as_str() {
break;
}
}
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
Shell::from_str(variant)
.expect("structopt shouldn't allow us to reach this point"),
&out_dir,
);
}
Ok(())
}
}
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_read_password_pin_prefixed() {
// 1234:test -> PIN: 1234, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok("1234:test".into())).unwrap(),
(Some("1234".to_string()), util::sha256(&["test".as_bytes()]))
);
// :test -> PIN: None, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
(None, util::sha256(&["test".as_bytes()]))
);
// 1234::test -> PIN: 1234, password: :test
assert_eq!(
read_password_pin_prefixed(|| Ok("1234::test".into())).unwrap(),
(
Some("1234".to_string()),
util::sha256(&[":test".as_bytes()])
)
);
// 1234 -> PIN: 1234, password: empty
assert_eq!(
read_password_pin_prefixed(|| Ok("1234".into())).unwrap(),
(Some("1234".to_string()), util::sha256(&["".as_bytes()]))
);
// 1234:test -> PIN: None, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
(None, util::sha256(&["test".as_bytes()]))
);
}
}

31
src/cli_args/config.rs
View File

@@ -7,6 +7,7 @@ use std::fs::File;
use std::io::Read;
use std::path::PathBuf;
use std::process::Command;
use std::process::Stdio;
use std::str::FromStr;
#[derive(Debug, Clone, PartialEq)]
@@ -55,11 +56,17 @@ impl fmt::Display for SecretInput {
}
impl SecretInput {
pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
pub fn obtain_string(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<String> {
Ok(String::from_utf8(self.obtain(password_helper)?)?)
}
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
pub fn obtain(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<Vec<u8>> {
let mut secret = Vec::new();
match self {
SecretInput::File { path } => {
@@ -67,16 +74,22 @@ impl SecretInput {
let mut do_io = || File::open(path)?.read_to_end(&mut secret);
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
SecretInput::AskPassword => {
secret.extend_from_slice(password_helper.obtain()?.as_bytes())
}
SecretInput::AskPassword => secret.extend_from_slice(
password_helper.ok_or_else(|| Fido2LuksError::AskPassError {
cause: AskPassError::FailedHelper,
})?()?
.as_bytes(),
),
SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
}
Ok(secret)
}
pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
pub fn obtain_sha256(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<[u8; 32]> {
let mut digest = digest::Context::new(&digest::SHA256);
match self {
SecretInput::File { path } => {
@@ -151,11 +164,13 @@ impl PasswordHelper {
use PasswordHelper::*;
match self {
Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?),
Stdin => Ok(util::read_password("Password", true, false)?),
Script(password_helper) => {
let password = Command::new("sh")
.arg("-c")
.arg(&password_helper)
.stdin(Stdio::inherit())
.stderr(Stdio::inherit())
.output()
.map_err(|e| Fido2LuksError::AskPassError {
cause: error::AskPassError::IO(e),
@@ -198,7 +213,7 @@ mod test {
fn input_salt_obtain() {
assert_eq!(
SecretInput::String("abc".into())
.obtain(&PasswordHelper::Stdin)
.obtain_sha256(Some(|| Ok("123456".to_string())))
.unwrap(),
[
186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

113
src/cli_args/mod.rs
View File

@@ -1,7 +1,8 @@
use std::fmt::{Display, Error, Formatter};
use std::hash::{Hash, Hasher};
use std::path::PathBuf;
use std::str::FromStr;
use structopt::clap::AppSettings;
use structopt::clap::{AppSettings, Shell};
use structopt::StructOpt;
mod config;
@@ -31,6 +32,12 @@ impl FromStr for HexEncoded {
}
}
impl Hash for HexEncoded {
fn hash<H: Hasher>(&self, state: &mut H) {
self.0.hash(state)
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
@@ -58,19 +65,24 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
#[derive(Debug, StructOpt)]
pub struct Credentials {
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>,
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
pub ids: Option<CommaSeparated<HexEncoded>>,
}
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
/// Request a PIN to unlock the authenticator if required
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Location to read PIN from
#[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
pub pin_source: Option<PathBuf>,
/// Request PIN and password combined `pin:password` when using an password helper
#[structopt(long = "pin-prefixed")]
pub pin_prefixed: bool,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
@@ -90,13 +102,20 @@ pub struct LuksParameters {
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
pub slot: Option<u32>,
/// Disable implicit use of LUKS2 tokens
#[structopt(
long = "disable-token",
// env = "FIDO2LUKS_DISABLE_TOKEN" // unfortunately clap will convert flags into args if they have an env attribute
)]
pub disable_token: bool,
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksModParameters {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")]
#[structopt(long = "kdf-time", name = "kdf-time", env = "FIDO2LUKS_KDF_TIME")]
pub kdf_time: Option<u64>,
}
@@ -119,15 +138,17 @@ pub struct SecretParameters {
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
long = "password-helper"
)]
pub password_helper: PasswordHelper,
pub password_helper: Option<PasswordHelper>,
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(short = "v", long = "verbose")]
pub verbose: bool,
#[structopt(subcommand)]
pub command: Command,
}
@@ -138,7 +159,7 @@ pub struct OtherSecret {
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
pub keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
/// Note: this requires for the credential for the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
pub fido_device: bool,
}
@@ -147,8 +168,9 @@ pub struct OtherSecret {
pub enum Command {
#[structopt(name = "print-secret")]
PrintSecret {
// version 0.3.0 will store use the lower case ascii encoded hex string making binary output unnecessary
/// Prints the secret as binary instead of hex encoded
#[structopt(short = "b", long = "bin")]
#[structopt(hidden = true, short = "b", long = "bin")]
binary: bool,
#[structopt(flatten)]
credentials: Credentials,
@@ -156,6 +178,9 @@ pub enum Command {
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Load credentials from LUKS header
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: Option<PathBuf>,
},
/// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")]
@@ -171,9 +196,9 @@ pub enum Command {
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
/// Will generate an credential while adding a new key to this LUKS device if supported
#[structopt(short = "g", long = "gen-cred")]
generate_credential: bool,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
@@ -193,16 +218,16 @@ pub enum Command {
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
/// Remove the affected credential from LUKS header
#[structopt(short = "r", long = "remove-cred")]
remove_cred: bool,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Open the LUKS device
#[structopt(name = "open")]
#[structopt(name = "open", alias = "open-token")]
Open {
#[structopt(flatten)]
luks: LuksParameters,
@@ -216,40 +241,30 @@ pub enum Command {
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Perform the whole procedure without mounting the LUKS volume on success
#[structopt(long = "dry-run")]
dry_run: bool,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>,
/// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
name: String,
},
/// Check if an authenticator is connected
#[structopt(name = "connected")]
Connected,
Token(TokenCommand),
/// Generate bash completion scripts
/// Example: fido2luks completions --shell bash /usr/share/bash-completion/completions
#[structopt(name = "completions", setting = AppSettings::Hidden)]
GenerateCompletions {
/// Shell to generate completions for: bash, fish
#[structopt(possible_values = &["bash", "fish"])]
shell: String,
/// Shell to generate completions for
#[structopt(short = "s", long = "shell",possible_values = &Shell::variants()[..])]
shell: Option<String>,
out_dir: PathBuf,
},
}
@@ -269,8 +284,14 @@ pub enum TokenCommand {
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
credentials: CommaSeparated<HexEncoded>,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
@@ -279,8 +300,14 @@ pub enum TokenCommand {
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
credentials: CommaSeparated<HexEncoded>,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,

15
src/device.rs
View File

@@ -19,7 +19,7 @@ pub fn make_credential_id(
}
let request = request.build().unwrap();
let make_credential = |device: &mut FidoDevice| {
if let Some(pin) = pin {
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?;
}
device.make_hmac_credential(&request)
@@ -44,7 +44,7 @@ pub fn perform_challenge<'a>(
.build()
.unwrap();
let get_assertion = |device: &mut FidoDevice| {
if let Some(pin) = pin {
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?;
}
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
@@ -58,6 +58,17 @@ pub fn perform_challenge<'a>(
Ok((secret, credential))
}
pub fn may_require_pin() -> Fido2LuksResult<bool> {
for di in ctap::get_devices()? {
if let Ok(dev) = FidoDevice::new(&di) {
if dev.needs_pin() {
return Ok(true);
}
}
}
Ok(false)
}
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
let mut devices = Vec::with_capacity(2);
for di in ctap::get_devices()? {

6
src/error.rs
View File

@@ -29,6 +29,10 @@ pub enum Fido2LuksError {
WrongSecret,
#[fail(display = "not an utf8 string")]
StringEncodingError { cause: FromUtf8Error },
#[fail(display = "not an hex string: {}", string)]
HexEncodingError { string: String },
#[fail(display = "couldn't obtain at least one credential")]
InsufficientCredentials,
}
impl Fido2LuksError {
@@ -50,6 +54,8 @@ pub enum AskPassError {
IO(io::Error),
#[fail(display = "provided passwords don't match")]
Mismatch,
#[fail(display = "failed to call password helper")]
FailedHelper,
}
#[derive(Debug, Fail)]

29
src/luks.rs
View File

@@ -111,6 +111,20 @@ impl LuksDevice {
Ok(())
}
pub fn remove_token_slot(&mut self, slot: u32) -> Fido2LuksResult<()> {
let mut remove = HashSet::new();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
remove.insert(id);
}
}
for rm in remove {
self.remove_token(rm)?;
}
Ok(())
}
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
@@ -192,7 +206,9 @@ impl LuksDevice {
old_secret,
CryptActivateFlags::empty(),
)?;
self.device.keyslot_handle().change_by_passphrase(
// slot should stay the same but better be safe than sorry
let slot = self.device.keyslot_handle().change_by_passphrase(
Some(slot),
Some(slot),
old_secret,
@@ -221,10 +237,16 @@ impl LuksDevice {
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
dry_run: bool,
) -> Fido2LuksResult<u32> {
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.activate_by_passphrase(
Some(name).filter(|_| !dry_run),
slot_hint,
secret,
CryptActivateFlags::empty(),
)
.map_err(LuksError::activate)
}
@@ -233,6 +255,7 @@ impl LuksDevice {
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
dry_run: bool,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
@@ -276,7 +299,7 @@ impl LuksDevice {
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot) {
match self.activate(name, &secret, slot, dry_run) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}

18
src/util.rs
View File

@@ -13,9 +13,17 @@ pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
secret.as_mut().copy_from_slice(digest.finish().as_ref());
secret
}
pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
pub fn read_password_tty(q: &str, verify: bool) -> Fido2LuksResult<String> {
read_password(q, verify, true)
}
pub fn read_password(q: &str, verify: bool, tty: bool) -> Fido2LuksResult<String> {
let res = if tty {
rpassword::read_password_from_tty(Some(&[q, ": "].join("")))
} else {
print!("{}: ", q);
rpassword::read_password()
}?;
match res {
ref pass
if verify
&& &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
@@ -29,10 +37,6 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
}
}
pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
}
pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
let mut file = File::open(path.into())?;
let mut key = Vec::new();