0.2.0

.drone.yml

@@ -12,3 +12,23 @@ steps:
    commands:
     - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
     - cargo test
+
+ - name: build
+   image: rust:1.37.0
+   commands:
+    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - cargo install -f --path . --root .
+   when:
+    event: tag
+ - name: publish
+   image: plugins/github-release
+   settings:
+     api_key:
+      from_secret: github_release
+     files:
+      - bin/fido2luks
+     checksum:
+      - md5
+      - sha256
+   when:
+    event: tag    

Cargo.lock

@@ -50,7 +50,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "blkid-rs"
 version = "0.1.1"
-source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy#2f3e0e20a4619e09750e759c96286f32c2baa2fa"
+source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot#09189246eac5b930d13a4e0d78d75157bf07c832"
 dependencies = [
  "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -105,12 +105,12 @@ dependencies = [
 [[package]]
 name = "cryptsetup-rs"
 version = "0.2.0"
-source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy#2f3e0e20a4619e09750e759c96286f32c2baa2fa"
+source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot#09189246eac5b930d13a4e0d78d75157bf07c832"
 dependencies = [
- "blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
+ "blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)",
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
- "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
+ "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
  "uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
@@ -175,11 +175,11 @@ dependencies = [
 name = "fido2luks"
 version = "0.1.0"
 dependencies = [
- "cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
+ "cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "ctap 0.1.0 (git+https://github.com/shimunn/ctap.git?branch=hmac_ext)",
  "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
+ "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "rpassword 4.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "rust-crypto 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
  "structopt 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -221,7 +221,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "libcryptsetup-sys"
 version = "0.1.1"
-source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy#2f3e0e20a4619e09750e759c96286f32c2baa2fa"
+source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot#09189246eac5b930d13a4e0d78d75157bf07c832"
 dependencies = [
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
  "pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -612,14 +612,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum backtrace 0.3.37 (registry+https://github.com/rust-lang/crates.io-index)" = "5180c5a20655b14a819b652fd2378fa5f1697b6c9ddad3e695c2f9cedf6df4e2"
 "checksum backtrace-sys 0.1.31 (registry+https://github.com/rust-lang/crates.io-index)" = "82a830b4ef2d1124a711c71d263c5abdc710ef8e907bd508c88be475cebc422b"
 "checksum bitflags 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3d155346769a6855b86399e9bc3814ab343cd3d62c7e985113d46a0ec3c281fd"
-"checksum blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)" = "<none>"
+"checksum blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)" = "<none>"
 "checksum byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "a7c3dd8985a7111efc5c80b44e23ecdd8c007de8ade3b96595387e812b957cf5"
 "checksum cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e083a023562b37c52837e850131a51b1154cceb9d149f41ee3d386737b140f46"
 "checksum cc 1.0.45 (registry+https://github.com/rust-lang/crates.io-index)" = "4fc9a35e1f4290eb9e5fc54ba6cf40671ed2a2514c3eeb2b2a908dda2ea5a1be"
 "checksum cfg-if 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)" = "b486ce3ccf7ffd79fdeb678eac06a9e6c09fc88d33836340becb8fffe87c5e33"
 "checksum clap 2.33.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
 "checksum cloudabi 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f"
-"checksum cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)" = "<none>"
+"checksum cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)" = "<none>"
 "checksum ctap 0.1.0 (git+https://github.com/shimunn/ctap.git?branch=hmac_ext)" = "<none>"
 "checksum errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)" = "c2a071601ed01b988f896ab14b95e67335d1eeb50190932a1320f7fe3cadc84e"
 "checksum errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "14ca354e36190500e1e1fb267c647932382b54053c50b14970856c0b00a35067"
@@ -631,7 +631,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
 "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 "checksum libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)" = "34fcd2c08d2f832f376f4173a231990fa5aef4e99fb569867318a227ef4c06ba"
-"checksum libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)" = "<none>"
+"checksum libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)" = "<none>"
 "checksum log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)" = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
 "checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
 "checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"

Cargo.toml

@@ -1,14 +1,14 @@
 [package]
 name = "fido2luks"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
 [dependencies]
 ctap = { git = "https://github.com/shimunn/ctap.git", branch = "hmac_ext" }
 #cryptsetup-rs = "0.2.0"
-cryptsetup-rs = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "destroy" }
-libcryptsetup-sys = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "destroy" }
+cryptsetup-rs = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "update_keyslot" }
+libcryptsetup-sys = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "update_keyslot" }
 
 hex = "0.3.2"
 rust-crypto = "0.2.36"

README.md

@@ -26,7 +26,7 @@ set -a
 . fido2luks.conf
 
 #Repeat for each luks volume
-sudo -E fido2luks -i addkey /dev/disk/by-uuid/<DISK_UUID>
+sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
 #Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>

dracut/96luks-2fa/luks-2fa-generator.sh

@@ -1,11 +1,10 @@
 #!/bin/bash
 
-NORMAL_DIR="/tmp//run/systemd/system"
+NORMAL_DIR="/run/systemd/system"
 LUKS_2FA_WANTS="/etc/systemd/system/luks-2fa.target.wants"
 
 CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
 FIDO2LUKS="/usr/bin/fido2luks"
-XXD="/usr/bin/xxd"
 MOUNT=$(command -v mount)
 UMOUNT=$(command -v umount)
 
@@ -35,11 +34,11 @@ generate_service () {
                 printf -- "\nRemainAfterExit=yes"
                 printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
                 printf -- "\nEnvironment=FIDO2LUKS_SALT='%s'" "Ask"
-                printf -- "\nEnvironment=FIDO2LUKS_PASSWORD_HELPER='%s'" "/usr/bin/systemd-ask-password \"Disk 2fa password\""
+                printf -- "\nEnvironment=FIDO2LUKS_PASSWORD_HELPER='%s'" "/usr/bin/systemd-ask-password Disk 2fa password"
                 printf -- "\nKeyringMode=%s" "shared"
-		printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text ${CON_MSG}"
+		printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
 		printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\""
-		printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text ${CON_MSG}"
+		printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
                 printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
                 printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
         } > "$sd_service"
@@ -50,7 +49,7 @@ generate_service () {
                 printf -- "\nConditionPathExists=!/dev/mapper/luks-%s" "$target_uuid"
         } > "${sd_dir}/${crypto_target_service}.d/drop-in.conf"
 
-       # ln -sf "$sd_service" "${LUKS_2FA_WANTS}/"
+        ln -sf "$sd_service" "${LUKS_2FA_WANTS}/"
 }
 
 parse_cmdline () {
@@ -81,5 +80,4 @@ generate_from_cmdline () {
         done
 }
 
-#generate_from_cmdline
-generate_service CRED UUID $timeout
+generate_from_cmdline

src/cli.rs

@@ -8,11 +8,15 @@ use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
 use libcryptsetup_sys::crypt_keyslot_info;
 use structopt::StructOpt;
 
-use std::fs::File;
-use std::io::{Read, Write};
+use std::io::Write;
 use std::process::exit;
 
-pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> Fido2LuksResult<u8> {
+pub fn add_key_to_luks(
+    device: PathBuf,
+    secret: &[u8; 32],
+    old_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
+    exclusive: bool,
+) -> Fido2LuksResult<u8> {
     fn offer_format(
         _dev: CryptDeviceOpenBuilder,
     ) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
@@ -21,20 +25,7 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> F
     let dev =
         || -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
 
-    let prev_key_info = rpassword::read_password_from_tty(Some(
-        "Please enter your current password or path to a keyfile in order to add a new key: ",
-    ))?;
-
-    let prev_key = match prev_key_info.as_ref() {
-        "" => None,
-        keyfile if PathBuf::from(keyfile).exists() => {
-            let mut f = File::open(keyfile)?;
-            let mut key = Vec::new();
-            f.read_to_end(&mut key)?;
-            Some(key)
-        }
-        password => Some(Vec::from(password.as_bytes())),
-    };
+    let prev_key = old_secret()?;
 
     let mut handle = match dev()?.luks1() {
         Ok(handle) => handle,
@@ -47,7 +38,7 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> F
         err => err?,
     };
     handle.set_iteration_time(50);
-    let slot = handle.add_keyslot(secret, prev_key.as_ref().map(|b| b.as_slice()), None)?;
+    let slot = handle.add_keyslot(secret, Some(prev_key.as_slice()), None)?;
     if exclusive {
         for old_slot in 0..8u8 {
             if old_slot != slot
@@ -62,6 +53,23 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> F
     Ok(slot)
 }
 
+pub fn add_password_to_luks(
+    device: PathBuf,
+    secret: &[u8; 32],
+    new_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
+    add_password: bool,
+) -> Fido2LuksResult<u8> {
+    let dev = luks::open(&device.canonicalize()?)?;
+    let mut handle = dev.luks1()?;
+    let prev_slot = if add_password {
+        Some(handle.add_keyslot(&secret[..], Some(&secret[..]), None)?)
+    } else {
+        None
+    };
+    let slot = handle.update_keyslot(&new_secret()?[..], &secret[..], prev_slot)?;
+    Ok(slot)
+}
+
 pub fn authenticator_connected() -> Fido2LuksResult<bool> {
     Ok(!device::get_devices()?.is_empty())
 }
@@ -128,6 +136,24 @@ pub enum Command {
         /// Will wipe all other keys
         #[structopt(short = "e", long = "exclusive")]
         exclusive: bool,
+        /// Use a keyfile instead of a password
+        #[structopt(short = "d", long = "keyfile")]
+        keyfile: Option<PathBuf>,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+
+    /// Replace a previously added key with a password
+    #[structopt(name = "replace-key")]
+    ReplaceKey {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Add the password and keep the key
+        #[structopt(short = "a", long = "add-password")]
+        add_password: bool,
+        /// Use a keyfile instead of a password
+        #[structopt(short = "d", long = "keyfile")]
+        keyfile: Option<PathBuf>,
         #[structopt(flatten)]
         secret_gen: SecretGeneration,
     },
@@ -177,10 +203,22 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         Command::AddKey {
             device,
             exclusive,
+            keyfile,
             ref secret_gen,
         } => {
             let secret = secret_gen.patch(&args).obtain_secret()?;
-            let slot = add_key_to_luks(device.clone(), &secret, *exclusive)?;
+            let slot = add_key_to_luks(
+                device.clone(),
+                &secret,
+                if let Some(keyfile) = keyfile.clone() {
+                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                } else {
+                    Box::new(|| {
+                        util::read_password("Old password", true).map(|p| p.as_bytes().to_vec())
+                    })
+                },
+                *exclusive,
+            )?;
             println!(
                 "Added to key to device {}, slot: {}",
                 device.display(),
@@ -188,6 +226,32 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             );
             Ok(())
         }
+        Command::ReplaceKey {
+            device,
+            add_password,
+            keyfile,
+            ref secret_gen,
+        } => {
+            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let slot = add_password_to_luks(
+                device.clone(),
+                &secret,
+                if let Some(keyfile) = keyfile.clone() {
+                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                } else {
+                    Box::new(|| {
+                        util::read_password("Password to add", true).map(|p| p.as_bytes().to_vec())
+                    })
+                },
+                *add_password,
+            )?;
+            println!(
+                "Added to password to device {}, slot: {}",
+                device.display(),
+                slot
+            );
+            Ok(())
+        }
         Command::Open {
             device,
             name,

src/config.rs

@@ -132,23 +132,7 @@ impl PasswordHelper {
         use PasswordHelper::*;
         match self {
             Systemd => unimplemented!(),
-            Stdin => Ok(rpassword::read_password_from_tty(Some("Password: "))
-                .map_err(|e| Fido2LuksError::AskPassError {
-                    cause: AskPassError::IO(e),
-                })
-                .and_then(|pass| {
-                    match rpassword::read_password_from_tty(Some("Password again: ")).map_err(|e| {
-                        Fido2LuksError::AskPassError {
-                            cause: AskPassError::IO(e),
-                        }
-                    }) {
-                        Ok(ref pass2) if &pass == pass2 => Ok(pass),
-                        Ok(_) => Err(Fido2LuksError::AskPassError {
-                            cause: error::AskPassError::Mismatch,
-                        }),
-                        e => e,
-                    }
-                })?),
+            Stdin => Ok(util::read_password("Password", true)?),
             Script(password_helper) => {
                 let mut helper_parts = password_helper.split(" ");
 

src/error.rs

@@ -17,7 +17,7 @@ pub enum Fido2LuksError {
     LuksError { cause: cryptsetup_rs::device::Error },
     #[fail(display = "no authenticator found, please ensure you device is plugged in")]
     IoError { cause: io::Error },
-    #[fail(display = "failed to parse config, please check formatting and contents")]
+    #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
@@ -42,7 +42,12 @@ impl From<FidoError> for Fido2LuksError {
 
 impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
     fn from(e: cryptsetup_rs::device::Error) -> Self {
-        LuksError { cause: e }
+        match e {
+            cryptsetup_rs::device::Error::CryptsetupError(error_no) if error_no.0 == 1i32 => {
+                WrongSecret
+            }
+            e => LuksError { cause: e },
+        }
     }
 }
 

src/main.rs

@@ -7,9 +7,7 @@ use crate::error::*;
 use crypto::digest::Digest;
 use crypto::sha2::Sha256;
 use cryptsetup_rs as luks;
-
 use cryptsetup_rs::Luks1CryptDevice;
-use ctap;
 
 use std::io::{self};
 use std::path::PathBuf;
@@ -18,6 +16,7 @@ mod cli;
 mod config;
 mod device;
 mod error;
+mod util;
 
 fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
     let mut handle = luks::open(device.canonicalize()?)?.luks1()?;

src/util.rs

@@ -0,0 +1,26 @@
+use crate::error::*;
+use std::fs::File;
+use std::io::Read;
+use std::path::PathBuf;
+
+pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
+    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
+        ref pass
+            if verify
+                && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
+                    != pass =>
+        {
+            Err(Fido2LuksError::AskPassError {
+                cause: AskPassError::Mismatch,
+            })?
+        }
+        pass => Ok(pass),
+    }
+}
+
+pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
+    let mut file = File::open(path.into())?;
+    let mut key = Vec::new();
+    file.read_to_end(&mut key)?;
+    Ok(key)
+}