shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:cratesio
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:0.2.2
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

15 Commits
cratesio ... 0.2.2

Author SHA1 Message Date
shimun
659fafdfb4 update to 0.2.2
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-01-10 21:44:33 +01:00
shimun
7f2668eded allow for named credentials 2020-01-10 21:32:39 +01:00
shimunn
ae714cdef3 Merge pull request #6 from mmahut/fixid
All checks were successful
continuous-integration/drone/push Build is passing
Details 
match rp_id to fido2luks
 2020-01-10 19:47:31 +01:00
shimunn
ae802e5e71 Merge pull request #5 from mmahut/env 
use password helper in modified environments
 2020-01-10 19:47:01 +01:00
Marek Mahut
a5f0444d24 match rp_id to fido2luks 2020-01-10 17:13:56 +01:00
Marek Mahut
a307d87d88 use password helper in modified environments 2020-01-10 16:52:22 +01:00
shimun
721dded6d2 WIP: 0.2.2
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Warning: This release cointains changes to way credentials are generated,
which may cause your authenticator to reject the old credential.
 2020-01-09 22:22:54 +01:00
Shimun
e7049a281a Use fido2luks as rp_id instead if default hmac, consider making
All checks were successful
continuous-integration/drone/push Build is passing
Details 
credenials device specific
 2020-01-02 15:35:32 +01:00
shimun
5d1c7beb4d added flag to retry open command
All checks were successful
continuous-integration/drone/push Build is passing
Details
2019-10-12 22:46:54 +02:00
shimun
2bac911b32 assigned exit codes to error cases 2019-10-12 22:46:20 +02:00
shimun
9a8ea993b5 fmt
All checks were successful
continuous-integration/drone/push Build is passing
Details
2019-10-12 13:40:24 +02:00
shimunn
7eb9dcc928 Merge pull request #2 from jannic/add-test-cases
Some checks failed
continuous-integration/drone/push Build is failing
Details 
Add test case for hash calculations
 2019-10-12 13:24:33 +02:00
shimunn
509e300a8f Merge pull request #1 from jannic/port-to-ring 
Use ring for sha256 calculation
 2019-10-12 13:24:18 +02:00
Jan Niehusmann
42945956a6 Add test case for hash calculations 
While replacing the implementation of sha256, I noticed that there
is no test case actually calling the hash calculations.

Added two such test cases. Please note that I didn't verify that the
result is correct, but just took the value the existing implementation
returned. So those tests will only catch future regressions.
 2019-10-11 22:15:21 +00:00
Jan Niehusmann
3cf5ccf2a0 Use ring for sha256 calculation 
According to https://rustsec.org/advisories/RUSTSEC-2016-0005.html,
rust-crypto is unmaintained.

Crates depending on rust-crypto should be ported to other crates.

This port replaces rust-crypto with the sha2 implementation of ring,
as fido2luks already depends on it via ctap_hmac. Note that it uses
an old version of ring, so I used the same version, here.
 2019-10-11 22:06:00 +00:00
9 changed files with 183 additions and 45 deletions
Expand all files Collapse all files

36
Cargo.lock generated
View File

@@ -115,15 +115,25 @@ dependencies = [
"uuid 0.7.4 (registry+https://github.com/rust-lang/crates.io-index)", "uuid 0.7.4 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
[[package]]
name = "csv-core"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]] [[package]]
name = "ctap_hmac" name = "ctap_hmac"
version = "0.1.1" version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [ dependencies = [
"byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
"cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
"csv-core 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
"failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
"failure_derive 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", "failure_derive 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)", "num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)",
"num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)", "num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
"rand 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)", "rand 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -173,15 +183,15 @@ dependencies = [
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.1" version = "0.2.2"
dependencies = [ dependencies = [
"cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)", "cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
"ctap_hmac 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)", "ctap_hmac 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
"failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)", "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
"libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)", "libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
"ring 0.13.5 (registry+https://github.com/rust-lang/crates.io-index)",
"rpassword 4.0.1 (registry+https://github.com/rust-lang/crates.io-index)", "rpassword 4.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
"rust-crypto 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
"structopt 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)", "structopt 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
@@ -208,6 +218,11 @@ name = "hex"
version = "0.3.2" version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "hex"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]] [[package]]
name = "lazy_static" name = "lazy_static"
version = "1.4.0" version = "1.4.0"
@@ -235,6 +250,14 @@ dependencies = [
"cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)", "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
[[package]]
name = "memchr"
version = "2.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]] [[package]]
name = "num-derive" name = "num-derive"
version = "0.2.5" version = "0.2.5"
@@ -619,7 +642,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
"checksum clap 2.33.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9" "checksum clap 2.33.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
"checksum cloudabi 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f" "checksum cloudabi 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f"
"checksum cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8b1eb6abff80fdc7b52c37b3e58f5a4cbda78bffc01ac7b02c1296552a07028a" "checksum cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8b1eb6abff80fdc7b52c37b3e58f5a4cbda78bffc01ac7b02c1296552a07028a"
"checksum ctap_hmac 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "4f91b9400ac9c99e3280065f5bfd6eb7f0a9bb737a7fd166fda4153338e115e3" "checksum csv-core 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "9b5cadb6b25c77aeff80ba701712494213f4a8418fcda2ee11b6560c3ad0bf4c"
"checksum ctap_hmac 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "4d57004228e303ed0d161f081020240d969ce18b623c3f4503645e1a06b42ae7"
"checksum errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)" = "c2a071601ed01b988f896ab14b95e67335d1eeb50190932a1320f7fe3cadc84e" "checksum errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)" = "c2a071601ed01b988f896ab14b95e67335d1eeb50190932a1320f7fe3cadc84e"
"checksum errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "14ca354e36190500e1e1fb267c647932382b54053c50b14970856c0b00a35067" "checksum errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "14ca354e36190500e1e1fb267c647932382b54053c50b14970856c0b00a35067"
"checksum failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "795bd83d3abeb9220f257e597aa0080a508b27533824adf336529648f6abf7e2" "checksum failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "795bd83d3abeb9220f257e597aa0080a508b27533824adf336529648f6abf7e2"
@@ -628,10 +652,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
"checksum gcc 0.3.55 (registry+https://github.com/rust-lang/crates.io-index)" = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2" "checksum gcc 0.3.55 (registry+https://github.com/rust-lang/crates.io-index)" = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
"checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205" "checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
"checksum hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77" "checksum hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
"checksum hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "023b39be39e3a2da62a94feb433e91e8bcd37676fbc8bea371daf52b7a769a3e"
"checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
"checksum libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)" = "34fcd2c08d2f832f376f4173a231990fa5aef4e99fb569867318a227ef4c06ba" "checksum libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)" = "34fcd2c08d2f832f376f4173a231990fa5aef4e99fb569867318a227ef4c06ba"
"checksum libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f8cab37dfc7316ea263a42ffa51b4b75c9022538576350d7a416de697384f596" "checksum libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f8cab37dfc7316ea263a42ffa51b4b75c9022538576350d7a416de697384f596"
"checksum log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)" = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7" "checksum log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)" = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
"checksum memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "88579771288728879b57485cc7d6b07d648c9f0141eb955f8ab7f9d45394468e"
"checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2" "checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
"checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32" "checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"
"checksum pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)" = "72d5370d90f49f70bd033c3d75e87fc529fbfff9d6f7cccef07d6170079d91ea" "checksum pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)" = "72d5370d90f49f70bd033c3d75e87fc529fbfff9d6f7cccef07d6170079d91ea"

6
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.1" version = "0.2.2"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -15,13 +15,13 @@ license-file = "LICENSE"
[dependencies] [dependencies]
#ctap = "0.1.0" #ctap = "0.1.0"
ctap_hmac = "0.1.1" ctap_hmac = "0.2.1"
cryptsetup-rs = "0.2.1" cryptsetup-rs = "0.2.1"
libcryptsetup-sys = "0.1.2" libcryptsetup-sys = "0.1.2"
hex = "0.3.2" hex = "0.3.2"
rust-crypto = "0.2.36" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"

2
README.md
View File

@@ -2,7 +2,7 @@
This will allow you to unlock your luks encrypted disk with an fido2 compatible key This will allow you to unlock your luks encrypted disk with an fido2 compatible key
Note: This has only been tested under Fedora 30 using a Solo Key Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
## Setup ## Setup

34
src/cli.rs
View File

@@ -70,10 +70,6 @@ pub fn add_password_to_luks(
Ok(slot) Ok(slot)
} }
pub fn authenticator_connected() -> Fido2LuksResult<bool> {
Ok(!device::get_devices()?.is_empty())
}
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct Args { pub struct Args {
/// Request passwords via Stdin instead of using the password helper /// Request passwords via Stdin instead of using the password helper
@@ -105,7 +101,7 @@ pub struct SecretGeneration {
#[structopt( #[structopt(
name = "password-helper", name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER", env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'" default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)] )]
pub password_helper: PasswordHelper, pub password_helper: PasswordHelper,
} }
@@ -174,12 +170,18 @@ pub enum Command {
device: PathBuf, device: PathBuf,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")] #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String, name: String,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, secret_gen: SecretGeneration,
}, },
/// Generate a new FIDO credential /// Generate a new FIDO credential
#[structopt(name = "credential")] #[structopt(name = "credential")]
Credential, Credential {
/// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>,
},
/// Check if an authenticator is connected /// Check if an authenticator is connected
#[structopt(name = "connected")] #[structopt(name = "connected")]
Connected, Connected,
@@ -193,8 +195,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout(); let mut stdout = io::stdout();
let args = parse_cmdline(); let args = parse_cmdline();
match &args.command { match &args.command {
Command::Credential => { Command::Credential { name } => {
let cred = make_credential_id()?; let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
@@ -265,10 +267,24 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Command::Open { Command::Open {
device, device,
name, name,
retries,
ref secret_gen, ref secret_gen,
} => { } => {
let mut retries = *retries;
loop {
let secret = secret_gen.patch(&args).obtain_secret()?; let secret = secret_gen.patch(&args).obtain_secret()?;
open_container(&device, &name, &secret) match open_container(&device, &name, &secret) {
Err(e) => match e {
Fido2LuksError::WrongSecret if retries > 0 => {
retries -= 1;
eprintln!("{}", e);
continue;
}
e => Err(e)?,
},
res => break res,
}
}
} }
Command::Connected => match get_devices() { Command::Connected => match get_devices() {
Ok(ref devs) if !devs.is_empty() => { Ok(ref devs) if !devs.is_empty() => {

28
src/config.rs
View File

@@ -1,7 +1,6 @@
use crate::error::*; use crate::error::*;
use crate::*; use crate::*;
use crypto::digest::Digest; use ring::digest;
use crypto::sha2::Sha256;
use std::fmt; use std::fmt;
use std::fs::File; use std::fs::File;
@@ -57,7 +56,7 @@ impl fmt::Display for InputSalt {
impl InputSalt { impl InputSalt {
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> { pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
let mut digest = Sha256::new(); let mut digest = digest::Context::new(&digest::SHA256);
match self { match self {
InputSalt::File { path } => { InputSalt::File { path } => {
let mut do_io = || { let mut do_io = || {
@@ -65,7 +64,7 @@ impl InputSalt {
let mut buf = [0u8; 512]; let mut buf = [0u8; 512];
loop { loop {
let red = reader.read(&mut buf)?; let red = reader.read(&mut buf)?;
digest.input(&buf[0..red]); digest.update(&buf[0..red]);
if red == 0 { if red == 0 {
break; break;
} }
@@ -75,12 +74,12 @@ impl InputSalt {
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?; do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
} }
InputSalt::AskPassword => { InputSalt::AskPassword => {
digest.input(password_helper.obtain()?.as_bytes()); digest.update(password_helper.obtain()?.as_bytes());
} }
InputSalt::String(s) => digest.input(s.as_bytes()), InputSalt::String(s) => digest.update(s.as_bytes()),
} }
let mut salt = [0u8; 32]; let mut salt = [0u8; 32];
digest.result(&mut salt); salt.as_mut().copy_from_slice(digest.finish().as_ref());
Ok(salt) Ok(salt)
} }
} }
@@ -95,7 +94,7 @@ pub enum PasswordHelper {
impl Default for PasswordHelper { impl Default for PasswordHelper {
fn default() -> Self { fn default() -> Self {
PasswordHelper::Script( PasswordHelper::Script(
"/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'" "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
.into(), .into(),
) )
} }
@@ -170,4 +169,17 @@ mod test {
assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword); assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default()); assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
} }
#[test]
fn input_salt_obtain() {
assert_eq!(
InputSalt::String("abc".into())
.obtain(&PasswordHelper::Stdin)
.unwrap(),
[
186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
163, 150, 23, 122, 156, 180, 16, 255, 97, 242, 0, 21, 173
]
)
}
} }

56
src/device.rs
View File

@@ -1,16 +1,56 @@
use crate::error::*; use crate::error::*;
use crate::util::sha256;
use ctap; use ctap::{
use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension}; self,
use ctap::{FidoDevice, FidoError, FidoErrorKind}; extensions::hmac::{FidoHmacCredential, HmacExtension},
AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
PublicKeyCredentialUserEntity,
};
pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> { const RP_ID: &'static str = "fido2luks";
fn authenticator_options() -> Option<AuthenticatorOptions> {
Some(AuthenticatorOptions {
uv: false, //TODO: should get this from config
rk: true,
})
}
fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
PublicKeyCredentialRpEntity {
id: RP_ID,
name: None,
icon: None,
}
}
fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
PublicKeyCredentialUserEntity {
id: &[0u8],
name: name.unwrap_or(""),
icon: None,
display_name: name,
}
}
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
let mut errs = Vec::new(); let mut errs = Vec::new();
match get_devices()? { match get_devices()? {
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?, ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
devs => { devs => {
for mut dev in devs.into_iter() { for mut dev in devs.into_iter() {
match dev.make_hmac_credential() { match dev
.make_hmac_credential_full(
authenticator_rp(),
authenticator_user(name),
&[0u8; 32],
&[],
authenticator_options(),
)
.map(|cred| cred.into())
{
//TODO: make credentials device specific
Ok(cred) => { Ok(cred) => {
return Ok(cred); return Ok(cred);
} }
@@ -27,16 +67,16 @@ pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> { pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
let cred = FidoHmacCredential { let cred = FidoHmacCredential {
id: hex::decode(credential_id).unwrap(), id: hex::decode(credential_id).unwrap(),
rp_id: "hmac".to_string(), rp_id: RP_ID.to_string(),
}; };
let mut errs = Vec::new(); let mut errs = Vec::new();
match get_devices()? { match get_devices()? {
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?, ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
devs => { devs => {
for mut dev in devs.into_iter() { for mut dev in devs.into_iter() {
match dev.hmac_challange(&cred, &salt[..]) { match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
Ok(secret) => { Ok(secret) => {
return Ok(secret); return Ok(secret.0);
} }
Err(e) => { Err(e) => {
errs.push(e); errs.push(e);

13
src/error.rs
View File

@@ -23,6 +23,19 @@ pub enum Fido2LuksError {
StringEncodingError { cause: FromUtf8Error }, StringEncodingError { cause: FromUtf8Error },
} }
impl Fido2LuksError {
pub fn exit_code(&self) -> i32 {
use Fido2LuksError::*;
match self {
AskPassError { .. } | KeyfileError { .. } => 2,
AuthenticatorError { .. } => 3,
NoAuthenticatorError => 4,
WrongSecret => 5,
_ => 1,
}
}
}
#[derive(Debug, Fail)] #[derive(Debug, Fail)]
pub enum AskPassError { pub enum AskPassError {
#[fail(display = "unable to retrieve password: {}", _0)] #[fail(display = "unable to retrieve password: {}", _0)]

40
src/main.rs
View File

@@ -5,13 +5,12 @@ use crate::cli::*;
use crate::config::*; use crate::config::*;
use crate::device::*; use crate::device::*;
use crate::error::*; use crate::error::*;
use crypto::digest::Digest;
use crypto::sha2::Sha256;
use cryptsetup_rs as luks; use cryptsetup_rs as luks;
use cryptsetup_rs::Luks1CryptDevice; use cryptsetup_rs::Luks1CryptDevice;
use std::io::{self}; use std::io;
use std::path::PathBuf; use std::path::PathBuf;
use std::process::exit;
mod cli; mod cli;
mod config; mod config;
@@ -26,14 +25,35 @@ fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksR
} }
fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] { fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
let mut digest = Sha256::new(); util::sha256(&[salt, hmac_result])
digest.input(salt);
digest.input(hmac_result);
let mut secret = [0u8; 32];
digest.result(&mut secret);
secret
} }
fn main() -> Fido2LuksResult<()> { fn main() -> Fido2LuksResult<()> {
run_cli() match run_cli() {
Err(e) => {
#[cfg(debug_assertions)]
eprintln!("{:?}", e);
#[cfg(not(debug_assertions))]
eprintln!("{}", e);
exit(e.exit_code())
}
_ => exit(0),
}
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_assemble_secret() {
assert_eq!(
assemble_secret(b"abc", b"def"),
[
46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
]
)
}
} }

11
src/util.rs
View File

@@ -1,8 +1,19 @@
use crate::error::*; use crate::error::*;
use ring::digest;
use std::fs::File; use std::fs::File;
use std::io::Read; use std::io::Read;
use std::path::PathBuf; use std::path::PathBuf;
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256);
for m in messages.iter() {
digest.update(m);
}
let mut secret = [0u8; 32];
secret.as_mut().copy_from_slice(digest.finish().as_ref());
secret
}
pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> { pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? { match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
ref pass ref pass