shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:isalt
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
...
compare: shimun:0.2.13
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

86 Commits
isalt ... 0.2.13

Author SHA1 Message Date
shimun
03ef5721e0 bump version
All checks were successful
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2020-09-03 14:56:36 +02:00
shimun
008e644024 auto detect current version 2020-09-03 14:56:22 +02:00
shimun
e1f762ddc9 add subcommand to generate bash completions
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-09-03 14:45:52 +02:00
Saravanan Palanisamy
2266754a95 create PKGBUILD file for archlinux package (#17)
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details 
* create PKGBUILD file

* use build & install method

* add package dependencies
 2020-09-02 14:14:40 +02:00
shimun
8811cff6d1 0.2.12
All checks were successful
continuous-integration/drone/tag Build is passing
Details
2020-08-31 00:04:24 +02:00
shimun
99787b614c Merge branch 'pin_source' into master
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-31 00:00:42 +02:00
shimun
ee28f87148 always print the full error message
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-08-30 17:09:57 +02:00
shimun
196356fe3b structopt does not allow for flags to be linked to env atm 2020-08-25 21:47:25 +02:00
shimun
3ff7e698bd add flag to read pin from alternate source
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-25 21:26:30 +02:00
shimun
04d0d60fb3 use ubuntu as base image
Some checks reported errors
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build was killed
Details
2020-08-16 15:30:20 +02:00
shimun
e64f777c54 use sh to run password helper 2020-08-16 13:42:54 +02:00
shimun
8465949b44 spell promPt correctly 2020-08-16 13:42:35 +02:00
shimunn
06bed03e7b Merge pull request #13 from Andrew-Finn/master 
Added documentation and tweaked readme
 2020-08-14 12:40:02 +02:00
Andrew-Finn
36f82e7c3a Added and edited documentation 2020-08-14 11:36:25 +01:00
shimun
cd90564f60 protect fido2luks.conf from being overwritten
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details
2020-08-11 23:08:12 +02:00
shimun
0f6d79a7e4 get plymouth to display a message
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-08-11 22:41:21 +02:00
shimun
4136b1bfad relicense to MPL
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-27 09:22:02 +02:00
shimun
81016a1a42 require MPL for new contributions
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-26 21:11:03 +02:00
shimun
840868468b cargo-deb meta
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-04 21:32:21 +02:00
shimun
97880e4f41 refuse removal while crypttab depends on keyscript
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 16:21:35 +02:00
shimun
e798ba5c70 remove keyscript aswell
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 15:59:12 +02:00
shimun
298e05fed7 initramfs-tools
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 15:55:23 +02:00
shimun
a498e1416f automate cargo publish
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-06-23 23:55:07 +02:00
shimun
92e413de50 refactored luks operations
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-06-22 20:47:19 +00:00
shimun
023399bb14 use unstable cryptsetup
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-22 18:17:10 +02:00
shimun
a53a430c23 update drone
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-21 22:16:45 +02:00
shimun
5f107cd337 add non existing token
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-19 20:09:36 +02:00
shimun
ddfd24a098 ensure replace_key uses the same slot 2020-06-19 20:05:05 +02:00
shimun
743edf668a document --token 2020-06-13 14:35:46 +02:00
shimun
4507107fac update libcryptsetup-rs 2020-06-10 13:50:28 +02:00
shimun
a8482c50a2 handle tokens when replacing 2020-06-08 19:22:19 +02:00
shimun
09be5ef551 assemble secret in correct order 2020-06-08 18:08:24 +02:00
shimun
6f6c84ddba skip luks2 check until underlying issue is fixed 2020-06-07 14:14:51 +02:00
shimun
5a05cad695 more precise description 2020-06-06 23:39:23 +02:00
shimun
d8d24b40f5 Merge branch 'cli_reorg' 2020-06-06 23:37:22 +02:00
shimun
c1a82b9ae6 update libcryptsetup_rs to 0.4.0 2020-06-06 22:43:18 +02:00
shimun
a26b79bcd6 reduced redundant code 2020-05-05 23:53:50 +02:00
shimun
f774580c9c update to current api 2020-05-05 23:28:44 +02:00
shimun
69732a1ad6 restore order 2020-04-29 20:33:28 +02:00
shimun
b8ae9d91f0 rudimentary pin support 2020-04-29 19:56:18 +02:00
shimun
fcdd2a2d3d add option to specify keyslot 2020-04-29 18:55:25 +02:00
shimun
c3d6425e2d reorganised cli 2020-04-29 18:50:55 +02:00
shimun
0b19760175 hint slots 2020-04-28 19:09:53 +02:00
shimun
2ec8679c47 open token 2020-04-28 14:27:14 +02:00
shimun
65e1dead8b remove token 2020-04-27 22:07:00 +02:00
shimun
478fb5e036 store luks token 2020-04-27 19:26:21 +02:00
shimun
1547f5e199 get format 2020-04-27 18:12:06 +02:00
shimun
5c0364587e update ctap 2020-04-26 18:58:37 +02:00
shimun
9307503bdc applied clippy lints 2020-04-07 20:06:24 +02:00
shimun
b94f45d1ff patch secret_gen before obtaing first secret 2020-04-06 23:33:41 +02:00
shimun
c8fb636846 mention clang build dependency 2020-04-06 22:52:15 +02:00
shimun
49e2835f60 enable fido requests to be sent to multiple devices at once 2020-04-06 21:38:11 +02:00
shimun
d5c0d48f03 allow another fido device to be used as previous secret 2020-04-06 20:18:00 +02:00
shimun
ad2451f548 add timeout 2020-04-05 23:24:18 +02:00
shimun
bb7ee7c1ce request password only once if possible 2020-04-03 22:02:05 +02:00
shimun
0ba77963d2 update ctap_hmac 2020-04-02 17:22:15 +02:00
shimun
1658800553 request_multiple 2020-04-01 20:24:49 +02:00
shimun
a394b7d1d1 libcryptsetup-rs patch 2020-03-28 14:54:36 +01:00
shimun
c99d7f562d support luks2 2020-03-27 20:08:54 +01:00
shimun
c4f781e6e3 only process keyslots within a given range 2020-03-27 20:03:42 +01:00
shimun
f6de4a033e more detailed messages 2020-03-27 18:28:33 +01:00
shimun
f5880346b9 switch to libcryptsetup-rs 2020-03-27 18:09:38 +01:00
shimun
6089b254b4 switch to libcryptsetup-rs for luks2 support 2020-03-22 17:39:44 +01:00
shimun
03e34ec790 0.2.3
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-01-20 22:43:06 +01:00
shimun
a437106fcb use await-dev per default
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-01-16 19:41:59 +01:00
shimun
7ed948d53b update & tidy readme
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-01-15 16:46:15 +01:00
shimun
c4e08413c0 Added --await-dev flag
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-01-13 23:23:45 +01:00
shimunn
7429706920 Merge pull request #7 from mmahut/patch-1
All checks were successful
continuous-integration/drone/push Build is passing
Details 
error.rs: typo
 2020-01-13 21:54:09 +01:00
Marek Mahut
a5fd5fa9f6 error.rs: typo 2020-01-13 17:44:51 +01:00
shimun
659fafdfb4 update to 0.2.2
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-01-10 21:44:33 +01:00
shimun
7f2668eded allow for named credentials 2020-01-10 21:32:39 +01:00
shimunn
ae714cdef3 Merge pull request #6 from mmahut/fixid
All checks were successful
continuous-integration/drone/push Build is passing
Details 
match rp_id to fido2luks
 2020-01-10 19:47:31 +01:00
shimunn
ae802e5e71 Merge pull request #5 from mmahut/env 
use password helper in modified environments
 2020-01-10 19:47:01 +01:00
Marek Mahut
a5f0444d24 match rp_id to fido2luks 2020-01-10 17:13:56 +01:00
Marek Mahut
a307d87d88 use password helper in modified environments 2020-01-10 16:52:22 +01:00
shimun
721dded6d2 WIP: 0.2.2
All checks were successful
continuous-integration/drone/push Build is passing
Details 
Warning: This release cointains changes to way credentials are generated,
which may cause your authenticator to reject the old credential.
 2020-01-09 22:22:54 +01:00
Shimun
e7049a281a Use fido2luks as rp_id instead if default hmac, consider making
All checks were successful
continuous-integration/drone/push Build is passing
Details 
credenials device specific
 2020-01-02 15:35:32 +01:00
shimun
5d1c7beb4d added flag to retry open command
All checks were successful
continuous-integration/drone/push Build is passing
Details
2019-10-12 22:46:54 +02:00
shimun
2bac911b32 assigned exit codes to error cases 2019-10-12 22:46:20 +02:00
shimun
9a8ea993b5 fmt
All checks were successful
continuous-integration/drone/push Build is passing
Details
2019-10-12 13:40:24 +02:00
shimunn
7eb9dcc928 Merge pull request #2 from jannic/add-test-cases
Some checks failed
continuous-integration/drone/push Build is failing
Details 
Add test case for hash calculations
 2019-10-12 13:24:33 +02:00
shimunn
509e300a8f Merge pull request #1 from jannic/port-to-ring 
Use ring for sha256 calculation
 2019-10-12 13:24:18 +02:00
Jan Niehusmann
42945956a6 Add test case for hash calculations 
While replacing the implementation of sha256, I noticed that there
is no test case actually calling the hash calculations.

Added two such test cases. Please note that I didn't verify that the
result is correct, but just took the value the existing implementation
returned. So those tests will only catch future regressions.
 2019-10-11 22:15:21 +00:00
Jan Niehusmann
3cf5ccf2a0 Use ring for sha256 calculation 
According to https://rustsec.org/advisories/RUSTSEC-2016-0005.html,
rust-crypto is unmaintained.

Crates depending on rust-crypto should be ported to other crates.

This port replaces rust-crypto with the sha2 implementation of ring,
as fido2luks already depends on it via ctap_hmac. Note that it uses
an old version of ring, so I used the same version, here.
 2019-10-11 22:06:00 +00:00
shimun
79e9a37806 use cratesio deps only
All checks were successful
continuous-integration/drone/push Build is passing
Details
2019-10-10 13:41:02 +02:00
shimun
d16118e695 Readme
All checks were successful
continuous-integration/drone/push Build is passing
Details
2019-10-08 15:13:15 +02:00
20 changed files with 2788 additions and 1257 deletions
Expand all files Collapse all files

37
.drone.yml
View File

@@ -3,32 +3,27 @@ name: default
steps: steps:
- name: fmt - name: fmt
image: rust:1.37.0 image: rust:1.43.0
commands: commands:
- rustup component add rustfmt - rustup component add rustfmt
- cargo fmt --all -- --check - cargo fmt --all -- --check
- name: test - name: test
image: rust:1.37.0 image: ubuntu:focal
environment:
DEBIAN_FRONTEND: noninteractive
commands: commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo test - cargo test --locked
- name: build
image: rust:1.37.0
commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev
- cargo install -f --path . --root .
when:
event: tag
- name: publish - name: publish
image: plugins/github-release image: ubuntu:focal
settings: environment:
api_key: DEBIAN_FRONTEND: noninteractive
from_secret: github_release CARGO_REGISTRY_TOKEN:
files: from_secret: cargo_tkn
- bin/fido2luks commands:
checksum: - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- md5 - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- sha256 - cargo package --all-features
- cargo publish --all-features
when: when:
event: tag event: tag

1023
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

35
Cargo.toml
View File

@@ -1,20 +1,29 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.0" version = "0.2.13"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
[dependencies] description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
ctap = { git = "https://github.com/shimunn/ctap.git", branch = "hmac_ext" } documentation = "https://github.com/shimunn/fido2luks/blob/master/README.md"
#cryptsetup-rs = "0.2.0" homepage = "https://github.com/shimunn/fido2luks"
cryptsetup-rs = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "update_keyslot" } repository = "https://github.com/shimunn/fido2luks"
libcryptsetup-sys = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "update_keyslot" } readme = "README.md"
keywords = ["luks", "fido2", "u2f"]
categories = ["command-line-utilities"]
license = "MPL-2.0"
[dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
rust-crypto = "0.2.36" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = "0.4.1"
serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
[profile.release] [profile.release]
lto = true lto = true
@@ -22,3 +31,15 @@ opt-level = 'z'
panic = 'abort' panic = 'abort'
incremental = false incremental = false
overflow-checks = false overflow-checks = false
[package.metadata.deb]
depends = "$auto, cryptsetup"
build-depends = "libclang-dev, libcryptsetup-dev"
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
assets = [
["target/release/fido2luks", "usr/bin/", "755"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"],
]
conf-files = ["/etc/fido2luks.conf"]

1047
LICENSE
View File

File diff suppressed because it is too large Load Diff

26
PKGBUILD Normal file
View File

@@ -0,0 +1,26 @@
# Maintainer: shimunn <shimun@shimun.net>
pkgname=fido2luks
pkgver=0.2.12
pkgrel=1
makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
depends=('cryptsetup')
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
url="https://github.com/shimunn/fido2luks"
license=('MPL-2.0')
pkgver() {
# Use tag version if possible otherwise concat project version and git ref
git describe --exact-match --tags HEAD 2> /dev/null || \
echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
}
build() {
cargo build --release --locked --all-features --target-dir=target
./target/release/fido2luks completions bash target
}
package() {
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
install -Dm 644 target/fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
}

81
README.md
View File

@@ -1,15 +1,15 @@
# fido2luks # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your luks encrypted disk with an fido2 compatible key This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 30 using a Solo Key Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Setup ## Setup
### Prerequisites ### Prerequisites
``` ```
dnf install cargo cryptsetup-devel -y dnf install clang cargo cryptsetup-devel -y
``` ```
### Device ### Device
@@ -17,18 +17,24 @@ dnf install cargo cryptsetup-devel -y
``` ```
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
#Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/ # Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path . sudo -E cargo install -f --path . --root /usr
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf # Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
# Load config into env
set -a set -a
. dracut/96luks-2fa/fido2luks.conf . /etc/fido2luks.conf
#Repeat for each luks volume # Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID> sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
#Test(only works if the luks container isn't active) # Test(only works if the luks container isn't active)
sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID> sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
``` ```
@@ -45,13 +51,13 @@ sudo make install
Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key` Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
``` ```
grub2-mkconfig > /boot/grub2/grub.cfg grub2-mkconfig > /boot/grub2/grub.cfg
``` ```
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
``` ```
mkdir /boot/fido2luks/ mkdir /boot/fido2luks/
@@ -59,17 +65,44 @@ cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/ cp /etc/fido2luks.conf /boot/fido2luks/
``` ```
## Test ## Testing
Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header: Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
``` ```
#Recommend in case you lose your authenticator, store this backupfile somewhere safe # Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID> cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
#There is no turning back if you mess this up, make sure you made a backup # There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
# which will enable you to use `fido2luks open-token` without passing a credential as parameter
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID> fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
``` ```
## Addtional settings
### Password less
Remove your previous secret as described in the next section, in case you've already added one.
Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
but be warned that this password will be included to into your initramfs.
Import the new config into env:
```
set -a
. /etc/fido2luks.conf
```
Then add the new secret to each device and update dracut afterwards `dracut -f`
### Multiple keys
Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
```
FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
```
## Removal ## Removal
Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
@@ -79,5 +112,19 @@ set -a
. fido2luks.conf . fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID> sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
``` ```
## License
Licensed under
* Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the MPL 2.0
license, shall be licensed as above, without any additional terms or
conditions.

15
dracut/96luks-2fa/luks-2fa-generator.sh
View File

@@ -9,7 +9,7 @@ MOUNT=$(command -v mount)
UMOUNT=$(command -v umount) UMOUNT=$(command -v umount)
TIMEOUT=120 TIMEOUT=120
CON_MSG="Please connect your authenicator" CON_MSG="Please connect your authenticator"
generate_service () { generate_service () {
local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR} local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
@@ -19,6 +19,10 @@ generate_service () {
local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service" local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service"
local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service" local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service"
local fido2luks_args="--bin"
if [ ! -z "$timeout" ]; then
fido2luks_args="$fido2luks_args --await-dev ${timeout}"
fi
{ {
printf -- "[Unit]" printf -- "[Unit]"
printf -- "\nDescription=%s" "2fa for luks" printf -- "\nDescription=%s" "2fa for luks"
@@ -27,18 +31,15 @@ generate_service () {
printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service" printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
printf -- "\nConflicts=umount.target" printf -- "\nConflicts=umount.target"
printf -- "\nDefaultDependencies=no" printf -- "\nDefaultDependencies=no"
printf -- "\nJobTimeoutSec=%s" "$timeout" [ ! -z "$timeout" ] && printf -- "\nJobTimeoutSec=%s" "$timeout"
printf -- "\n\n[Service]" printf -- "\n\n[Service]"
printf -- "\nType=oneshot" printf -- "\nType=oneshot"
printf -- "\nRemainAfterExit=yes" printf -- "\nRemainAfterExit=yes"
printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf" printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id" [ ! -z "$credential_id" ] && printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
printf -- "\nKeyringMode=%s" "shared" printf -- "\nKeyringMode=%s" "shared"
printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\"" printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\"" printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret $fido2luks_args | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid" printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
} > "$sd_service" } > "$sd_service"

11
initramfs-tools/Makefile Normal file
View File

@@ -0,0 +1,11 @@
.PHONY: install
install:
chmod +x hook/fido2luks.sh keyscript.sh
cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
mkdir -p /usr/share/fido2luks
cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u
remove:
sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u

34
initramfs-tools/README.md Normal file
View File

@@ -0,0 +1,34 @@
## Initramfs-tools based systems(Ubuntu and derivatives)
For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
```
sudo -s
# Insert FIDO key.
fido2luks credential
# Tap FIDO key
# Copy returned string <CREDENTIAL>
nano /etc/fido2luks.conf
# Insert <CREDENTIAL>
# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL>
set -a
. /etc/fido2luks.conf
fido2luks -i add-key /dev/<LUKS PARTITION>
# Current password: <Any current LUKS password>
# Password: <Password used as FIDO challange>
# Tap FIDO key
nano /etc/crypttab
# Append to end ",discard,initramfs,keyscript=fido2luks"
# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
update-initramfs -u
```
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

3
initramfs-tools/fido2luks.conf Normal file
View File

@@ -0,0 +1,3 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=

14
initramfs-tools/hook/fido2luks.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
case "$1" in
prereqs)
echo ""
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
copy_exec /usr/bin/fido2luks
exit 0

10
initramfs-tools/keyscript.sh Executable file
View File

@@ -0,0 +1,10 @@
#!/bin/sh
set -a
. /etc/fido2luks.conf
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
fi
fido2luks print-secret --bin

332
initramfs-tools/setup.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 550 KiB

769
src/cli.rs
View File

@@ -1,97 +1,134 @@
use crate::error::*; use crate::error::*;
use crate::*; use crate::*;
use cryptsetup_rs as luks; use structopt::clap::{AppSettings, Shell};
use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
use libcryptsetup_sys::crypt_keyslot_info;
use structopt::StructOpt; use structopt::StructOpt;
use std::io::Write; use ctap::{FidoCredential, FidoErrorKind};
use failure::_core::fmt::{Display, Error, Formatter};
use failure::_core::str::FromStr;
use failure::_core::time::Duration;
use std::io::{Read, Write};
use std::process::exit; use std::process::exit;
use std::thread;
pub fn add_key_to_luks( use crate::luks::{Fido2LuksToken, LuksDevice};
device: PathBuf, use crate::util::sha256;
secret: &[u8; 32], use std::borrow::Cow;
old_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>, use std::collections::HashSet;
exclusive: bool, use std::fs::File;
) -> Fido2LuksResult<u8> { use std::time::SystemTime;
fn offer_format(
_dev: CryptDeviceOpenBuilder,
) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
unimplemented!()
}
let dev =
|| -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
let prev_key = old_secret()?; #[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>);
let mut handle = match dev()?.luks1() { impl Display for HexEncoded {
Ok(handle) => handle, fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?, f.write_str(&hex::encode(&self.0))
Err(luks::device::Error::CryptsetupError(errno)) => {
//if i32::from(errno) == 555
dbg!(errno);
offer_format(dev()?)?
} //TODO: find correct errorno and offer to format as luks
err => err?,
};
handle.set_iteration_time(50);
let slot = handle.add_keyslot(secret, Some(prev_key.as_slice()), None)?;
if exclusive {
for old_slot in 0..8u8 {
if old_slot != slot
&& (handle.keyslot_status(old_slot.into()) == crypt_keyslot_info::CRYPT_SLOT_ACTIVE
|| handle.keyslot_status(old_slot.into())
== crypt_keyslot_info::CRYPT_SLOT_ACTIVE_LAST)
{
handle.destroy_keyslot(old_slot)?;
} }
}
}
Ok(slot)
} }
pub fn add_password_to_luks( impl AsRef<[u8]> for HexEncoded {
device: PathBuf, fn as_ref(&self) -> &[u8] {
secret: &[u8; 32], &self.0[..]
new_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>, }
add_password: bool,
) -> Fido2LuksResult<u8> {
let dev = luks::open(&device.canonicalize()?)?;
let mut handle = dev.luks1()?;
let prev_slot = if add_password {
Some(handle.add_keyslot(&secret[..], Some(&secret[..]), None)?)
} else {
None
};
let slot = handle.update_keyslot(&new_secret()?[..], &secret[..], prev_slot)?;
Ok(slot)
} }
pub fn authenticator_connected() -> Fido2LuksResult<bool> { impl FromStr for HexEncoded {
Ok(!device::get_devices()?.is_empty()) type Err = hex::FromHexError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(HexEncoded(hex::decode(s)?))
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
impl<T: Display + FromStr> Display for CommaSeparated<T> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
for i in &self.0 {
f.write_str(&i.to_string())?;
f.write_str(",")?;
}
Ok(())
}
}
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
type Err = <T as FromStr>::Err;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(CommaSeparated(
s.split(',')
.map(|part| <T as FromStr>::from_str(part))
.collect::<Result<Vec<_>, _>>()?,
))
}
} }
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct Args { pub struct Credentials {
/// Request passwords via Stdin instead of using the password helper /// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(short = "i", long = "interactive")] #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub interactive: bool, pub ids: CommaSeparated<HexEncoded>,
#[structopt(subcommand)] }
pub command: Command,
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Location to read PIN from
#[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
pub pin_source: Option<PathBuf>,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
impl AuthenticatorParameters {
fn read_pin(&self) -> Fido2LuksResult<String> {
if let Some(src) = self.pin_source.as_ref() {
let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?;
Ok(pin)
} else {
util::read_password("Authenticator PIN", false)
}
}
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: Option<u32>,
} }
#[derive(Debug, StructOpt, Clone)] #[derive(Debug, StructOpt, Clone)]
pub struct SecretGeneration { pub struct LuksModParameters {
/// FIDO credential id, generate using fido2luks credential /// Number of milliseconds required to derive the volume decryption key
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")] /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
pub credential_id: String, #[structopt(long = "kdf-time", name = "kdf-time")]
kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask' /// Salt for secret generation, defaults to 'ask'
/// ///
/// Options:{n} /// Options:{n}
/// - ask : Promt user using password helper{n} /// - ask : Prompt user using password helper{n}
/// - file:<PATH> : Will read <FILE>{n} /// - file:<PATH> : Will read <FILE>{n}
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n} /// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
#[structopt( #[structopt(
@@ -105,27 +142,65 @@ pub struct SecretGeneration {
#[structopt( #[structopt(
name = "password-helper", name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER", env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'" default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)] )]
pub password_helper: PasswordHelper, pub password_helper: PasswordHelper,
} }
impl SecretGeneration { fn derive_secret(
pub fn patch(&self, args: &Args) -> Self { credentials: &[HexEncoded],
let mut me = self.clone(); salt: &[u8; 32],
if args.interactive { timeout: u64,
me.password_helper = PasswordHelper::Stdin; pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
let timeout = Duration::from_secs(timeout);
let start = SystemTime::now();
while let Ok(el) = start.elapsed() {
if el > timeout {
return Err(error::Fido2LuksError::NoAuthenticatorError);
} }
me if get_devices()
.map(|devices| !devices.is_empty())
.unwrap_or(false)
{
break;
}
thread::sleep(Duration::from_millis(500));
} }
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> { let credentials = credentials
let salt = self.salt.obtain(&self.password_helper)?; .iter()
Ok(assemble_secret( .map(|hex| FidoCredential {
&perform_challenge(&self.credential_id, &salt)?, id: hex.0.clone(),
&salt, public_key: None,
)) })
} .collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>();
let (unsalted, cred) =
perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
}
#[derive(Debug, StructOpt, Clone)]
pub struct OtherSecret {
/// Use a keyfile instead of a password
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
fido_device: bool,
} }
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
@@ -136,53 +211,145 @@ pub enum Command {
#[structopt(short = "b", long = "bin")] #[structopt(short = "b", long = "bin")]
binary: bool, binary: bool,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
}, },
/// Adds a generated key to the specified LUKS device /// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")] #[structopt(name = "add-key")]
AddKey { AddKey {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys /// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")] #[structopt(short = "e", long = "exclusive")]
exclusive: bool, exclusive: bool,
/// Use a keyfile instead of a password /// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "d", long = "keyfile")] #[structopt(short = "t", long = "token")]
keyfile: Option<PathBuf>, token: bool,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, existing_secret: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
}, },
/// Replace a previously added key with a password /// Replace a previously added key with a password
#[structopt(name = "replace-key")] #[structopt(name = "replace-key")]
ReplaceKey { ReplaceKey {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key /// Add the password and keep the key
#[structopt(short = "a", long = "add-password")] #[structopt(short = "a", long = "add-password")]
add_password: bool, add_password: bool,
/// Use a keyfile instead of a password /// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "d", long = "keyfile")] #[structopt(short = "t", long = "token")]
keyfile: Option<PathBuf>, token: bool,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
}, },
/// Open the LUKS device /// Open the LUKS device
#[structopt(name = "open")] #[structopt(name = "open")]
Open { Open {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")] #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String, name: String,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
}, },
/// Generate a new FIDO credential /// Generate a new FIDO credential
#[structopt(name = "credential")] #[structopt(name = "credential")]
Credential, Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>,
},
/// Check if an authenticator is connected /// Check if an authenticator is connected
#[structopt(name = "connected")] #[structopt(name = "connected")]
Connected, Connected,
Token(TokenCommand),
/// Generate bash completion scripts
#[structopt(name = "completions", setting = AppSettings::Hidden)]
GenerateCompletions {
/// Shell to generate completions for: bash, fish
#[structopt(possible_values = &["bash", "fish"])]
shell: String,
out_dir: PathBuf,
},
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
} }
pub fn parse_cmdline() -> Args { pub fn parse_cmdline() -> Args {
@@ -192,83 +359,249 @@ pub fn parse_cmdline() -> Args {
pub fn run_cli() -> Fido2LuksResult<()> { pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout(); let mut stdout = io::stdout();
let args = parse_cmdline(); let args = parse_cmdline();
let interactive = args.interactive;
match &args.command { match &args.command {
Command::Credential => { Command::Credential {
let cred = make_credential_id()?; authenticator,
name,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = authenticator.read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
Command::PrintSecret { Command::PrintSecret {
binary, binary,
ref secret_gen, authenticator,
credentials,
secret,
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let pin_string;
if *binary { let pin = if authenticator.pin {
stdout.write(&secret[..])?; pin_string = authenticator.read_pin()?;
Some(pin_string.as_ref())
} else { } else {
stdout.write(hex::encode(&secret[..]).as_bytes())?; None
};
let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed("Password", false)
} else {
secret.salt.obtain(&secret.password_helper)
}?;
let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(),
&salt,
authenticator.await_time,
pin,
)?;
if *binary {
stdout.write_all(&secret[..])?;
} else {
stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
} }
Ok(stdout.flush()?) Ok(stdout.flush()?)
} }
Command::AddKey { Command::AddKey {
device, luks,
exclusive, authenticator,
keyfile, credentials,
ref secret_gen, secret,
luks_mod,
existing_secret: other_secret,
token,
..
}
| Command::ReplaceKey {
luks,
authenticator,
credentials,
secret,
luks_mod,
replacement: other_secret,
token,
..
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let pin = if authenticator.pin {
let slot = add_key_to_luks( Some(authenticator.read_pin()?)
device.clone(),
&secret,
if let Some(keyfile) = keyfile.clone() {
Box::new(move || util::read_keyfile(keyfile.clone()))
} else { } else {
Box::new(|| { None
util::read_password("Old password", true).map(|p| p.as_bytes().to_vec()) };
}) let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
}, if interactive || secret.password_helper == PasswordHelper::Stdin {
*exclusive, util::read_password_hashed(q, verify)
} else {
secret.salt.obtain(&secret.password_helper)
}
};
let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
match other_secret {
OtherSecret {
keyfile: Some(file),
..
} => Ok((util::read_keyfile(file)?, None)),
OtherSecret {
fido_device: true, ..
} => Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
_ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
}
};
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
derive_secret(
&credentials.ids.0,
&salt("Password", verify)?,
authenticator.await_time,
pin.as_deref(),
)
};
let mut luks_dev = LuksDevice::load(&luks.device)?;
// Non overlap
match &args.command {
Command::AddKey { exclusive, .. } => {
let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?;
let added_slot = luks_dev.add_key(
&new_secret,
&existing_secret[..],
luks_mod.kdf_time.or(Some(10)),
Some(&cred.id[..]).filter(|_| *token),
)?; )?;
if *exclusive {
let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
println!(
"Added to key to device {}, slot: {}\nRemoved {} old keys",
luks.device.display(),
added_slot,
destroyed
);
} else {
println!( println!(
"Added to key to device {}, slot: {}", "Added to key to device {}, slot: {}",
device.display(), luks.device.display(),
slot added_slot
); );
}
Ok(()) Ok(())
} }
Command::ReplaceKey { Command::ReplaceKey { add_password, .. } => {
device, let (existing_secret, _) = secret(false)?;
add_password, let (replacement_secret, cred) = other_secret("Replacement password", true)?;
keyfile, let slot = if *add_password {
ref secret_gen, luks_dev.add_key(
} => { &replacement_secret[..],
let secret = secret_gen.patch(&args).obtain_secret()?; &existing_secret,
let slot = add_password_to_luks( luks_mod.kdf_time,
device.clone(), cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
&secret, )
if let Some(keyfile) = keyfile.clone() {
Box::new(move || util::read_keyfile(keyfile.clone()))
} else { } else {
Box::new(|| { luks_dev.replace_key(
util::read_password("Password to add", true).map(|p| p.as_bytes().to_vec()) &replacement_secret[..],
}) &existing_secret,
}, luks_mod.kdf_time,
*add_password, cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
)?; )
}?;
println!( println!(
"Added to password to device {}, slot: {}", "Added to password to device {}, slot: {}",
device.display(), luks.device.display(),
slot slot
); );
Ok(()) Ok(())
} }
_ => unreachable!(),
}
}
Command::Open { Command::Open {
device, luks,
authenticator,
secret,
name, name,
ref secret_gen, retries,
..
}
| Command::OpenToken {
luks,
authenticator,
secret,
name,
retries,
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let pin_string;
open_container(&device, &name, &secret) let pin = if authenticator.pin {
pin_string = authenticator.read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain(&secret.password_helper)
}
};
// Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
derive_secret(
credentials.as_ref(),
&salt("Password", false)?,
authenticator.await_time,
pin,
)
};
let mut retries = *retries;
let mut luks_dev = LuksDevice::load(&luks.device)?;
loop {
let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
Command::OpenToken { .. } => luks_dev.activate_token(
&name,
Box::new(|credentials: Vec<String>| {
let creds = credentials
.into_iter()
.flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
.collect::<Vec<_>>();
secret(Cow::Owned(creds))
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}),
luks.slot,
),
_ => unreachable!(),
};
match secret {
Err(e) => {
match e {
Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
e => return Err(e),
}
retries -= 1;
eprintln!("{}", e);
}
res => break res.map(|_| ()),
}
}
} }
Command::Connected => match get_devices() { Command::Connected => match get_devices() {
Ok(ref devs) if !devs.is_empty() => { Ok(ref devs) if !devs.is_empty() => {
@@ -277,5 +610,141 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
_ => exit(1), _ => exit(1),
}, },
Command::Token(cmd) => match cmd {
TokenCommand::List {
device,
csv: dump_credentials,
} => {
let mut dev = LuksDevice::load(device)?;
let mut creds = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
for cred in token.credential.iter() {
if !creds.contains(cred) {
creds.push(cred.clone());
if *dump_credentials {
print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
}
}
}
if *dump_credentials {
continue;
}
println!(
"{}:\n\tSlots: {}\n\tCredentials: {}",
id,
if token.keyslots.is_empty() {
"None".into()
} else {
token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
},
token
.credential
.iter()
.map(|cred| format!(
"{} ({})",
cred,
creds.iter().position(|c| c == cred).unwrap().to_string()
))
.collect::<Vec<_>>()
.join(",")
);
}
if *dump_credentials {
println!();
}
Ok(())
}
TokenCommand::Add {
device,
credentials,
slot,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
tokens.push((id, token));
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
1
} else {
tokens.len()
};
for (id, mut token) in tokens {
token
.credential
.extend(credentials.ids.0.iter().map(|h| h.to_string()));
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::Remove {
device,
credentials,
token_id,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if let Some(token_id) = token_id {
if id == *token_id {
tokens.push((id, token));
}
} else {
tokens.push((id, token));
}
}
let count = tokens.len();
for (id, mut token) in tokens {
token.credential = token
.credential
.into_iter()
.filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
.collect();
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::GC { device } => {
let mut dev = LuksDevice::load(device)?;
let mut creds: HashSet<String> = HashSet::new();
let mut remove = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.is_empty() || token.credential.is_empty() {
creds.extend(token.credential);
remove.push(id);
}
}
for id in remove.iter().rev() {
dev.remove_token(*id)?;
}
println!(
"Removed {} tokens, affected credentials: {}",
remove.len(),
creds.into_iter().collect::<Vec<_>>().join(",")
);
Ok(())
}
},
Command::GenerateCompletions { shell, out_dir } => {
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
match shell.as_ref() {
"bash" => Shell::Bash,
"fish" => Shell::Fish,
_ => unreachable!("structopt shouldn't allow us to reach this point"),
},
&out_dir,
);
Ok(())
}
} }
} }

40
src/config.rs
View File

@@ -1,7 +1,6 @@
use crate::error::*; use crate::error::*;
use crate::*; use crate::*;
use crypto::digest::Digest; use ring::digest;
use crypto::sha2::Sha256;
use std::fmt; use std::fmt;
use std::fs::File; use std::fs::File;
@@ -25,7 +24,7 @@ impl Default for InputSalt {
impl From<&str> for InputSalt { impl From<&str> for InputSalt {
fn from(s: &str) -> Self { fn from(s: &str) -> Self {
let mut parts = s.split(":").into_iter(); let mut parts = s.split(':');
match parts.next() { match parts.next() {
Some("ask") | Some("Ask") => InputSalt::AskPassword, Some("ask") | Some("Ask") => InputSalt::AskPassword,
Some("file") => InputSalt::File { Some("file") => InputSalt::File {
@@ -57,7 +56,7 @@ impl fmt::Display for InputSalt {
impl InputSalt { impl InputSalt {
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> { pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
let mut digest = Sha256::new(); let mut digest = digest::Context::new(&digest::SHA256);
match self { match self {
InputSalt::File { path } => { InputSalt::File { path } => {
let mut do_io = || { let mut do_io = || {
@@ -65,7 +64,7 @@ impl InputSalt {
let mut buf = [0u8; 512]; let mut buf = [0u8; 512];
loop { loop {
let red = reader.read(&mut buf)?; let red = reader.read(&mut buf)?;
digest.input(&buf[0..red]); digest.update(&buf[0..red]);
if red == 0 { if red == 0 {
break; break;
} }
@@ -75,19 +74,20 @@ impl InputSalt {
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?; do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
} }
InputSalt::AskPassword => { InputSalt::AskPassword => {
digest.input(password_helper.obtain()?.as_bytes()); digest.update(password_helper.obtain()?.as_bytes());
} }
InputSalt::String(s) => digest.input(s.as_bytes()), InputSalt::String(s) => digest.update(s.as_bytes()),
} }
let mut salt = [0u8; 32]; let mut salt = [0u8; 32];
digest.result(&mut salt); salt.as_mut().copy_from_slice(digest.finish().as_ref());
Ok(salt) Ok(salt)
} }
} }
#[derive(Debug, Clone)] #[derive(Debug, Clone, PartialEq, Eq)]
pub enum PasswordHelper { pub enum PasswordHelper {
Script(String), Script(String),
#[allow(dead_code)]
Systemd, Systemd,
Stdin, Stdin,
} }
@@ -95,7 +95,7 @@ pub enum PasswordHelper {
impl Default for PasswordHelper { impl Default for PasswordHelper {
fn default() -> Self { fn default() -> Self {
PasswordHelper::Script( PasswordHelper::Script(
"/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'" "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
.into(), .into(),
) )
} }
@@ -135,10 +135,9 @@ impl PasswordHelper {
Systemd => unimplemented!(), Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?), Stdin => Ok(util::read_password("Password", true)?),
Script(password_helper) => { Script(password_helper) => {
let mut helper_parts = password_helper.split(" "); let password = Command::new("sh")
.arg("-c")
let password = Command::new((&mut helper_parts).next().unwrap()) .arg(&password_helper)
.args(helper_parts)
.output() .output()
.map_err(|e| Fido2LuksError::AskPassError { .map_err(|e| Fido2LuksError::AskPassError {
cause: error::AskPassError::IO(e), cause: error::AskPassError::IO(e),
@@ -170,4 +169,17 @@ mod test {
assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword); assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default()); assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
} }
#[test]
fn input_salt_obtain() {
assert_eq!(
InputSalt::String("abc".into())
.obtain(&PasswordHelper::Stdin)
.unwrap(),
[
186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
163, 150, 23, 122, 156, 180, 16, 255, 97, 242, 0, 21, 173
]
)
}
} }

92
src/device.rs
View File

@@ -1,51 +1,61 @@
use crate::error::*; use crate::error::*;
use ctap; use crate::util;
use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension}; use ctap::{
use ctap::{FidoDevice, FidoError, FidoErrorKind}; self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
};
use std::time::Duration;
pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> { const RP_ID: &str = "fido2luks";
let mut errs = Vec::new();
match get_devices()? { pub fn make_credential_id(
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?, name: Option<&str>,
devs => { pin: Option<&str>,
for mut dev in devs.into_iter() { ) -> Fido2LuksResult<FidoCredential> {
match dev.make_hmac_credential() { let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
Ok(cred) => { if let Some(user_name) = name {
return Ok(cred); request = request.user_name(user_name);
} }
Err(e) => { let request = request.build().unwrap();
errs.push(e); let make_credential = |device: &mut FidoDevice| {
if let Some(pin) = pin {
device.unlock(pin)?;
} }
} device.make_hmac_credential(&request)
} };
} Ok(request_multiple_devices(
} get_devices()?
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)? .iter_mut()
.map(|device| (device, &make_credential)),
None,
)?)
} }
pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> { pub fn perform_challenge<'a>(
let cred = FidoHmacCredential { credentials: &'a [&'a FidoCredential],
id: hex::decode(credential_id).unwrap(), salt: &[u8; 32],
rp_id: "hmac".to_string(), timeout: Duration,
pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID)
.credentials(credentials)
.build()
.unwrap();
let get_assertion = |device: &mut FidoDevice| {
if let Some(pin) = pin {
device.unlock(pin)?;
}
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
}; };
let mut errs = Vec::new(); let (credential, (secret, _)) = request_multiple_devices(
match get_devices()? { get_devices()?
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?, .iter_mut()
devs => { .map(|device| (device, &get_assertion)),
for mut dev in devs.into_iter() { Some(timeout),
match dev.hmac_challange(&cred, &salt[..]) { )?;
Ok(secret) => { Ok((secret, credential))
return Ok(secret);
}
Err(e) => {
errs.push(e);
}
}
}
}
}
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
} }
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
@@ -54,7 +64,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
match FidoDevice::new(&di) { match FidoDevice::new(&di) {
Err(e) => match e.kind() { Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (), FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => Err(FidoError::from(err))?, err => return Err(FidoError::from(err).into()),
}, },
Ok(dev) => devices.push(dev), Ok(dev) => devices.push(dev),
} }

69
src/error.rs
View File

@@ -11,11 +11,15 @@ pub enum Fido2LuksError {
KeyfileError { cause: io::Error }, KeyfileError { cause: io::Error },
#[fail(display = "authenticator error: {}", cause)] #[fail(display = "authenticator error: {}", cause)]
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: ctap::FidoError },
#[fail(display = "no authenticator found, please ensure you device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = "luks err")] #[fail(display = " {}", cause)]
LuksError { cause: cryptsetup_rs::device::Error }, CryptsetupError {
#[fail(display = "no authenticator found, please ensure you device is plugged in")] cause: libcryptsetup_rs::LibcryptErr,
},
#[fail(display = "{}", cause)]
LuksError { cause: LuksError },
#[fail(display = "{}", cause)]
IoError { cause: io::Error }, IoError { cause: io::Error },
#[fail(display = "supplied secret isn't valid for this device")] #[fail(display = "supplied secret isn't valid for this device")]
WrongSecret, WrongSecret,
@@ -23,6 +27,19 @@ pub enum Fido2LuksError {
StringEncodingError { cause: FromUtf8Error }, StringEncodingError { cause: FromUtf8Error },
} }
impl Fido2LuksError {
pub fn exit_code(&self) -> i32 {
use Fido2LuksError::*;
match self {
AskPassError { .. } | KeyfileError { .. } => 2,
AuthenticatorError { .. } => 3,
NoAuthenticatorError => 4,
WrongSecret => 5,
_ => 1,
}
}
}
#[derive(Debug, Fail)] #[derive(Debug, Fail)]
pub enum AskPassError { pub enum AskPassError {
#[fail(display = "unable to retrieve password: {}", _0)] #[fail(display = "unable to retrieve password: {}", _0)]
@@ -31,6 +48,41 @@ pub enum AskPassError {
Mismatch, Mismatch,
} }
#[derive(Debug, Fail)]
pub enum LuksError {
#[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
Luks2Required,
#[fail(display = "Invalid token: {}", _0)]
InvalidToken(String),
#[fail(display = "No token found")]
NoToken,
#[fail(display = "The device already exists")]
DeviceExists,
}
impl LuksError {
pub fn activate(e: LibcryptErr) -> Fido2LuksError {
match e {
LibcryptErr::IOError(ref io) => match io.raw_os_error() {
Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
Some(17) => Fido2LuksError::LuksError {
cause: LuksError::DeviceExists,
},
_ => return Fido2LuksError::CryptsetupError { cause: e },
},
_ => Fido2LuksError::CryptsetupError { cause: e },
}
}
}
impl From<LuksError> for Fido2LuksError {
fn from(e: LuksError) -> Self {
Fido2LuksError::LuksError { cause: e }
}
}
use libcryptsetup_rs::LibcryptErr;
use std::io::ErrorKind;
use std::string::FromUtf8Error; use std::string::FromUtf8Error;
use Fido2LuksError::*; use Fido2LuksError::*;
@@ -40,17 +92,16 @@ impl From<FidoError> for Fido2LuksError {
} }
} }
impl From<cryptsetup_rs::device::Error> for Fido2LuksError { impl From<LibcryptErr> for Fido2LuksError {
fn from(e: cryptsetup_rs::device::Error) -> Self { fn from(e: LibcryptErr) -> Self {
match e { match e {
cryptsetup_rs::device::Error::CryptsetupError(error_no) if error_no.0 == 1i32 => { LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
WrongSecret WrongSecret
} }
e => LuksError { cause: e }, _ => CryptsetupError { cause: e },
} }
} }
} }
impl From<io::Error> for Fido2LuksError { impl From<io::Error> for Fido2LuksError {
fn from(e: io::Error) -> Self { fn from(e: io::Error) -> Self {
IoError { cause: e } IoError { cause: e }

327
src/luks.rs Normal file
View File

@@ -0,0 +1,327 @@
use crate::error::*;
use libcryptsetup_rs::{
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
TokenInput,
};
use std::collections::{HashMap, HashSet};
use std::path::Path;
pub struct LuksDevice {
device: CryptDevice,
luks2: Option<bool>,
}
impl LuksDevice {
pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
let mut device = CryptInit::init(path.as_ref())?;
device.context_handle().load::<()>(None, None)?;
Ok(Self {
device,
luks2: None,
})
}
pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
if let Some(luks2) = self.luks2 {
Ok(luks2)
} else {
self.luks2 = Some(match self.device.format_handle().get_type()? {
EncryptionFormat::Luks2 => true,
_ => false,
});
self.is_luks2()
}
}
fn require_luks2(&mut self) -> Fido2LuksResult<()> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
Ok(())
}
pub fn tokens<'a>(
&'a mut self,
) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
{
self.require_luks2()?;
Ok(Box::new(
(0..32)
.map(move |i| {
let status = match self.device.token_handle().status(i) {
Ok(status) => status,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
match status {
CryptTokenInfo::Inactive => return None,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != Fido2LuksToken::default_type() =>
{
return None
}
_ => (),
};
let json = match self.device.token_handle().json_get(i) {
Ok(json) => json,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
let info: Fido2LuksToken =
match serde_json::from_value(json.clone()).map_err(|_| {
Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
}
}) {
Ok(info) => info,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
Some(Ok((i, info)))
})
.filter_map(|o| o),
))
}
pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
let slot_str = slot.to_string();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot_str) {
return Ok(Some((id, token)));
}
}
Ok(None)
}
pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
Ok(())
}
pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::RemoveToken(token))?;
Ok(())
}
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&data).unwrap(),
))?;
Ok(())
}
pub fn add_key(
&mut self,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis)
}
let slot = self
.device
.keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
Ok(slot)
}
pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut destroyed = 0;
let mut tokens = Vec::new();
for slot in 0..256 {
match self.device.keyslot_handle().status(slot)? {
KeyslotInfo::Inactive => continue,
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
if self.is_luks2()? {
if let Some((id, _token)) = self.find_token(slot)? {
tokens.push(id);
}
}
self.device.keyslot_handle().destroy(slot)?;
destroyed += 1;
}
KeyslotInfo::ActiveLast => break,
_ => (),
}
if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break;
}
}
// Ensure indices stay valid
tokens.sort();
for token in tokens.iter().rev() {
self.remove_token(*token)?;
}
Ok(destroyed)
}
pub fn replace_key(
&mut self,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis)
}
// Use activate dry-run to locate keyslot
let slot = self.device.activate_handle().activate_by_passphrase(
None,
None,
old_secret,
CryptActivateFlags::empty(),
)?;
self.device.keyslot_handle().change_by_passphrase(
Some(slot),
Some(slot),
old_secret,
secret,
)? as u32;
if let Some(id) = credential_id {
if self.is_luks2()? {
let token = self.find_token(slot)?.map(|(t, _)| t);
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
if let Some(token) = token {
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?;
} else {
self.device
.token_handle()
.json_set(TokenInput::AddToken(&json))?;
}
}
}
Ok(slot)
}
pub fn activate(
&mut self,
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.map_err(LuksError::activate)
}
pub fn activate_token(
&mut self,
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
for token in self.tokens()? {
let token = match token {
Ok((_id, t)) => t,
_ => continue, // An corrupted token should't lock the user out
};
let slots = || {
token
.keyslots
.iter()
.filter_map(|slot| slot.parse::<u32>().ok())
};
for cred in token.credential.iter() {
creds
.entry(cred.clone())
.or_insert_with(|| slots().collect::<HashSet<u32>>())
.extend(slots());
}
}
if creds.is_empty() {
return Err(Fido2LuksError::LuksError {
cause: LuksError::NoToken,
});
}
let (secret, credential) = secret(creds.keys().cloned().collect())?;
let empty;
let slots = if let Some(slots) = creds.get(&credential) {
slots
} else {
empty = HashSet::new();
&empty
};
//Try slots associated with the credential used
let slots = slots.iter().cloned().map(Option::Some).chain(
std::iter::once(slot_hint) // Try slot hint if there is one
.take(slot_hint.is_some() as usize)
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
}
Err(Fido2LuksError::WrongSecret)
}
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Fido2LuksToken {
#[serde(rename = "type")]
pub type_: String,
pub credential: HashSet<String>,
pub keyslots: HashSet<String>,
}
impl Fido2LuksToken {
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot)
}
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I,
slot: u32,
) -> Self {
Self {
credential: credentials
.into_iter()
.map(|cred| hex::encode(cred.as_ref()))
.collect(),
keyslots: vec![slot.to_string()].into_iter().collect(),
..Default::default()
}
}
pub fn default_type() -> &'static str {
"fido2luks"
}
}
impl Default for Fido2LuksToken {
fn default() -> Self {
Self {
type_: Self::default_type().into(),
credential: HashSet::new(),
keyslots: HashSet::new(),
}
}
}

35
src/main.rs
View File

@@ -1,38 +1,29 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli::*; use crate::cli::*;
use crate::config::*; use crate::config::*;
use crate::device::*; use crate::device::*;
use crate::error::*; use crate::error::*;
use crypto::digest::Digest; use std::io;
use crypto::sha2::Sha256;
use cryptsetup_rs as luks;
use cryptsetup_rs::Luks1CryptDevice;
use std::io::{self};
use std::path::PathBuf; use std::path::PathBuf;
use std::process::exit;
mod cli; mod cli;
mod config; mod config;
mod device; mod device;
mod error; mod error;
mod luks;
mod util; mod util;
fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
let _slot = handle.activate(name, &secret[..])?;
Ok(())
}
fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
let mut digest = Sha256::new();
digest.input(salt);
digest.input(hmac_result);
let mut secret = [0u8; 32];
digest.result(&mut secret);
secret
}
fn main() -> Fido2LuksResult<()> { fn main() -> Fido2LuksResult<()> {
run_cli() match run_cli() {
Err(e) => {
eprintln!("{:?}", e);
exit(e.exit_code())
}
_ => exit(0),
}
} }

17
src/util.rs
View File

@@ -1,8 +1,19 @@
use crate::error::*; use crate::error::*;
use ring::digest;
use std::fs::File; use std::fs::File;
use std::io::Read; use std::io::Read;
use std::path::PathBuf; use std::path::PathBuf;
pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256);
for m in messages.iter() {
digest.update(m);
}
let mut secret = [0u8; 32];
secret.as_mut().copy_from_slice(digest.finish().as_ref());
secret
}
pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> { pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? { match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
ref pass ref pass
@@ -12,12 +23,16 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
{ {
Err(Fido2LuksError::AskPassError { Err(Fido2LuksError::AskPassError {
cause: AskPassError::Mismatch, cause: AskPassError::Mismatch,
})? })
} }
pass => Ok(pass), pass => Ok(pass),
} }
} }
pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
}
pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> { pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
let mut file = File::open(path.into())?; let mut file = File::open(path.into())?;
let mut key = Vec::new(); let mut key = Vec::new();