shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:luks2
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:ctap-hid-fido2
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

81 Commits
luks2 ... ctap-hid-f

Author SHA1 Message Date
shimun
871b2863b2 fix: build env 2022-09-28 19:48:30 +02:00
shimun
f436ae538d chore: update 2022-07-28 15:10:28 +02:00
shimun
17c96090bd fix: ctap crate 2022-07-05 15:35:54 +02:00
shimun
fce6ea2e31 fix: use patched ctap-hid crate 2022-06-16 17:42:50 +02:00
shimun
b566af46f7 fix: prevent creation of rk credential 2022-06-15 01:16:06 +02:00
shimun
1f0d555cea added: comment field to luks header data 2022-04-15 17:06:11 +02:00
shimun
2255f224a5 bump version 2022-04-11 14:36:07 +02:00
shimun
581e1780d1 update ctap-hid 2022-04-10 17:23:25 +02:00
shimun
7daa5a3fdb use develop version 2022-04-04 10:57:57 +02:00
shimun
4e986b8f05 removed: keepalive msg 2022-03-29 15:58:51 +02:00
shimun
ca82293976 fix: reintroduce connected command 2022-03-29 15:58:16 +02:00
shimun
d5b043840f chore: migrate to ctap-hid-fido2 2022-03-27 10:00:12 +02:00
shimun
eb8d65eb4f switch to ctap-hid-fido2 2022-03-23 19:30:24 +01:00
shimun
f6c2bc4cdb added --allow-discards flag 2021-12-28 13:50:21 +01:00
shimun
4e7ef4b8b7 0.3.0-alpha notice 2021-12-11 11:52:40 +01:00
shimun
e1ad8b37c1 0.3.0-alpha 2021-12-11 11:51:07 +01:00
shimun
e9510216ef 1
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-11 18:33:59 +02:00
shimun
0ec859f4a6 remove trailing newline from pin
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 12:40:34 +02:00
shimun
55bae4161e add credentials situated in the luks header to credential list
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-19 18:23:21 +02:00
shimun
086c1a0594 file path must be relative to src
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-05 19:35:36 +02:00
shimun
c2e38eb06f generate shell completions during build
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details
2020-09-05 18:52:07 +02:00
shimun
03ef5721e0 bump version
All checks were successful
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2020-09-03 14:56:36 +02:00
shimun
008e644024 auto detect current version 2020-09-03 14:56:22 +02:00
shimun
e1f762ddc9 add subcommand to generate bash completions
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-09-03 14:45:52 +02:00
Saravanan Palanisamy
2266754a95 create PKGBUILD file for archlinux package (#17)
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details 
* create PKGBUILD file

* use build & install method

* add package dependencies
 2020-09-02 14:14:40 +02:00
shimun
8811cff6d1 0.2.12
All checks were successful
continuous-integration/drone/tag Build is passing
Details
2020-08-31 00:04:24 +02:00
shimun
99787b614c Merge branch 'pin_source' into master
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-31 00:00:42 +02:00
shimun
ee28f87148 always print the full error message
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-08-30 17:09:57 +02:00
shimun
196356fe3b structopt does not allow for flags to be linked to env atm 2020-08-25 21:47:25 +02:00
shimun
3ff7e698bd add flag to read pin from alternate source
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-08-25 21:26:30 +02:00
shimun
04d0d60fb3 use ubuntu as base image
Some checks reported errors
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build was killed
Details
2020-08-16 15:30:20 +02:00
shimun
e64f777c54 use sh to run password helper 2020-08-16 13:42:54 +02:00
shimun
8465949b44 spell promPt correctly 2020-08-16 13:42:35 +02:00
shimunn
06bed03e7b Merge pull request #13 from Andrew-Finn/master 
Added documentation and tweaked readme
 2020-08-14 12:40:02 +02:00
Andrew-Finn
36f82e7c3a Added and edited documentation 2020-08-14 11:36:25 +01:00
shimun
cd90564f60 protect fido2luks.conf from being overwritten
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/tag Build is failing
Details
2020-08-11 23:08:12 +02:00
shimun
0f6d79a7e4 get plymouth to display a message
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-08-11 22:41:21 +02:00
shimun
4136b1bfad relicense to MPL
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-27 09:22:02 +02:00
shimun
81016a1a42 require MPL for new contributions
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-07-26 21:11:03 +02:00
shimun
840868468b cargo-deb meta
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-04 21:32:21 +02:00
shimun
97880e4f41 refuse removal while crypttab depends on keyscript
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 16:21:35 +02:00
shimun
e798ba5c70 remove keyscript aswell
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 15:59:12 +02:00
shimun
298e05fed7 initramfs-tools
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-07-03 15:55:23 +02:00
shimun
a498e1416f automate cargo publish
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-06-23 23:55:07 +02:00
shimun
92e413de50 refactored luks operations
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-06-22 20:47:19 +00:00
shimun
023399bb14 use unstable cryptsetup
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-22 18:17:10 +02:00
shimun
a53a430c23 update drone
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-21 22:16:45 +02:00
shimun
5f107cd337 add non existing token
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-19 20:09:36 +02:00
shimun
ddfd24a098 ensure replace_key uses the same slot 2020-06-19 20:05:05 +02:00
shimun
743edf668a document --token 2020-06-13 14:35:46 +02:00
shimun
4507107fac update libcryptsetup-rs 2020-06-10 13:50:28 +02:00
shimun
a8482c50a2 handle tokens when replacing 2020-06-08 19:22:19 +02:00
shimun
09be5ef551 assemble secret in correct order 2020-06-08 18:08:24 +02:00
shimun
6f6c84ddba skip luks2 check until underlying issue is fixed 2020-06-07 14:14:51 +02:00
shimun
5a05cad695 more precise description 2020-06-06 23:39:23 +02:00
shimun
d8d24b40f5 Merge branch 'cli_reorg' 2020-06-06 23:37:22 +02:00
shimun
c1a82b9ae6 update libcryptsetup_rs to 0.4.0 2020-06-06 22:43:18 +02:00
shimun
a26b79bcd6 reduced redundant code 2020-05-05 23:53:50 +02:00
shimun
f774580c9c update to current api 2020-05-05 23:28:44 +02:00
shimun
69732a1ad6 restore order 2020-04-29 20:33:28 +02:00
shimun
b8ae9d91f0 rudimentary pin support 2020-04-29 19:56:18 +02:00
shimun
fcdd2a2d3d add option to specify keyslot 2020-04-29 18:55:25 +02:00
shimun
c3d6425e2d reorganised cli 2020-04-29 18:50:55 +02:00
shimun
0b19760175 hint slots 2020-04-28 19:09:53 +02:00
shimun
2ec8679c47 open token 2020-04-28 14:27:14 +02:00
shimun
65e1dead8b remove token 2020-04-27 22:07:00 +02:00
shimun
478fb5e036 store luks token 2020-04-27 19:26:21 +02:00
shimun
1547f5e199 get format 2020-04-27 18:12:06 +02:00
shimun
5c0364587e update ctap 2020-04-26 18:58:37 +02:00
shimun
9307503bdc applied clippy lints 2020-04-07 20:06:24 +02:00
shimun
b94f45d1ff patch secret_gen before obtaing first secret 2020-04-06 23:33:41 +02:00
shimun
c8fb636846 mention clang build dependency 2020-04-06 22:52:15 +02:00
shimun
49e2835f60 enable fido requests to be sent to multiple devices at once 2020-04-06 21:38:11 +02:00
shimun
d5c0d48f03 allow another fido device to be used as previous secret 2020-04-06 20:18:00 +02:00
shimun
ad2451f548 add timeout 2020-04-05 23:24:18 +02:00
shimun
bb7ee7c1ce request password only once if possible 2020-04-03 22:02:05 +02:00
shimun
0ba77963d2 update ctap_hmac 2020-04-02 17:22:15 +02:00
shimun
1658800553 request_multiple 2020-04-01 20:24:49 +02:00
shimun
a394b7d1d1 libcryptsetup-rs patch 2020-03-28 14:54:36 +01:00
shimun
c99d7f562d support luks2 2020-03-27 20:08:54 +01:00
shimun
c4f781e6e3 only process keyslots within a given range 2020-03-27 20:03:42 +01:00
34 changed files with 3869 additions and 1813 deletions
Expand all files Collapse all files

35
.drone.yml
View File

@@ -3,32 +3,25 @@ name: default
steps: steps:
- name: fmt - name: fmt
image: rust:1.37.0 image: rust:1.43.0
commands: commands:
- rustup component add rustfmt - rustup component add rustfmt
- cargo fmt --all -- --check - cargo fmt --all -- --check
- name: test - name: test
image: rust:1.37.0 image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
environment:
DEBIAN_FRONTEND: noninteractive
commands: commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev - cargo test --locked
- cargo test
- name: build
image: rust:1.37.0
commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev
- cargo install -f --path . --root .
when:
event: tag
- name: publish - name: publish
image: plugins/github-release image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
settings: environment:
api_key: DEBIAN_FRONTEND: noninteractive
from_secret: github_release CARGO_REGISTRY_TOKEN:
files: from_secret: cargo_tkn
- bin/fido2luks commands:
checksum: - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- md5 - cargo package --all-features --allow-dirty
- sha256 - cargo publish --all-features --allow-dirty
when: when:
event: tag event: tag

6
.gitignore vendored
View File

@@ -2,3 +2,9 @@
**/*.rs.bk **/*.rs.bk
.idea/ .idea/
*.iml *.iml
fido2luks.bash
fido2luks.elv
fido2luks.fish
fido2luks.zsh
result
result-*

11
CHANGELOG.md Normal file
View File

@@ -0,0 +1,11 @@
## 0.3.0
* LUKS2 Tokens are now supported by every subcommand
* `<credential>` has been converted into the flag `--creds`
credentials provided by `--creds` will be supplemented from the LUKS header unless this is disabled by `--disable-token`
* `fido2luks add-key` will take an `--auto-cred` flag which allows for credentials to be generated and stored without having to use `fido2luks credential`
`fido2luks replace-key` will allow for credentials to be removed using the `--remove-cred` flag respectively
* Removed `fido2luks open-token` subcommand
`fido2luks open` now fulfills both functions
* Added `fido2luks open --dry-run` flag, to perform the whole procedure apart from mounting the LUKS volume
* Added an `--verbose` flag to display additional information like credentials and keyslots used if desired

1297
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

38
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.4" version = "0.3.1-alpha"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -11,18 +11,29 @@ repository = "https://github.com/shimunn/fido2luks"
readme = "README.md" readme = "README.md"
keywords = ["luks", "fido2", "u2f"] keywords = ["luks", "fido2", "u2f"]
categories = ["command-line-utilities"] categories = ["command-line-utilities"]
license-file = "LICENSE" license = "MPL-2.0"
[dependencies] [dependencies]
ctap_hmac = "0.2.1"
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.16.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = "0.2.0" serde_json = "1.0.51"
serde_derive = "1.0.116"
serde = "1.0.116"
anyhow = "1.0.56"
ctap-hid-fido2 = "3.4.1"
libcryptsetup-rs = "0.5.1"
[build-dependencies]
hex = "0.3.2"
ring = "0.16.5"
failure = "0.1.5"
rpassword = "4.0.1"
anyhow = "1.0.56"
libcryptsetup-rs = "0.5.1"
structopt = "0.3.2"
[profile.release] [profile.release]
lto = true lto = true
@@ -30,3 +41,16 @@ opt-level = 'z'
panic = 'abort' panic = 'abort'
incremental = false incremental = false
overflow-checks = false overflow-checks = false
[package.metadata.deb]
depends = "$auto, cryptsetup"
build-depends = "libclang-dev, libcryptsetup-dev"
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
assets = [
["target/release/fido2luks", "usr/bin/", "755"],
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"],
]
conf-files = ["/etc/fido2luks.conf"]

1047
LICENSE
View File

File diff suppressed because it is too large Load Diff

37
PKGBUILD Normal file
View File

@@ -0,0 +1,37 @@
# Maintainer: shimunn <shimun@shimun.net>
pkgname=fido2luks-git
pkgver=0.2.16.7e6b33a
pkgrel=1
makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
depends=('cryptsetup')
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
url="https://github.com/shimunn/fido2luks"
license=('MPL-2.0')
source=('git+https://github.com/shimunn/fido2luks')
sha512sums=('SKIP')
pkgver() {
cd fido2luks
# Use tag version if possible otherwise concat project version and git ref
git describe --exact-match --tags HEAD 2>/dev/null ||
echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
}
build() {
cd fido2luks
cargo build --release --locked --all-features --target-dir=target
}
package() {
cd fido2luks
install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
}

106
README.md
View File

@@ -1,105 +1,7 @@
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks) # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your luks encrypted disk with an fido2 compatible key ## 0.3.0-alpha
Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T This is just the program itself, all intitrid scripts are mostly taylored to the latest 0.2.x version and will most likely not work with 0.3.0 due to breaking changes in the CLI interface.
I've decided it release the version in this state since I just do not have the time now or in the forseeable future to tewak all scripts since it's quite an tedious tasks which involves rebooting VMs countless times.
## Setup If you're interested to adapt or write scripts for an particular distro I'd be more than happy to accept pull requests.
### Prerequisites
```
dnf install cargo cryptsetup-devel -y
```
### Device
```
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
sudo -E cargo install -f --path . --root /usr
# Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
# Load config into env
set -a
. /etc/fido2luks.conf
# Repeat for each luks volume
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
# Test(only works if the luks container isn't active)
sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
```
### Dracut
```
cd dracut
sudo make install
```
### Grub
Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
```
grub2-mkconfig > /boot/grub2/grub.cfg
```
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
```
mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/
```
## Test
Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
```
# Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
```
## Addtional settings
### Password less
Remove your previous secret as described in the next section, in case you've already added one.
Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
but be warned that this password will be included to into your initramfs.
Import the new config into env:
```
set -a
. /etc/fido2luks.conf
```
Then add the new secret to each device and update dracut afterwards `dracut -f`
## Removal
Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
```
set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```

32
build.rs Normal file
View File

@@ -0,0 +1,32 @@
#![allow(warnings)]
#[macro_use]
extern crate failure;
#[path = "src/cli_args/mod.rs"]
mod cli_args;
#[path = "src/error.rs"]
mod error;
#[path = "src/util.rs"]
mod util;
use cli_args::Args;
use std::env;
use std::fs;
use std::path::PathBuf;
use std::str::FromStr;
use structopt::clap::Shell;
use structopt::StructOpt;
fn main() {
let env_outdir = env::var_os("OUT_DIR").unwrap();
let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
fs::create_dir_all(&outdir).unwrap();
// generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
Shell::from_str(shell).unwrap(),
&outdir,
);
}
}

62
flake.lock generated Normal file
View File

@@ -0,0 +1,62 @@
{
"nodes": {
"naersk": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1639947939,
"narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
"owner": "nmattia",
"repo": "naersk",
"rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
"type": "github"
},
"original": {
"owner": "nmattia",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1647282937,
"narHash": "sha256-K8Oo6QyFCfiEWTRpQVfzcwI3YNMKlz6Tu8rr+o3rzRQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64fc73bd74f04d3e10cb4e70e1c65b92337e76db",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"naersk": "naersk",
"nixpkgs": "nixpkgs",
"utils": "utils"
}
},
"utils": {
"locked": {
"lastModified": 1644229661,
"narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

100
flake.nix Normal file
View File

@@ -0,0 +1,100 @@
{
description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
inputs = {
utils.url = "github:numtide/flake-utils";
naersk = {
url = "github:nmattia/naersk";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs @ { self, nixpkgs, utils, naersk, ... }:
let
root = inputs.source or self;
pname = (builtins.fromTOML (builtins.readFile (root + "/Cargo.toml"))).package.name;
# toolchains: stable, beta, default(nightly)
toolchain = pkgs: if inputs ? fenix then inputs.fenix.packages."${pkgs.system}".complete.toolchain
else with pkgs; symlinkJoin { name = "rust-toolchain"; paths = [ rustc cargo ]; };
forSystem = system:
let
pkgs = nixpkgs.legacyPackages."${system}";
in
rec {
# `nix build`
packages.${pname} = (self.overlay pkgs pkgs).${pname};
packages.dockerImage = pkgs.runCommandLocal "docker-${pname}.tar.gz" {} "${apps.streamDockerImage.program} | gzip --fast > $out";
packages.default = packages.${pname};
# `nix run`
apps.${pname} = utils.lib.mkApp {
drv = packages.${pname};
};
# `nix run .#streamDockerImage | docker load`
apps.streamDockerImage = utils.lib.mkApp {
drv = with pkgs; dockerTools.streamLayeredImage {
name = pname;
tag = self.shortRev or "latest";
config = {
Entrypoint = apps.default.program;
};
};
exePath = "";
};
apps.default = apps.${pname};
# `nix flake check`
checks = {
fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
cd ${root}
cargo fmt -- --check
nixpkgs-fmt --check *.nix
touch $out
'';
};
hydraJobs = checks // packages;
# `nix develop`
devShell = pkgs.mkShell rec {
RUST_SRC_PATH = "${if inputs ? fenix then "${toolchain pkgs}/lib/rustlib" else pkgs.rustPlatform.rustLibSrc}";
nativeBuildInputs = with pkgs; [ (toolchain pkgs) cargo-edit rustfmt nixpkgs-fmt ] ++ packages.default.nativeBuildInputs;
inherit (packages.default) buildInputs LIBCLANG_PATH;
shellHook = ''
printf "Rust version:"
rustc --version
printf "\nbuild inputs: ${pkgs.lib.concatStringsSep ", " (map (bi: bi.name) (buildInputs ++ nativeBuildInputs))}"
'';
};
};
in
(utils.lib.eachDefaultSystem forSystem) // {
overlays.pinned = final: prev: (self.overlay final (import nixpkgs {
inherit (final) localSystem;
})).packages;
overlay = final: prev:
let
naersk-lib = naersk.lib."${final.system}".override {
rustc = toolchain prev;
cargo = toolchain prev;
};
buildInputs = with prev; [
udev cryptsetup.dev
];
nativeBuildInputs = with prev; [
pkg-config clang
];
in
{
"${pname}" =
naersk-lib.buildPackage {
LIBCLANG_PATH = "${final.llvmPackages.libclang.lib}/lib";
inherit pname root buildInputs nativeBuildInputs;
};
};
};
}

18
initcpio/Makefile Normal file
View File

@@ -0,0 +1,18 @@
.PHONY: install remove
install:
install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif
remove:
rm /usr/lib/initcpio/{hooks,install}/fido2luks
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif

52
initcpio/README.md Normal file
View File

@@ -0,0 +1,52 @@
## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
### Setup
1. Connect your FIDO2 authenticator
2. Generate credential id
```shell
fido2luks credential
```
3. Generate salt (random string)
```shell
pwgen 48 1
```
4. Add key to your LUKS2 device
```shell
fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
```
`-P` - request PIN to unlock the authenticator
`-t` - add token (including credential id) to the LUKS2 header
`-e` - wipe all other keys
For the full list of options see `fido2luks add-key --help`
5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
```shell
cryptsetup luksDump <block_device>
```
6. Add fido2luks hook to /etc/mkinitcpio.conf
Before or instead of `encrypt` hook, for example:
```shell
HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
```
7. Recreate initial ramdisk
```shell
mkinitcpio -p <preset>
```

18
initcpio/fido2luks.conf Normal file
View File

@@ -0,0 +1,18 @@
# Set credential *ONLY IF* it's not embedded in the LUKS2 header
FIDO2LUKS_CREDENTIAL_ID=
# Encrypted device and its name under /dev/mapper
# Can be overridden by `cryptdevice` kernel parameter
FIDO2LUKS_DEVICE=
FIDO2LUKS_MAPPER_NAME=
FIDO2LUKS_SALT=string:<salt>
# Use specific keyslot (ignore all other slots)
FIDO2LUKS_DEVICE_SLOT=
# Await for an authenticator to be connected (in seconds)
FIDO2LUKS_DEVICE_AWAIT=
# Set to 1 if PIN is required to unlock the authenticator
FIDO2LUKS_ASK_PIN=

55
initcpio/hooks/fido2luks Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/ash
run_hook() {
modprobe -a -q dm-crypt >/dev/null 2>&1
. /etc/fido2luks.conf
if [ -z "$cryptdevice" ]; then
device="$FIDO2LUKS_DEVICE"
dmname="$FIDO2LUKS_MAPPER_NAME"
else
IFS=: read cryptdev dmname _cryptoptions <<EOF
$cryptdevice
EOF
if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
return 1
fi
fi
options="--salt $FIDO2LUKS_SALT"
if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
options="$options --pin"
fi
if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
fi
if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
fi
# HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
# Temporary link it to /dev/tty1
mv /dev/tty /dev/tty.back
ln -s /dev/tty1 /dev/tty
printf "\nAuthentication is required to access the $dmname volume at $device\n"
if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
fido2luks open-token $device $dmname $options
else
fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
fi
exit_code=$?
# Restore /dev/tty
mv /dev/tty.back /dev/tty
if [ $exit_code -ne 0 ]; then
printf '\n'
read -s -p 'Press Enter to continue'
printf '\n'
fi
}

31
initcpio/install/fido2luks Normal file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
build() {
local mod
add_module dm-crypt
add_module dm-integrity
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules /crypto/
fi
add_binary fido2luks
add_binary dmsetup
add_file /usr/lib/udev/rules.d/10-dm.rules
add_file /usr/lib/udev/rules.d/13-dm-disk.rules
add_file /usr/lib/udev/rules.d/95-dm-notify.rules
add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
add_file /etc/fido2luks.conf /etc/fido2luks.conf
add_runscript
}
help() {
cat <<HELPEOF
This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
HELPEOF
}

15
initramfs-tools/Dockerfile Normal file
View File

@@ -0,0 +1,15 @@
FROM rust:bullseye
RUN cargo install -f cargo-deb --debug --version 1.30.0
ARG DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y cryptsetup pkg-config libclang-dev libcryptsetup-dev && mkdir -p /build/fido2luks
WORKDIR /build/fido2luks
ENV CARGO_TARGET_DIR=/build/fido2luks/target
RUN cargo install fido2luks -f
CMD bash -xc 'cp -rf /code/* /build/fido2luks && cargo-deb && cp target/debian/*.deb /out'

11
initramfs-tools/Makefile Normal file
View File

@@ -0,0 +1,11 @@
.PHONY: install
install:
chmod +x hook/fido2luks.sh keyscript.sh
cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
mkdir -p /usr/share/fido2luks
cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u
remove:
sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
update-initramfs -u

34
initramfs-tools/README.md Normal file
View File

@@ -0,0 +1,34 @@
## Initramfs-tools based systems(Ubuntu and derivatives)
For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
```
sudo -s
# Insert FIDO key.
fido2luks credential
# Tap FIDO key
# Copy returned string <CREDENTIAL>
nano /etc/fido2luks.conf
# Insert <CREDENTIAL>
# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL>
set -a
. /etc/fido2luks.conf
fido2luks -i add-key /dev/<LUKS PARTITION>
# Current password: <Any current LUKS password>
# Password: <Password used as FIDO challange>
# Tap FIDO key
nano /etc/crypttab
# Append to end ",discard,initramfs,keyscript=fido2luks"
# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
update-initramfs -u
```
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

9
initramfs-tools/build-deb.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -ex
docker build . -t fido2luks-deb
mkdir -p debs
docker run -ti -v "$(pwd)/..:/code:ro" -v "$(pwd)/debs:/out" fido2luks-deb

3
initramfs-tools/fido2luks.conf Normal file
View File

@@ -0,0 +1,3 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=

14
initramfs-tools/hook/fido2luks.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
case "$1" in
prereqs)
echo ""
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
copy_exec /usr/bin/fido2luks
exit 0

10
initramfs-tools/keyscript.sh Executable file
View File

@@ -0,0 +1,10 @@
#!/bin/sh
set -a
. /etc/fido2luks.conf
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
fi
fido2luks print-secret --bin "$CRYPTTAB_SOURCE" $([ "$FIDO2LUKS_USE_TOKEN" -eq 0 ] && printf "--disable-token")

332
initramfs-tools/setup.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 550 KiB

220
pam_mount/fido2luksmounthelper.sh Executable file
View File

@@ -0,0 +1,220 @@
#!/bin/bash
#
# This is a rather minimal example Argbash potential
# Example taken from http://argbash.readthedocs.io/en/stable/example.html
#
# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Generated online by https://argbash.io/generate
die()
{
local _ret="${2:-1}"
test "${_PRINT_HELP:-no}" = yes && print_help >&2
echo "$1" >&2
exit "${_ret}"
}
begins_with_short_option()
{
local first_option all_short_options='cdmash'
first_option="${1:0:1}"
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}
# THE DEFAULTS INITIALIZATION - POSITIONALS
_positionals=()
# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_credentials_type=
_arg_device=
_arg_mount_point=
_arg_ask_pin="off"
_arg_salt=""
print_help()
{
printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
printf '\t%s\n' "-h, --help: Prints help"
}
parse_commandline()
{
_positionals_count=0
while test $# -gt 0
do
_key="$1"
case "$_key" in
-c|--credentials-type)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_credentials_type="$2"
shift
;;
--credentials-type=*)
_arg_credentials_type="${_key##--credentials-type=}"
;;
-c*)
_arg_credentials_type="${_key##-c}"
;;
-d|--device)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_device="$2"
shift
;;
--device=*)
_arg_device="${_key##--device=}"
;;
-d*)
_arg_device="${_key##-d}"
;;
-m|--mount-point)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_mount_point="$2"
shift
;;
--mount-point=*)
_arg_mount_point="${_key##--mount-point=}"
;;
-m*)
_arg_mount_point="${_key##-m}"
;;
-a|--no-ask-pin|--ask-pin)
_arg_ask_pin="on"
test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
;;
-a*)
_arg_ask_pin="on"
_next="${_key##-a}"
if test -n "$_next" -a "$_next" != "$_key"
then
{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
fi
;;
-s|--salt)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_salt="$2"
shift
;;
--salt=*)
_arg_salt="${_key##--salt=}"
;;
-s*)
_arg_salt="${_key##-s}"
;;
-h|--help)
print_help
exit 0
;;
-h*)
print_help
exit 0
;;
*)
_last_positional="$1"
_positionals+=("$_last_positional")
_positionals_count=$((_positionals_count + 1))
;;
esac
shift
done
}
handle_passed_args_count()
{
local _required_args_string="'operation'"
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}
assign_positional_args()
{
local _positional_name _shift_for=$1
_positional_names="_arg_operation "
shift "$_shift_for"
for _positional_name in ${_positional_names}
do
test $# -gt 0 || break
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
shift
done
}
parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"
# OTHER STUFF GENERATED BY Argbash
### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash
if [ -z ${_arg_mount_point} ]; then
die "Missing '--mount-point' argument"
fi
if [ -z ${_arg_device} ]; then
die "Missing '--device' argument"
fi
ASK_PIN=${_arg_ask_pin}
OPERATION=${_arg_operation}
DEVICE=${_arg_device}
DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
MOUNT_POINT=${_arg_mount_point}
CREDENTIALS_TYPE=${_arg_credentials_type}
SALT=${_arg_salt}
CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
if [ "${OPERATION}" == "mount" ]; then
if [ "${CREDENTIALS_TYPE}" == "external" ]; then
if [ -f ${CONF_FILE_PATH} ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
CREDENTIALS=$(<${CONF_FILE_PATH})
else
die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
fi
printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
else
die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
fi
mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
elif [ "${OPERATION}" == "umount" ]; then
umount ${MOUNT_POINT}
cryptsetup luksClose ${DEVICE_NAME}
else
die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
fi
exit 0
# ] <-- needed because of Argbash

858
src/cli.rs
View File

@@ -1,273 +1,539 @@
use crate::error::*; use crate::error::*;
use crate::luks; use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256;
use crate::*; use crate::*;
pub use cli_args::Args;
use cli_args::*;
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use std::borrow::Cow;
use std::collections::HashSet;
use std::io::Write;
use std::iter::FromIterator;
use std::path::Path;
use std::str::FromStr;
use std::time::Duration;
use std::time::SystemTime;
use structopt::clap::Shell;
use structopt::StructOpt; use structopt::StructOpt;
use failure::_core::fmt::{Error, Formatter}; fn read_pin() -> Fido2LuksResult<String> {
use failure::_core::str::FromStr; util::read_password_tty("Authenticator PIN", false)
use failure::_core::time::Duration;
use std::io::Write;
use std::process::exit;
use std::thread;
use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(Vec<u8>);
impl std::fmt::Display for HexEncoded {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
f.write_str(&hex::encode(&self.0))
}
} }
impl FromStr for HexEncoded { fn derive_secret(
type Err = hex::FromHexError; credentials: &[HexEncoded],
salt: &[u8; 32],
fn from_str(s: &str) -> Result<Self, Self::Err> { timeout: u64,
Ok(HexEncoded(hex::decode(s)?)) pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials);
} }
} let timeout = Duration::from_secs(timeout);
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
}
#[derive(Debug, StructOpt, Clone)]
pub struct SecretGeneration {
/// FIDO credential id, generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub credential_id: HexEncoded,
/// Salt for secret generation, defaults to 'ask'
///
/// Options:{n}
/// - ask : Prompt user using password helper{n}
/// - file:<PATH> : Will read <FILE>{n}
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
#[structopt(
name = "salt",
long = "salt",
env = "FIDO2LUKS_SALT",
default_value = "ask"
)]
pub salt: InputSalt,
/// Script used to obtain passwords, overridden by --interactive flag
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)]
pub password_helper: PasswordHelper,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_authenticator: u64,
}
impl SecretGeneration {
pub fn patch(&self, args: &Args) -> Self {
let mut me = self.clone();
if args.interactive {
me.password_helper = PasswordHelper::Stdin;
}
me
}
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
let salt = self.salt.obtain(&self.password_helper)?;
let timeout = Duration::from_secs(self.await_authenticator);
let start = SystemTime::now(); let start = SystemTime::now();
while let Ok(el) = start.elapsed() { //while let Ok(el) = start.elapsed() {
if el > timeout { // if el > timeout {
Err(error::Fido2LuksError::NoAuthenticatorError)?; // return Err(error::Fido2LuksError::NoAuthenticatorError);
} // }
if get_devices() // if get_devices()
.map(|devices| !devices.is_empty()) // .map(|devices| !devices.is_empty())
.unwrap_or(false) // .unwrap_or(false)
{ // {
break; // break;
} // }
thread::sleep(Duration::from_millis(500)); // thread::sleep(Duration::from_millis(500));
} //}
Ok(assemble_secret(
&perform_challenge(&self.credential_id.0, &salt)?, let credentials = credentials
&salt, .iter()
)) .map(|hex| PublicKeyCredentialDescriptor {
} id: hex.0.clone(),
ctype: Default::default(),
})
.collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>();
let (unsalted, cred) =
perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
let binary = sha256(&[salt, &unsalted[..]]);
Ok((binary, cred.clone()))
} }
#[derive(Debug, StructOpt)] pub fn extend_creds_device(
pub enum Command { creds: &[HexEncoded],
#[structopt(name = "print-secret")] luks_dev: &mut LuksDevice,
PrintSecret { ) -> Fido2LuksResult<Vec<HexEncoded>> {
/// Prints the secret as binary instead of hex encoded let mut additional = HashSet::new();
#[structopt(short = "b", long = "bin")] additional.extend(creds.iter().cloned());
binary: bool, for token in luks_dev.tokens()? {
#[structopt(flatten)] for cred in token?.1.credential {
secret_gen: SecretGeneration, let parsed = HexEncoded::from_str(cred.as_str()).map_err(|_e| {
Fido2LuksError::HexEncodingError {
string: cred.clone(),
}
})?;
additional.insert(parsed);
}
}
Ok(Vec::from_iter(additional.into_iter()))
}
pub fn get_input(
secret: &SecretParameters,
authenticator: &AuthenticatorParameters,
interactive: bool,
q: &str,
verify: bool,
) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
let password_helper = secret
.password_helper
.as_ref()
.map(|helper| move || helper.obtain());
let salt = &secret.salt;
Ok(if interactive {
(
if authenticator.pin && may_require_pin()? {
Some(read_pin()?)
} else {
None
}, },
/// Adds a generated key to the specified LUKS device salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?,
#[structopt(name = "add-key")] )
AddKey { } else {
#[structopt(env = "FIDO2LUKS_DEVICE")] match (
device: PathBuf, authenticator.pin && may_require_pin()?,
/// Will wipe all other keys authenticator.pin_prefixed,
#[structopt(short = "e", long = "exclusive")] ) {
exclusive: bool, (true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?),
/// Use a keyfile instead of typing a previous password (true, true) => read_password_pin_prefixed(|| {
#[structopt(short = "d", long = "keyfile")] salt.obtain(password_helper).and_then(|secret| {
keyfile: Option<PathBuf>, String::from_utf8(secret).map_err(|e| Fido2LuksError::from(e))
#[structopt(flatten)] })
secret_gen: SecretGeneration, })?,
}, (false, _) => (None, salt.obtain_sha256(password_helper)?),
/// Replace a previously added key with a password }
#[structopt(name = "replace-key")] })
ReplaceKey { }
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf, pub fn read_password_pin_prefixed(
/// Add the password and keep the key prefixed: impl Fn() -> Fido2LuksResult<String>,
#[structopt(short = "a", long = "add-password")] ) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
add_password: bool, let read = prefixed()?;
/// Use a keyfile instead of typing a previous password let separator = ':';
#[structopt(short = "d", long = "keyfile")] let mut parts = read.split(separator);
keyfile: Option<PathBuf>, let pin = parts.next().filter(|p| p.len() > 0).map(|p| p.to_string());
#[structopt(flatten)] let password = match pin {
secret_gen: SecretGeneration, Some(ref pin) if read.len() > pin.len() => {
}, read.chars().skip(pin.len() + 1).collect::<String>()
/// Open the LUKS device }
#[structopt(name = "open")] Some(_) => String::new(),
Open { _ => read
#[structopt(env = "FIDO2LUKS_DEVICE")] .chars()
device: PathBuf, .skip(read.chars().next().map(|c| c == separator).unwrap_or(false) as usize)
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")] .collect::<String>(),
name: String, };
#[structopt(short = "r", long = "max-retries", default_value = "0")] Ok((pin, util::sha256(&[password.as_bytes()])))
retries: i32, }
#[structopt(flatten)]
secret_gen: SecretGeneration, /// generate an more readable name from common paths
}, pub fn derive_credential_name(path: &Path) -> String {
/// Generate a new FIDO credential match path.file_name() {
#[structopt(name = "credential")] Some(name)
Credential { if path
/// Name to be displayed on the authenticator if it has a display .iter()
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")] .any(|p| p == "by-label" || p == "by-partlabel" || p == "by-uuid") =>
name: Option<String>, {
}, name.to_string_lossy().as_ref().to_string()
/// Check if an authenticator is connected }
#[structopt(name = "connected")] _ => path.display().to_string(),
Connected, }
} }
pub fn parse_cmdline() -> Args { pub fn parse_cmdline() -> Args {
Args::from_args() Args::from_args()
} }
pub fn prompt_interaction(interactive: bool) {
if interactive {
println!("Authorize using your FIDO device");
}
}
pub fn run_cli() -> Fido2LuksResult<()> { pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout(); let mut stdout = io::stdout();
let args = parse_cmdline(); let args = parse_cmdline();
let log = |message: &dyn Fn() -> String| {
if args.verbose {
eprintln!("{}", &*message());
}
};
let interactive = args.interactive;
match &args.command { match &args.command {
Command::Credential { name } => { Command::Credential {
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?; authenticator,
name,
} => {
let pin_string;
let pin = if authenticator.pin && may_require_pin()? {
pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let cred =
make_credential_id(Some(name.as_str()).filter(|name| name.len() > 0), pin, &[])?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
Command::PrintSecret { Command::PrintSecret {
binary, binary,
ref secret_gen, authenticator,
credentials,
secret,
device,
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let (pin, salt) =
if *binary { get_input(&secret, &authenticator, args.interactive, "Password", false)?;
stdout.write(&secret[..])?; let credentials = if let Some(path) = device {
let mut dev = LuksDevice::load(path)?;
let luks2 = dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
extend_creds_device(
credentials
.ids
.clone()
.map(|cs| cs.0)
.unwrap_or_default()
.as_slice(),
&mut dev,
)?
} else { } else {
stdout.write(hex::encode(&secret[..]).as_bytes())?; credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
};
log(&|| {
format!(
"credentials: {}",
credentials
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
prompt_interaction(interactive);
let (secret, cred) = derive_secret(
&credentials,
&salt,
authenticator.await_time,
pin.as_deref(),
)?;
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
if *binary {
stdout.write_all(&secret[..])?;
} else {
stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
} }
Ok(stdout.flush()?) Ok(stdout.flush()?)
} }
Command::AddKey { Command::AddKey {
device, luks,
exclusive, authenticator,
keyfile, credentials,
ref secret_gen, secret,
luks_mod,
existing_secret: other_secret,
..
}
| Command::ReplaceKey {
luks,
authenticator,
credentials,
secret,
luks_mod,
replacement: other_secret,
..
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let mut luks_dev = LuksDevice::load(&luks.device)?;
let old_secret = if let Some(keyfile) = keyfile.clone() {
util::read_keyfile(keyfile.clone()) let luks2 = luks_dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
let credentials = if !luks.disable_token && luks2 {
extend_creds_device(
credentials
.ids
.clone()
.map(|cs| cs.0)
.unwrap_or_default()
.as_slice(),
&mut luks_dev,
)?
} else { } else {
util::read_password("Old password", false).map(|p| p.as_bytes().to_vec()) credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
};
log(&|| {
format!(
"credentials: {}",
credentials
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify)
};
let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(
Vec<u8>,
Option<PublicKeyCredentialDescriptor>,
)> {
match other_secret {
OtherSecret {
keyfile: Some(file),
..
} => Ok((util::read_keyfile(file)?, None)),
OtherSecret {
fido_device: true, ..
} => {
let (pin, salt) = inputs(salt_q, verify)?;
prompt_interaction(interactive);
Ok(derive_secret(
&credentials,
&salt,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
}
_ => Ok((
util::read_password_tty(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
}
};
let secret =
|q: &str,
verify: bool,
credentials: &[HexEncoded]|
-> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
let (pin, salt) = inputs(q, verify)?;
prompt_interaction(interactive);
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
};
// Non overlap
match &args.command {
Command::AddKey {
exclusive,
generate_credential,
comment,
..
} => {
let (existing_secret, existing_credential) =
other_secret("Current password", false)?;
let excluded_credential = existing_credential.as_ref();
let exclude_list = excluded_credential
.as_ref()
.map(core::slice::from_ref)
.unwrap_or_default();
existing_credential.iter().for_each(|cred| {
log(&|| {
format!(
"using credential to unlock container: {}",
hex::encode(&cred.id)
)
})
});
let (new_secret, cred) = if *generate_credential && luks2 {
let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()),
(if authenticator.pin && may_require_pin()? {
//TODO: not ideal since it ignores pin-prefixed
Some(read_pin()?)
} else {
None
})
.as_deref(),
dbg!(exclude_list),
)?;
log(&|| {
format!(
"generated credential: {}\ncredential username: {:?}",
hex::encode(&cred.id),
derive_credential_name(luks.device.as_path())
)
});
let creds = vec![HexEncoded(cred.id)];
secret("Password to be added", true, &creds)
} else {
secret("Password to be added", true, &credentials)
}?; }?;
let added_slot = luks::add_key(device.clone(), &secret, &old_secret[..], Some(10))?; log(&|| format!("credential used: {}", hex::encode(&cred.id)));
let added_slot = luks_dev.add_key(
&new_secret,
&existing_secret[..],
luks_mod.kdf_time.or(Some(10)),
Some(&cred.id[..])
.filter(|_| !luks.disable_token || *generate_credential)
.filter(|_| luks2),
comment.as_deref().map(String::from),
)?;
if *exclusive { if *exclusive {
let destroyed = luks::remove_keyslots(&device, &[added_slot])?; let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
println!( println!(
"Added to key to device {}, slot: {}\nRemoved {} old keys", "Added to key to device {}, slot: {}\nRemoved {} old keys",
device.display(), luks.device.display(),
added_slot, added_slot,
destroyed destroyed
); );
} else { } else {
println!( println!(
"Added to key to device {}, slot: {}", "Added to key to device {}, slot: {}",
device.display(), luks.device.display(),
added_slot added_slot
); );
} }
Ok(()) Ok(())
} }
Command::ReplaceKey { Command::ReplaceKey {
device,
add_password, add_password,
keyfile, remove_cred,
ref secret_gen, ..
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let (existing_secret, _prev_cred) =
let new_secret = if let Some(keyfile) = keyfile.clone() { secret("Current password", false, &credentials)?;
util::read_keyfile(keyfile.clone()) let (replacement_secret, cred) = other_secret("Replacement password", true)?;
} else {
util::read_password("Password to add", *add_password).map(|p| p.as_bytes().to_vec())
}?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key(device, &new_secret[..], &secret, None) luks_dev.add_key(
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
cred.as_ref()
.filter(|_| !luks.disable_token)
.filter(|_| luks2)
.map(|cred| &cred.id[..]),
None,
)
} else { } else {
luks::replace_key(device, &new_secret[..], &secret, Some(5)) let slot = luks_dev.replace_key(
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
cred.as_ref()
.filter(|_| !luks.disable_token)
.filter(|_| luks2)
.map(|cred| &cred.id[..]),
)?;
if *remove_cred && cred.is_none() {
luks_dev.remove_token_slot(slot)?;
}
Ok(slot)
}?; }?;
if let Some(cred) = cred {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
}
println!( println!(
"Added to password to device {}, slot: {}", "Added to password to device {}, slot: {}",
device.display(), luks.device.display(),
slot slot
); );
Ok(()) Ok(())
} }
_ => unreachable!(),
}
}
Command::Open { Command::Open {
device, luks,
authenticator,
secret,
name, name,
credentials,
retries, retries,
ref secret_gen, dry_run,
allow_discards,
..
} => { } => {
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify)
};
// Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
let (pin, salt) = inputs("Password", false)?;
prompt_interaction(interactive);
derive_secret(
credentials.as_ref(),
&salt,
authenticator.await_time,
pin.as_deref(),
)
};
let mut retries = *retries; let mut retries = *retries;
let mut luks_dev = LuksDevice::load(&luks.device)?;
let luks2 = luks_dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
loop { loop {
let secret = secret_gen.patch(&args).obtain_secret()?; let slot = if let Some(ref credentials) = credentials.ids {
match luks::open_container(&device, &name, &secret) { log(&|| {
Err(e) => match e { format!(
Fido2LuksError::WrongSecret if retries > 0 => { "credentials: {}",
credentials
.0
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
luks_dev.activate(&name, &secret, luks.slot, *dry_run, *allow_discards)
})
} else if luks2 && !luks.disable_token {
luks_dev.activate_token(
&name,
Box::new(|credentials: Vec<String>| {
log(&|| format!("credentials: {}", credentials.join(", ")));
let creds = credentials
.into_iter()
.flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
.collect::<Vec<_>>();
secret(Cow::Owned(creds)).map(|(secret, cred)| {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
(secret, hex::encode(&cred.id))
})
}),
luks.slot,
*dry_run,
*allow_discards,
)
} else if luks_dev.is_luks2()? && luks.disable_token {
// disable-token is mostly cosmetic in this instance
return Err(Fido2LuksError::InsufficientCredentials);
} else {
return Err(Fido2LuksError::WrongSecret);
};
match slot {
Err(e) => {
match e {
Fido2LuksError::WrongSecret if retries > 0 => {}
//Fido2LuksError::AuthenticatorError { ref cause }
// if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
e => return Err(e),
};
retries -= 1; retries -= 1;
eprintln!("{}", e); eprintln!("{}", e);
continue;
} }
e => Err(e)?, Ok(slot) => {
}, log(&|| format!("keyslot: {}", slot));
res => break res, break Ok(());
}
} }
} }
} }
@@ -278,5 +544,199 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
_ => exit(1), _ => exit(1),
}, },
Command::Token(cmd) => match cmd {
TokenCommand::List {
device,
csv: dump_credentials,
} => {
let mut dev = LuksDevice::load(device)?;
let mut creds = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
for cred in token.credential.iter() {
if !creds.contains(cred) {
creds.push(cred.clone());
if *dump_credentials {
print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
}
}
}
if *dump_credentials {
continue;
}
println!(
"{}{}:\n\tSlots: {}\n\tCredentials: {}",
id,
token
.comment
.as_deref()
.map(|comment| format!(" - {}", comment))
.unwrap_or_default(),
if token.keyslots.is_empty() {
"None".into()
} else {
token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
},
token
.credential
.iter()
.map(|cred| format!(
"{} ({})",
cred,
creds.iter().position(|c| c == cred).unwrap().to_string()
))
.collect::<Vec<_>>()
.join(",")
);
}
if *dump_credentials {
println!();
}
Ok(())
}
TokenCommand::Add {
device,
credentials,
comment,
slot,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
tokens.push((id, token));
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(
&credentials.0,
*slot,
comment.as_deref().map(String::from),
))?;
1
} else {
tokens.len()
};
for (id, mut token) in tokens {
token
.credential
.extend(credentials.0.iter().map(|h| h.to_string()));
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::Remove {
device,
credentials,
token_id,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if let Some(token_id) = token_id {
if id == *token_id {
tokens.push((id, token));
}
} else {
tokens.push((id, token));
}
}
let count = tokens.len();
for (id, mut token) in tokens {
token.credential = token
.credential
.into_iter()
.filter(|cred| !credentials.0.iter().any(|h| &h.to_string() == cred))
.collect();
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::GC { device } => {
let mut dev = LuksDevice::load(device)?;
let mut creds: HashSet<String> = HashSet::new();
let mut remove = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.is_empty() || token.credential.is_empty() {
creds.extend(token.credential);
remove.push(id);
}
}
for id in remove.iter().rev() {
dev.remove_token(*id)?;
}
println!(
"Removed {} tokens, affected credentials: {}",
remove.len(),
creds.into_iter().collect::<Vec<_>>().join(",")
);
Ok(())
}
},
Command::GenerateCompletions { shell, out_dir } => {
// zsh won't work atm https://github.com/clap-rs/clap/issues/1822
if let Some(s) = shell {
if s.as_str() == "zsh" {
unimplemented!("zsh completions are broken atm: see https://github.com/clap-rs/clap/issues/1822")
}
}
for variant in Shell::variants().iter().filter(|v| *v != &"zsh") {
if let Some(s) = shell {
if *variant != s.as_str() {
break;
}
}
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
Shell::from_str(variant)
.expect("structopt shouldn't allow us to reach this point"),
&out_dir,
);
}
Ok(())
}
}
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_read_password_pin_prefixed() {
// 1234:test -> PIN: 1234, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok("1234:test".into())).unwrap(),
(Some("1234".to_string()), util::sha256(&["test".as_bytes()]))
);
// :test -> PIN: None, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
(None, util::sha256(&["test".as_bytes()]))
);
// 1234::test -> PIN: 1234, password: :test
assert_eq!(
read_password_pin_prefixed(|| Ok("1234::test".into())).unwrap(),
(
Some("1234".to_string()),
util::sha256(&[":test".as_bytes()])
)
);
// 1234 -> PIN: 1234, password: empty
assert_eq!(
read_password_pin_prefixed(|| Ok("1234".into())).unwrap(),
(Some("1234".to_string()), util::sha256(&["".as_bytes()]))
);
// 1234:test -> PIN: None, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
(None, util::sha256(&["test".as_bytes()]))
);
} }
} }

107
src/config.rs → src/cli_args/config.rs
View File

@@ -7,36 +7,37 @@ use std::fs::File;
use std::io::Read; use std::io::Read;
use std::path::PathBuf; use std::path::PathBuf;
use std::process::Command; use std::process::Command;
use std::process::Stdio;
use std::str::FromStr; use std::str::FromStr;
#[derive(Debug, Clone, PartialEq)] #[derive(Debug, Clone, PartialEq)]
pub enum InputSalt { pub enum SecretInput {
AskPassword, AskPassword,
String(String), String(String),
File { path: PathBuf }, File { path: PathBuf },
} }
impl Default for InputSalt { impl Default for SecretInput {
fn default() -> Self { fn default() -> Self {
InputSalt::AskPassword SecretInput::AskPassword
} }
} }
impl From<&str> for InputSalt { impl From<&str> for SecretInput {
fn from(s: &str) -> Self { fn from(s: &str) -> Self {
let mut parts = s.split(":").into_iter(); let mut parts = s.split(':');
match parts.next() { match parts.next() {
Some("ask") | Some("Ask") => InputSalt::AskPassword, Some("ask") | Some("Ask") => SecretInput::AskPassword,
Some("file") => InputSalt::File { Some("file") => SecretInput::File {
path: parts.collect::<Vec<_>>().join(":").into(), path: parts.collect::<Vec<_>>().join(":").into(),
}, },
Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")), Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
_ => Self::default(), _ => Self::default(),
} }
} }
} }
impl FromStr for InputSalt { impl FromStr for SecretInput {
type Err = Fido2LuksError; type Err = Fido2LuksError;
fn from_str(s: &str) -> Result<Self, Self::Err> { fn from_str(s: &str) -> Result<Self, Self::Err> {
@@ -44,21 +45,54 @@ impl FromStr for InputSalt {
} }
} }
impl fmt::Display for InputSalt { impl fmt::Display for SecretInput {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
f.write_str(&match self { f.write_str(&match self {
InputSalt::AskPassword => "ask".to_string(), SecretInput::AskPassword => "ask".to_string(),
InputSalt::String(s) => ["string", s].join(":"), SecretInput::String(s) => ["string", s].join(":"),
InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"), SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
}) })
} }
} }
impl InputSalt { impl SecretInput {
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> { pub fn obtain_string(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<String> {
Ok(String::from_utf8(self.obtain(password_helper)?)?)
}
pub fn obtain(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<Vec<u8>> {
let mut secret = Vec::new();
match self {
SecretInput::File { path } => {
//TODO: replace with try_blocks
let mut do_io = || File::open(path)?.read_to_end(&mut secret);
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
SecretInput::AskPassword => secret.extend_from_slice(
password_helper.ok_or_else(|| Fido2LuksError::AskPassError {
cause: AskPassError::FailedHelper,
})?()?
.as_bytes(),
),
SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
}
Ok(secret)
}
pub fn obtain_sha256(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<[u8; 32]> {
let mut digest = digest::Context::new(&digest::SHA256); let mut digest = digest::Context::new(&digest::SHA256);
match self { match self {
InputSalt::File { path } => { SecretInput::File { path } => {
let mut do_io = || { let mut do_io = || {
let mut reader = File::open(path)?; let mut reader = File::open(path)?;
let mut buf = [0u8; 512]; let mut buf = [0u8; 512];
@@ -73,10 +107,7 @@ impl InputSalt {
}; };
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?; do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
} }
InputSalt::AskPassword => { _ => digest.update(self.obtain(password_helper)?.as_slice()),
digest.update(password_helper.obtain()?.as_bytes());
}
InputSalt::String(s) => digest.update(s.as_bytes()),
} }
let mut salt = [0u8; 32]; let mut salt = [0u8; 32];
salt.as_mut().copy_from_slice(digest.finish().as_ref()); salt.as_mut().copy_from_slice(digest.finish().as_ref());
@@ -84,9 +115,10 @@ impl InputSalt {
} }
} }
#[derive(Debug, Clone)] #[derive(Debug, Clone, PartialEq, Eq)]
pub enum PasswordHelper { pub enum PasswordHelper {
Script(String), Script(String),
#[allow(dead_code)]
Systemd, Systemd,
Stdin, Stdin,
} }
@@ -132,12 +164,13 @@ impl PasswordHelper {
use PasswordHelper::*; use PasswordHelper::*;
match self { match self {
Systemd => unimplemented!(), Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?), Stdin => Ok(util::read_password("Password", true, false)?),
Script(password_helper) => { Script(password_helper) => {
let mut helper_parts = password_helper.split(" "); let password = Command::new("sh")
.arg("-c")
let password = Command::new((&mut helper_parts).next().unwrap()) .arg(&password_helper)
.args(helper_parts) .stdin(Stdio::inherit())
.stderr(Stdio::inherit())
.output() .output()
.map_err(|e| Fido2LuksError::AskPassError { .map_err(|e| Fido2LuksError::AskPassError {
cause: error::AskPassError::IO(e), cause: error::AskPassError::IO(e),
@@ -157,24 +190,30 @@ mod test {
#[test] #[test]
fn input_salt_from_str() { fn input_salt_from_str() {
assert_eq!( assert_eq!(
"file:/tmp/abc".parse::<InputSalt>().unwrap(), "file:/tmp/abc".parse::<SecretInput>().unwrap(),
InputSalt::File { SecretInput::File {
path: "/tmp/abc".into() path: "/tmp/abc".into()
} }
); );
assert_eq!( assert_eq!(
"string:abc".parse::<InputSalt>().unwrap(), "string:abc".parse::<SecretInput>().unwrap(),
InputSalt::String("abc".into()) SecretInput::String("abc".into())
);
assert_eq!(
"ask".parse::<SecretInput>().unwrap(),
SecretInput::AskPassword
);
assert_eq!(
"lol".parse::<SecretInput>().unwrap(),
SecretInput::default()
); );
assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
} }
#[test] #[test]
fn input_salt_obtain() { fn input_salt_obtain() {
assert_eq!( assert_eq!(
InputSalt::String("abc".into()) SecretInput::String("abc".into())
.obtain(&PasswordHelper::Stdin) .obtain_sha256(Some(|| Ok("123456".to_string())))
.unwrap(), .unwrap(),
[ [
186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97, 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

329
src/cli_args/mod.rs Normal file
View File

@@ -0,0 +1,329 @@
use std::fmt::{Display, Error, Formatter};
use std::hash::{Hash, Hasher};
use std::path::PathBuf;
use std::str::FromStr;
use structopt::clap::{AppSettings, Shell};
use structopt::StructOpt;
mod config;
pub use config::*;
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>);
impl Display for HexEncoded {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
f.write_str(&hex::encode(&self.0))
}
}
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded {
type Err = hex::FromHexError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(HexEncoded(hex::decode(s)?))
}
}
impl Hash for HexEncoded {
fn hash<H: Hasher>(&self, state: &mut H) {
self.0.hash(state)
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
impl<T: Display + FromStr> Display for CommaSeparated<T> {
fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
for i in &self.0 {
f.write_str(&i.to_string())?;
f.write_str(",")?;
}
Ok(())
}
}
impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
type Err = <T as FromStr>::Err;
fn from_str(s: &str) -> Result<Self, Self::Err> {
Ok(CommaSeparated(
s.split(',')
.map(|part| <T as FromStr>::from_str(part))
.collect::<Result<Vec<_>, _>>()?,
))
}
}
#[derive(Debug, StructOpt)]
pub struct Credentials {
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
pub ids: Option<CommaSeparated<HexEncoded>>,
}
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator if required
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Request PIN and password combined `pin:password` when using an password helper
#[structopt(long = "pin-prefixed")]
pub pin_prefixed: bool,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
pub device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
pub slot: Option<u32>,
/// Disable implicit use of LUKS2 tokens
#[structopt(
long = "disable-token",
// env = "FIDO2LUKS_DISABLE_TOKEN" // unfortunately clap will convert flags into args if they have an env attribute
)]
pub disable_token: bool,
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksModParameters {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time", env = "FIDO2LUKS_KDF_TIME")]
pub kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask'
///
/// Options:{n}
/// - ask : Prompt user using password helper{n}
/// - file:<PATH> : Will read <FILE>{n}
/// - string:<STRING> : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
#[structopt(
name = "salt",
long = "salt",
env = "FIDO2LUKS_SALT",
default_value = "ask"
)]
pub salt: SecretInput,
/// Script used to obtain passwords, overridden by --interactive flag
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
long = "password-helper"
)]
pub password_helper: Option<PasswordHelper>,
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(short = "v", long = "verbose")]
pub verbose: bool,
#[structopt(subcommand)]
pub command: Command,
}
#[derive(Debug, StructOpt, Clone)]
pub struct OtherSecret {
/// Use a keyfile instead of a password
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
pub keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential for the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
pub fido_device: bool,
}
#[derive(Debug, StructOpt)]
pub enum Command {
#[structopt(name = "print-secret")]
PrintSecret {
// version 0.3.0 will store use the lower case ascii encoded hex string making binary output unnecessary
/// Prints the secret as binary instead of hex encoded
#[structopt(hidden = true, short = "b", long = "bin")]
binary: bool,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Load credentials from LUKS header
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: Option<PathBuf>,
},
/// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")]
AddKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Will generate an credential while adding a new key to this LUKS device if supported
#[structopt(short = "g", long = "gen-cred")]
generate_credential: bool,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Replace a previously added key with a password
#[structopt(name = "replace-key")]
ReplaceKey {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Remove the affected credential from LUKS header
#[structopt(short = "r", long = "remove-cred")]
remove_cred: bool,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Open the LUKS device
#[structopt(name = "open", alias = "open-token")]
Open {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Perform the whole procedure without mounting the LUKS volume on success
#[structopt(long = "dry-run")]
dry_run: bool,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")]
name: String,
},
/// Check if an authenticator is connected
#[structopt(name = "connected")]
Connected,
Token(TokenCommand),
/// Generate bash completion scripts
/// Example: fido2luks completions --shell bash /usr/share/bash-completion/completions
#[structopt(name = "completions", setting = AppSettings::Hidden)]
GenerateCompletions {
/// Shell to generate completions for
#[structopt(short = "s", long = "shell",possible_values = &Shell::variants()[..])]
shell: Option<String>,
out_dir: PathBuf,
},
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
credentials: CommaSeparated<HexEncoded>,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
credentials: CommaSeparated<HexEncoded>,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
}

202
src/device.rs
View File

@@ -1,103 +1,133 @@
use crate::error::*; use crate::error::*;
use crate::util::sha256;
use ctap::{ use crate::util;
self, use ctap_hid_fido2;
extensions::hmac::{FidoHmacCredential, HmacExtension}, use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity, use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
PublicKeyCredentialUserEntity, use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
}; use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
use ctap_hid_fido2::get_fidokey_devices;
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
use ctap_hid_fido2::FidoKeyHidFactory;
use ctap_hid_fido2::HidInfo;
use ctap_hid_fido2::LibCfg;
use std::time::Duration;
const RP_ID: &'static str = "fido2luks"; const RP_ID: &str = "fido2luks";
fn authenticator_options() -> Option<AuthenticatorOptions> { fn lib_cfg() -> LibCfg {
Some(AuthenticatorOptions { let mut cfg = LibCfg::init();
uv: false, //TODO: should get this from config cfg.enable_log = false;
rk: true, cfg.keep_alive_msg = String::new();
cfg
}
pub fn make_credential_id(
name: Option<&str>,
pin: Option<&str>,
exclude: &[&PublicKeyCredentialDescriptor],
) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
.extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
}
for cred in exclude {
req = req.exclude_authenticator(cred.id.as_ref());
}
if let Some(_) = name {
req = req.user_entity(&PublicKeyCredentialUserEntity::new(
Some(b"00"),
name.clone(),
name,
));
}
let devices = get_devices()?;
let mut err: Option<Fido2LuksError> = None;
let req = req.build();
for dev in devices {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
match handle.make_credential_with_args(&req) {
Ok(resp) => return Ok(resp.credential_descriptor),
Err(e) => err = Some(e.into()),
}
}
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
}
pub fn perform_challenge<'a>(
credentials: &'a [&'a PublicKeyCredentialDescriptor],
salt: &[u8; 32],
_timeout: Duration,
pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials);
}
let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
]);
for cred in credentials {
req = req.add_credential_id(&cred.id);
}
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
}
let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
for att in resp {
for ext in att.extensions.iter() {
match ext {
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
//TODO: eliminate unwrap
let cred_used = credentials
.iter()
.copied()
.find(|cred| {
att.credential_id == cred.id
}) })
} .unwrap();
return Ok((secret.clone(), cred_used));
fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
PublicKeyCredentialRpEntity {
id: RP_ID,
name: None,
icon: None,
} }
} _ => continue,
fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
PublicKeyCredentialUserEntity {
id: &[0u8],
name: name.unwrap_or(""),
icon: None,
display_name: name,
}
}
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
let mut errs = Vec::new();
match get_devices()? {
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
devs => {
for mut dev in devs.into_iter() {
match dev
.make_hmac_credential_full(
authenticator_rp(),
authenticator_user(name),
&[0u8; 32],
&[],
authenticator_options(),
)
.map(|cred| cred.into())
{
//TODO: make credentials device specific
Ok(cred) => {
return Ok(cred);
}
Err(e) => {
errs.push(e);
} }
} }
} }
} Err(Fido2LuksError::WrongSecret)
}
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
}
pub fn perform_challenge(credential_id: &[u8], salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
let cred = FidoHmacCredential {
id: credential_id.to_vec(),
rp_id: RP_ID.to_string(),
}; };
let mut errs = Vec::new();
match get_devices()? { let devices = get_devices()?;
ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?, let mut err: Option<Fido2LuksError> = None;
devs => { let req = req.build();
for mut dev in devs.into_iter() { for dev in devices {
match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) { let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
Ok(secret) => { match handle.get_assertion_with_args(&req) {
return Ok(secret.0); Ok(resp) => return process_response(resp),
} Err(e) => err = Some(e.into()),
Err(e) => {
errs.push(e);
} }
} }
} Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
}
}
Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
} }
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn may_require_pin() -> Fido2LuksResult<bool> {
let mut devices = Vec::with_capacity(2); for dev in get_devices()? {
for di in ctap::get_devices()? { let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
match FidoDevice::new(&di) { let info = handle.get_info()?;
Err(e) => match e.kind() { let needs_pin = info
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (), .options
err => Err(FidoError::from(err))?, .iter()
}, .any(|(name, val)| &name[..] == "clientPin" && *val);
Ok(dev) => devices.push(dev), if needs_pin {
return Ok(true);
} }
} }
Ok(devices) Ok(false)
}
pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> {
Ok(get_fidokey_devices())
} }

65
src/error.rs
View File

@@ -1,5 +1,9 @@
use ctap::FidoError; use anyhow;
use libcryptsetup_rs::LibcryptErr;
use std::io; use std::io;
use std::io::ErrorKind;
use std::string::FromUtf8Error;
use Fido2LuksError::*;
pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>; pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
@@ -10,19 +14,31 @@ pub enum Fido2LuksError {
#[fail(display = "unable to read keyfile: {}", cause)] #[fail(display = "unable to read keyfile: {}", cause)]
KeyfileError { cause: io::Error }, KeyfileError { cause: io::Error },
#[fail(display = "authenticator error: {}", cause)] #[fail(display = "authenticator error: {}", cause)]
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: anyhow::Error },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = "luks err")] #[fail(display = " {}", cause)]
LuksError { CryptsetupError {
cause: libcryptsetup_rs::LibcryptErr, cause: libcryptsetup_rs::LibcryptErr,
}, },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "{}", cause)]
LuksError { cause: LuksError },
#[fail(display = "{}", cause)]
IoError { cause: io::Error }, IoError { cause: io::Error },
#[fail(display = "supplied secret isn't valid for this device")] #[fail(display = "supplied secret isn't valid for this device")]
WrongSecret, WrongSecret,
#[fail(display = "not an utf8 string")] #[fail(display = "not an utf8 string")]
StringEncodingError { cause: FromUtf8Error }, StringEncodingError { cause: FromUtf8Error },
#[fail(display = "not an hex string: {}", string)]
HexEncodingError { string: String },
#[fail(display = "couldn't obtain at least one credential")]
InsufficientCredentials,
}
impl From<anyhow::Error> for Fido2LuksError {
fn from(cause: anyhow::Error) -> Self {
Fido2LuksError::AuthenticatorError { cause }
}
} }
impl Fido2LuksError { impl Fido2LuksError {
@@ -44,15 +60,40 @@ pub enum AskPassError {
IO(io::Error), IO(io::Error),
#[fail(display = "provided passwords don't match")] #[fail(display = "provided passwords don't match")]
Mismatch, Mismatch,
#[fail(display = "failed to call password helper")]
FailedHelper,
} }
use libcryptsetup_rs::LibcryptErr; #[derive(Debug, Fail)]
use std::string::FromUtf8Error; pub enum LuksError {
use Fido2LuksError::*; #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
Luks2Required,
#[fail(display = "Invalid token: {}", _0)]
InvalidToken(String),
#[fail(display = "No token found")]
NoToken,
#[fail(display = "The device already exists")]
DeviceExists,
}
impl From<FidoError> for Fido2LuksError { impl LuksError {
fn from(e: FidoError) -> Self { pub fn activate(e: LibcryptErr) -> Fido2LuksError {
AuthenticatorError { cause: e } match e {
LibcryptErr::IOError(ref io) => match io.raw_os_error() {
Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
Some(17) => Fido2LuksError::LuksError {
cause: LuksError::DeviceExists,
},
_ => return Fido2LuksError::CryptsetupError { cause: e },
},
_ => Fido2LuksError::CryptsetupError { cause: e },
}
}
}
impl From<LuksError> for Fido2LuksError {
fn from(e: LuksError) -> Self {
Fido2LuksError::LuksError { cause: e }
} }
} }
@@ -62,7 +103,7 @@ impl From<LibcryptErr> for Fido2LuksError {
LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => { LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
WrongSecret WrongSecret
} }
_ => LuksError { cause: e }, _ => CryptsetupError { cause: e },
} }
} }
} }

391
src/luks.rs
View File

@@ -1,85 +1,366 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo}; use libcryptsetup_rs::{
CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
EncryptionFormat, KeyslotInfo, TokenInput,
};
use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { pub struct LuksDevice {
device: CryptDevice,
luks2: Option<bool>,
}
impl LuksDevice {
pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
let mut device = CryptInit::init(path.as_ref())?; let mut device = CryptInit::init(path.as_ref())?;
//TODO: determine luks version some way other way than just trying device.context_handle().load::<()>(None, None)?;
let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ()); Ok(Self {
vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1] device,
.into_iter() luks2: None,
.fold(None, |res, format| match res {
Some(Ok(())) => res,
Some(e) => Some(e.or(load(format))),
None => Some(load(format)),
}) })
.unwrap()?; }
Ok(device)
}
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> { pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
let mut device = load_device_handle(path)?; if let Some(luks2) = self.luks2 {
device Ok(luks2)
.activate_handle() } else {
.activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty()) self.luks2 = Some(match self.device.format_handle().get_type()? {
.map(|_slot| ()) EncryptionFormat::Luks2 => true,
.map_err(|_e| Fido2LuksError::WrongSecret) _ => false,
} });
self.is_luks2()
}
}
pub fn add_key<P: AsRef<Path>>( fn require_luks2(&mut self) -> Fido2LuksResult<()> {
path: P, if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
Ok(())
}
pub fn tokens<'a>(
&'a mut self,
) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
{
self.require_luks2()?;
Ok(Box::new(
(0..32)
.map(move |i| {
let status = match self.device.token_handle().status(i) {
Ok(status) => status,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
match status {
CryptTokenInfo::Inactive => return None,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != Fido2LuksToken::default_type() =>
{
return None
}
_ => (),
};
let json = match self.device.token_handle().json_get(i) {
Ok(json) => json,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
let info: Fido2LuksToken =
match serde_json::from_value(json.clone()).map_err(|_| {
Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
}
}) {
Ok(info) => info,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
Some(Ok((i, info)))
})
.filter_map(|o| o),
))
}
pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
let slot_str = slot.to_string();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot_str) {
return Ok(Some((id, token)));
}
}
Ok(None)
}
pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
Ok(())
}
pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::RemoveToken(token))?;
Ok(())
}
pub fn remove_token_slot(&mut self, slot: u32) -> Fido2LuksResult<()> {
let mut remove = HashSet::new();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
remove.insert(id);
}
}
for rm in remove {
self.remove_token(rm)?;
}
Ok(())
}
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&data).unwrap(),
))?;
Ok(())
}
pub fn add_key(
&mut self,
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
) -> Fido2LuksResult<u32> { credential_id: Option<&[u8]>,
let mut device = load_device_handle(path)?; comment: Option<String>,
// Set iteration time not sure wether this applies to luks2 as well ) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis) self.device.settings_handle().set_iteration_time(millis)
}
let slot = self
.device
.keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(),
))?;
} }
let slot = device
.keyslot_handle(None)
.add_by_passphrase(old_secret, secret)?;
Ok(slot)
}
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> { Ok(slot)
let mut device = load_device_handle(path)?; }
let mut slot = 0;
let mut handle; pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut destroyed = 0; let mut destroyed = 0;
loop { let mut tokens = Vec::new();
handle = device.keyslot_handle(Some(slot)); for slot in 0..256 {
match handle.status()? { match self.device.keyslot_handle().status(slot)? {
KeyslotInfo::Inactive => continue, KeyslotInfo::Inactive => continue,
KeyslotInfo::Active if !exclude.contains(&slot) => { KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
handle.destroy()?; if self.is_luks2()? {
if let Some((id, _token)) = self.find_token(slot)? {
tokens.push(id);
}
}
self.device.keyslot_handle().destroy(slot)?;
destroyed += 1; destroyed += 1;
} }
_ => (),
}
match handle.status()? {
KeyslotInfo::ActiveLast => break, KeyslotInfo::ActiveLast => break,
_ => (), _ => (),
} }
slot += 1; if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break;
}
}
// Ensure indices stay valid
tokens.sort();
for token in tokens.iter().rev() {
self.remove_token(*token)?;
} }
Ok(destroyed) Ok(destroyed)
} }
pub fn replace_key<P: AsRef<Path>>( pub fn replace_key(
path: P, &mut self,
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
) -> Fido2LuksResult<u32> { credential_id: Option<&[u8]>,
let mut device = load_device_handle(path)?; ) -> Fido2LuksResult<u32> {
// Set iteration time not sure wether this applies to luks2 as well
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis) self.device.settings_handle().set_iteration_time(millis)
}
// Use activate dry-run to locate keyslot
let slot = self.device.activate_handle().activate_by_passphrase(
None,
None,
old_secret,
CryptActivateFlags::empty(),
)?;
// slot should stay the same but better be safe than sorry
let slot = self.device.keyslot_handle().change_by_passphrase(
Some(slot),
Some(slot),
old_secret,
secret,
)? as u32;
if let Some(id) = credential_id {
if self.is_luks2()? {
let (token_id, token_data) = match self.find_token(slot)? {
Some((id, data)) => (Some(id), Some(data)),
_ => (None, None),
};
let json = serde_json::to_value(&Fido2LuksToken::new(
id,
slot,
// retain comment on replace
token_data.map(|data| data.comment).flatten(),
))
.unwrap();
if let Some(token) = token_id {
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?;
} else {
self.device
.token_handle()
.json_set(TokenInput::AddToken(&json))?;
}
}
}
Ok(slot)
}
pub fn activate(
&mut self,
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
dry_run: bool,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
let mut flags = CryptActivateFlags::empty();
if allow_discard {
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
}
self.device
.activate_handle()
.activate_by_passphrase(Some(name).filter(|_| !dry_run), slot_hint, secret, flags)
.map_err(LuksError::activate)
}
pub fn activate_token(
&mut self,
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
dry_run: bool,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
for token in self.tokens()? {
let token = match token {
Ok((_id, t)) => t,
_ => continue, // An corrupted token should't lock the user out
};
let slots = || {
token
.keyslots
.iter()
.filter_map(|slot| slot.parse::<u32>().ok())
};
for cred in token.credential.iter() {
creds
.entry(cred.clone())
.or_insert_with(|| slots().collect::<HashSet<u32>>())
.extend(slots());
}
}
if creds.is_empty() {
return Err(Fido2LuksError::LuksError {
cause: LuksError::NoToken,
});
}
let (secret, credential) = secret(creds.keys().cloned().collect())?;
let empty;
let slots = if let Some(slots) = creds.get(&credential) {
slots
} else {
empty = HashSet::new();
&empty
};
//Try slots associated with the credential used
let slots = slots.iter().cloned().map(Option::Some).chain(
std::iter::once(slot_hint) // Try slot hint if there is one
.take(slot_hint.is_some() as usize)
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot, dry_run, allow_discard) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
}
Err(Fido2LuksError::WrongSecret)
}
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Fido2LuksToken {
#[serde(rename = "type")]
pub type_: String,
pub credential: HashSet<String>,
pub keyslots: HashSet<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
}
impl Fido2LuksToken {
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot, comment)
}
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I,
slot: u32,
comment: Option<String>,
) -> Self {
Self {
credential: credentials
.into_iter()
.map(|cred| hex::encode(cred.as_ref()))
.collect(),
keyslots: vec![slot.to_string()].into_iter().collect(),
comment,
..Default::default()
}
}
pub fn default_type() -> &'static str {
"fido2luks"
}
}
impl Default for Fido2LuksToken {
fn default() -> Self {
Self {
type_: Self::default_type().into(),
credential: HashSet::new(),
keyslots: HashSet::new(),
comment: None,
}
} }
Ok(device
.keyslot_handle(None)
.change_by_passphrase(None, None, old_secret, secret)? as u32)
} }

31
src/main.rs
View File

@@ -1,51 +1,26 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap; #[macro_use]
extern crate serde_derive;
use crate::cli::*; use crate::cli::*;
use crate::config::*;
use crate::device::*; use crate::device::*;
use crate::error::*; use crate::error::*;
use std::io; use std::io;
use std::path::PathBuf;
use std::process::exit; use std::process::exit;
mod cli; mod cli;
mod config; pub mod cli_args;
mod device; mod device;
mod error; mod error;
mod luks; mod luks;
mod util; mod util;
fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
util::sha256(&[salt, hmac_result])
}
fn main() -> Fido2LuksResult<()> { fn main() -> Fido2LuksResult<()> {
match run_cli() { match run_cli() {
Err(e) => { Err(e) => {
#[cfg(debug_assertions)]
eprintln!("{:?}", e); eprintln!("{:?}", e);
#[cfg(not(debug_assertions))]
eprintln!("{}", e);
exit(e.exit_code()) exit(e.exit_code())
} }
_ => exit(0), _ => exit(0),
} }
} }
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_assemble_secret() {
assert_eq!(
assemble_secret(b"abc", b"def"),
[
46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
]
)
}
}

0
src/setup.rs
View File

18
src/util.rs
View File

@@ -4,7 +4,7 @@ use std::fs::File;
use std::io::Read; use std::io::Read;
use std::path::PathBuf; use std::path::PathBuf;
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] { pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256); let mut digest = digest::Context::new(&digest::SHA256);
for m in messages.iter() { for m in messages.iter() {
digest.update(m); digest.update(m);
@@ -13,9 +13,17 @@ pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
secret.as_mut().copy_from_slice(digest.finish().as_ref()); secret.as_mut().copy_from_slice(digest.finish().as_ref());
secret secret
} }
pub fn read_password_tty(q: &str, verify: bool) -> Fido2LuksResult<String> {
pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> { read_password(q, verify, true)
match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? { }
pub fn read_password(q: &str, verify: bool, tty: bool) -> Fido2LuksResult<String> {
let res = if tty {
rpassword::read_password_from_tty(Some(&[q, ": "].join("")))
} else {
print!("{}: ", q);
rpassword::read_password()
}?;
match res {
ref pass ref pass
if verify if verify
&& &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))? && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
@@ -23,7 +31,7 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
{ {
Err(Fido2LuksError::AskPassError { Err(Fido2LuksError::AskPassError {
cause: AskPassError::Mismatch, cause: AskPassError::Mismatch,
})? })
} }
pass => Ok(pass), pass => Ok(pass),
} }