shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:luks2_token
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
...
compare: shimun:0.2.9
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

18 Commits
luks2_toke ... 0.2.9

Author SHA1 Message Date
shimun
a498e1416f automate cargo publish
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is failing
Details
2020-06-23 23:55:07 +02:00
shimun
92e413de50 refactored luks operations
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-06-22 20:47:19 +00:00
shimun
023399bb14 use unstable cryptsetup
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-22 18:17:10 +02:00
shimun
a53a430c23 update drone
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-21 22:16:45 +02:00
shimun
5f107cd337 add non existing token
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-06-19 20:09:36 +02:00
shimun
ddfd24a098 ensure replace_key uses the same slot 2020-06-19 20:05:05 +02:00
shimun
743edf668a document --token 2020-06-13 14:35:46 +02:00
shimun
4507107fac update libcryptsetup-rs 2020-06-10 13:50:28 +02:00
shimun
a8482c50a2 handle tokens when replacing 2020-06-08 19:22:19 +02:00
shimun
09be5ef551 assemble secret in correct order 2020-06-08 18:08:24 +02:00
shimun
6f6c84ddba skip luks2 check until underlying issue is fixed 2020-06-07 14:14:51 +02:00
shimun
5a05cad695 more precise description 2020-06-06 23:39:23 +02:00
shimun
d8d24b40f5 Merge branch 'cli_reorg' 2020-06-06 23:37:22 +02:00
shimun
a26b79bcd6 reduced redundant code 2020-05-05 23:53:50 +02:00
shimun
69732a1ad6 restore order 2020-04-29 20:33:28 +02:00
shimun
b8ae9d91f0 rudimentary pin support 2020-04-29 19:56:18 +02:00
shimun
fcdd2a2d3d add option to specify keyslot 2020-04-29 18:55:25 +02:00
shimun
c3d6425e2d reorganised cli 2020-04-29 18:50:55 +02:00
11 changed files with 849 additions and 489 deletions
Expand all files Collapse all files

33
.drone.yml
View File

@@ -3,32 +3,27 @@ name: default
steps: steps:
- name: fmt - name: fmt
image: rust:1.37.0 image: rust:1.43.0
commands: commands:
- rustup component add rustfmt - rustup component add rustfmt
- cargo fmt --all -- --check - cargo fmt --all -- --check
- name: test - name: test
image: rust:1.37.0 image: rust:1.43.0
commands: commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
- echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
- cargo test - cargo test
- name: build
image: rust:1.37.0
commands:
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev
- cargo install -f --path . --root .
when:
event: tag
- name: publish - name: publish
image: plugins/github-release image: rust:1.43.0
settings: environment:
api_key: CARGO_REGISTRY_TOKEN:
from_secret: github_release from_secret: cargo_tkn
files: commands:
- bin/fido2luks - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
checksum: - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
- md5 - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
- sha256 - cargo package --all-features
- cargo publish --all-features
when: when:
event: tag event: tag

6
Cargo.lock generated
View File

@@ -369,7 +369,7 @@ dependencies = [
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.8" version = "0.2.9"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",
@@ -472,9 +472,9 @@ checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
[[package]] [[package]]
name = "libcryptsetup-rs" name = "libcryptsetup-rs"
version = "0.4.0" version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "286a440a894fafd96c841b61c73e2053ff5b4d456820b3e04f7e88c4e8636a6b" checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b"
dependencies = [ dependencies = [
"either", "either",
"libc", "libc",

4
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.8" version = "0.2.9"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -20,7 +20,7 @@ ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = "0.4.0" libcryptsetup-rs = "0.4.1"
serde_json = "1.0.51" serde_json = "1.0.51"
serde_derive = "1.0.106" serde_derive = "1.0.106"
serde = "1.0.106" serde = "1.0.106"

4
README.md
View File

@@ -30,6 +30,8 @@ set -a
. /etc/fido2luks.conf . /etc/fido2luks.conf
# Repeat for each luks volume # Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID> sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
# Test(only works if the luks container isn't active) # Test(only works if the luks container isn't active)
@@ -71,6 +73,8 @@ Just reboot and see if it works, if that's the case you should remove your old l
# Recommend in case you lose your authenticator, store this backupfile somewhere safe # Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID> cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup # There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
# which will enable you to use `fido2luks open-token` without passing a credential as parameter
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID> fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
``` ```

661
src/cli.rs
View File

@@ -1,5 +1,4 @@
use crate::error::*; use crate::error::*;
use crate::luks;
use crate::*; use crate::*;
use structopt::StructOpt; use structopt::StructOpt;
@@ -12,7 +11,10 @@ use std::io::Write;
use std::process::exit; use std::process::exit;
use std::thread; use std::thread;
use crate::util::read_password; use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256;
use std::borrow::Cow;
use std::collections::HashSet;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] #[derive(Debug, Eq, PartialEq, Clone)]
@@ -24,6 +26,12 @@ impl Display for HexEncoded {
} }
} }
impl AsRef<[u8]> for HexEncoded {
fn as_ref(&self) -> &[u8] {
&self.0[..]
}
}
impl FromStr for HexEncoded { impl FromStr for HexEncoded {
type Err = hex::FromHexError; type Err = hex::FromHexError;
@@ -57,19 +65,48 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
} }
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub struct Args { pub struct Credentials {
/// Request passwords via Stdin instead of using the password helper /// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(short = "i", long = "interactive")] #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub interactive: bool, pub ids: CommaSeparated<HexEncoded>,
#[structopt(subcommand)] }
pub command: Command,
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_time: u64,
}
#[derive(Debug, StructOpt)]
pub struct LuksParameters {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: Option<u32>,
} }
#[derive(Debug, StructOpt, Clone)] #[derive(Debug, StructOpt, Clone)]
pub struct SecretGeneration { pub struct LuksModParameters {
/// FIDO credential ids, seperated by ',' generate using fido2luks credential /// Number of milliseconds required to derive the volume decryption key
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")] /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
pub credential_ids: CommaSeparated<HexEncoded>, #[structopt(long = "kdf-time", name = "kdf-time")]
kdf_time: Option<u64>,
}
#[derive(Debug, StructOpt)]
pub struct SecretParameters {
/// Salt for secret generation, defaults to 'ask' /// Salt for secret generation, defaults to 'ask'
/// ///
/// Options:{n} /// Options:{n}
@@ -90,58 +127,15 @@ pub struct SecretGeneration {
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'" default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
)] )]
pub password_helper: PasswordHelper, pub password_helper: PasswordHelper,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
long = "await-dev",
name = "await-dev",
env = "FIDO2LUKS_DEVICE_AWAIT",
default_value = "15"
)]
pub await_authenticator: u64,
/// Request the password twice to ensure it being correct
#[structopt(
long = "verify-password",
env = "FIDO2LUKS_VERIFY_PASSWORD",
hidden = true
)]
pub verify_password: Option<bool>,
} }
impl SecretGeneration { fn derive_secret(
pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self { credentials: &[HexEncoded],
let mut me = self.clone(); salt: &[u8; 32],
if args.interactive { timeout: u64,
me.password_helper = PasswordHelper::Stdin; pin: Option<&str>,
} ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
me.verify_password = me.verify_password.or(verify_password); let timeout = Duration::from_secs(timeout);
me
}
pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
self.obtain_secret_and_credential(password_query)
.map(|(secret, _)| secret)
}
pub fn obtain_secret_and_credential(
&self,
password_query: &str,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
let mut salt = [0u8; 32];
match self.password_helper {
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
salt.copy_from_slice(&util::sha256(&[&read_password(
password_query,
self.verify_password.unwrap_or(true),
)?
.as_bytes()[..]]));
}
_ => {
salt = self.salt.obtain(&self.password_helper)?;
}
}
let timeout = Duration::from_secs(self.await_authenticator);
let start = SystemTime::now(); let start = SystemTime::now();
while let Ok(el) = start.elapsed() { while let Ok(el) = start.elapsed() {
@@ -156,28 +150,32 @@ impl SecretGeneration {
} }
thread::sleep(Duration::from_millis(500)); thread::sleep(Duration::from_millis(500));
} }
let credentials = &self
.credential_ids let credentials = credentials
.0
.iter() .iter()
.map(|HexEncoded(id)| FidoCredential { .map(|hex| FidoCredential {
id: id.to_vec(), id: hex.0.clone(),
public_key: None, public_key: None,
}) })
.collect::<Vec<_>>(); .collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>(); let credentials = credentials.iter().collect::<Vec<_>>();
let (secret, credential) = let (unsalted, cred) =
perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?; perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
Ok((assemble_secret(&secret, &salt), credential.clone()))
} Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
} }
#[derive(Debug, StructOpt, Clone)] fn read_pin() -> Fido2LuksResult<String> {
pub struct LuksSettings { util::read_password("Authenticator PIN", false)
/// Number of milliseconds required to derive the volume decryption key }
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")] #[derive(Debug, StructOpt)]
kdf_time: Option<u64>, pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(subcommand)]
pub command: Command,
} }
#[derive(Debug, StructOpt, Clone)] #[derive(Debug, StructOpt, Clone)]
@@ -191,24 +189,6 @@ pub struct OtherSecret {
fido_device: bool, fido_device: bool,
} }
impl OtherSecret {
pub fn obtain(
&self,
secret_gen: &SecretGeneration,
verify_password: bool,
password_question: &str,
) -> Fido2LuksResult<Vec<u8>> {
match &self.keyfile {
Some(keyfile) => util::read_keyfile(keyfile.clone()),
None if self.fido_device => {
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
}
None => util::read_password(password_question, verify_password)
.map(|p| p.as_bytes().to_vec()),
}
}
}
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
pub enum Command { pub enum Command {
#[structopt(name = "print-secret")] #[structopt(name = "print-secret")]
@@ -217,13 +197,23 @@ pub enum Command {
#[structopt(short = "b", long = "bin")] #[structopt(short = "b", long = "bin")]
binary: bool, binary: bool,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
}, },
/// Adds a generated key to the specified LUKS device /// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")] #[structopt(name = "add-key")]
AddKey { AddKey {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Will wipe all other keys /// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")] #[structopt(short = "e", long = "exclusive")]
exclusive: bool, exclusive: bool,
@@ -233,52 +223,65 @@ pub enum Command {
#[structopt(flatten)] #[structopt(flatten)]
existing_secret: OtherSecret, existing_secret: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, luks_mod: LuksModParameters,
#[structopt(flatten)]
luks_settings: LuksSettings,
}, },
/// Replace a previously added key with a password /// Replace a previously added key with a password
#[structopt(name = "replace-key")] #[structopt(name = "replace-key")]
ReplaceKey { ReplaceKey {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Add the password and keep the key /// Add the password and keep the key
#[structopt(short = "a", long = "add-password")] #[structopt(short = "a", long = "add-password")]
add_password: bool, add_password: bool,
// /// Will add an token to your LUKS 2 header, including the credential id /// Will add an token to your LUKS 2 header, including the credential id
// #[structopt(short = "t", long = "token")] #[structopt(short = "t", long = "token")]
// token: bool, token: bool,
#[structopt(flatten)] #[structopt(flatten)]
replacement: OtherSecret, replacement: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, luks_mod: LuksModParameters,
#[structopt(flatten)]
luks_settings: LuksSettings,
}, },
/// Open the LUKS device /// Open the LUKS device
#[structopt(name = "open")] #[structopt(name = "open")]
Open { Open {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")] #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String, name: String,
#[structopt(flatten)]
credentials: Credentials,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")] #[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32, retries: i32,
#[structopt(flatten)]
secret_gen: SecretGeneration,
}, },
/// Open the LUKS device using information embedded into the LUKS 2 header /// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")] #[structopt(name = "open-token")]
OpenToken { OpenToken {
#[structopt(env = "FIDO2LUKS_DEVICE")] #[structopt(flatten)]
device: PathBuf, luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")] #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String, name: String,
salt: String, #[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
}, },
/// Generate a new FIDO credential /// Generate a new FIDO credential
#[structopt(name = "credential")] #[structopt(name = "credential")]
Credential { Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator if it has a display /// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")] #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>, name: Option<String>,
@@ -286,6 +289,45 @@ pub enum Command {
/// Check if an authenticator is connected /// Check if an authenticator is connected
#[structopt(name = "connected")] #[structopt(name = "connected")]
Connected, Connected,
Token(TokenCommand),
}
///LUKS2 token related operations
#[derive(Debug, StructOpt)]
pub enum TokenCommand {
/// List all tokens associated with the specified device
List {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
/// Dump all credentials as CSV
#[structopt(long = "csv")]
csv: bool,
},
/// Add credential to a keyslot
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
},
/// Remove credentials from token(s)
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,
},
/// Remove all unassigned tokens
GC {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
},
} }
pub fn parse_cmdline() -> Args { pub fn parse_cmdline() -> Args {
@@ -295,19 +337,47 @@ pub fn parse_cmdline() -> Args {
pub fn run_cli() -> Fido2LuksResult<()> { pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout(); let mut stdout = io::stdout();
let args = parse_cmdline(); let args = parse_cmdline();
let interactive = args.interactive;
match &args.command { match &args.command {
Command::Credential { name } => { Command::Credential {
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?; authenticator,
name,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
Command::PrintSecret { Command::PrintSecret {
binary, binary,
ref secret_gen, authenticator,
credentials,
secret,
} => { } => {
let secret = secret_gen let pin_string;
.patch(&args, Some(false)) let pin = if authenticator.pin {
.obtain_secret("Password")?; pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed("Password", false)
} else {
secret.salt.obtain(&secret.password_helper)
}?;
let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(),
&salt,
authenticator.await_time,
pin,
)?;
if *binary { if *binary {
stdout.write_all(&secret[..])?; stdout.write_all(&secret[..])?;
} else { } else {
@@ -316,88 +386,186 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(stdout.flush()?) Ok(stdout.flush()?)
} }
Command::AddKey { Command::AddKey {
device, luks,
exclusive, authenticator,
credentials,
secret,
luks_mod,
existing_secret: other_secret,
token, token,
existing_secret, ..
ref secret_gen, }
luks_settings, | Command::ReplaceKey {
luks,
authenticator,
credentials,
secret,
luks_mod,
replacement: other_secret,
token,
..
} => { } => {
let secret_gen = secret_gen.patch(&args, None); let pin = if authenticator.pin {
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?; Some(read_pin()?)
let (secret, credential) = secret_gen.obtain_secret_and_credential("Password")?; } else {
let added_slot = luks::add_key( None
device.clone(), };
&secret, let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
&old_secret[..], if interactive || secret.password_helper == PasswordHelper::Stdin {
luks_settings.kdf_time.or(Some(10)), util::read_password_hashed(q, verify)
Some(&credential.id[..]).filter(|_| *token), } else {
secret.salt.obtain(&secret.password_helper)
}
};
let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
match other_secret {
OtherSecret {
keyfile: Some(file),
..
} => Ok((util::read_keyfile(file)?, None)),
OtherSecret {
fido_device: true, ..
} => Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
_ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
}
};
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
derive_secret(
&credentials.ids.0,
&salt("Password", verify)?,
authenticator.await_time,
pin.as_deref(),
)
};
let mut luks_dev = LuksDevice::load(&luks.device)?;
// Non overlap
match &args.command {
Command::AddKey { exclusive, .. } => {
let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?;
let added_slot = luks_dev.add_key(
&new_secret,
&existing_secret[..],
luks_mod.kdf_time.or(Some(10)),
Some(&cred.id[..]).filter(|_| *token),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks::remove_keyslots(&device, &[added_slot])?; let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
println!( println!(
"Added to key to device {}, slot: {}\nRemoved {} old keys", "Added to key to device {}, slot: {}\nRemoved {} old keys",
device.display(), luks.device.display(),
added_slot, added_slot,
destroyed destroyed
); );
} else { } else {
println!( println!(
"Added to key to device {}, slot: {}", "Added to key to device {}, slot: {}",
device.display(), luks.device.display(),
added_slot added_slot
); );
} }
Ok(()) Ok(())
} }
Command::ReplaceKey { Command::ReplaceKey { add_password, .. } => {
device, let (existing_secret, _) = secret(false)?;
add_password, let (replacement_secret, cred) = other_secret("Replacement password", true)?;
//token,
replacement,
ref secret_gen,
luks_settings,
} => {
let secret_gen = secret_gen.patch(&args, Some(false));
let secret = secret_gen.obtain_secret("Password")?;
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key( luks_dev.add_key(
device, &replacement_secret[..],
&new_secret[..], &existing_secret,
&secret, luks_mod.kdf_time,
luks_settings.kdf_time, cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
None,
) )
} else { } else {
luks::replace_key( luks_dev.replace_key(
device, &replacement_secret[..],
&new_secret[..], &existing_secret,
&secret, luks_mod.kdf_time,
luks_settings.kdf_time, cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
None,
) )
}?; }?;
println!( println!(
"Added to password to device {}, slot: {}", "Added to password to device {}, slot: {}",
device.display(), luks.device.display(),
slot slot
); );
Ok(()) Ok(())
} }
_ => unreachable!(),
}
}
Command::Open { Command::Open {
device, luks,
authenticator,
secret,
name,
retries,
..
}
| Command::OpenToken {
luks,
authenticator,
secret,
name, name,
retries, retries,
ref secret_gen,
} => { } => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
};
let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain(&secret.password_helper)
}
};
// Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
derive_secret(
credentials.as_ref(),
&salt("Password", false)?,
authenticator.await_time,
pin,
)
};
let mut retries = *retries; let mut retries = *retries;
let mut luks_dev = LuksDevice::load(&luks.device)?;
loop { loop {
match secret_gen let secret = match &args.command {
.patch(&args, Some(false)) Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.obtain_secret("Password") .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
.and_then(|secret| luks::open_container(&device, &name, &secret)) Command::OpenToken { .. } => luks_dev.activate_token(
{ &name,
Box::new(|credentials: Vec<String>| {
let creds = credentials
.into_iter()
.flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
.collect::<Vec<_>>();
secret(Cow::Owned(creds))
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}),
luks.slot,
),
_ => unreachable!(),
};
match secret {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => {} Fido2LuksError::WrongSecret if retries > 0 => {}
@@ -409,35 +577,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
retries -= 1; retries -= 1;
eprintln!("{}", e); eprintln!("{}", e);
} }
res => break res, res => break res.map(|_| ()),
} }
} }
} }
// TODO: utilise salt
Command::OpenToken {
device,
name,
salt: _,
} => luks::open_container_token(
device,
&name[..],
Box::new(|creds| {
let (secret, cred) = SecretGeneration {
credential_ids: CommaSeparated(
creds
.iter()
.map(|c| HexEncoded::from_str(&c[..]).unwrap())
.collect(),
),
salt: InputSalt::String("".into()),
password_helper: Default::default(),
await_authenticator: 100,
verify_password: None,
}
.obtain_secret_and_credential("Password")?;
Ok((secret, hex::encode(cred.id)))
}),
),
Command::Connected => match get_devices() { Command::Connected => match get_devices() {
Ok(ref devs) if !devs.is_empty() => { Ok(ref devs) if !devs.is_empty() => {
println!("Found {} devices", devs.len()); println!("Found {} devices", devs.len());
@@ -445,5 +588,129 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
_ => exit(1), _ => exit(1),
}, },
Command::Token(cmd) => match cmd {
TokenCommand::List {
device,
csv: dump_credentials,
} => {
let mut dev = LuksDevice::load(device)?;
let mut creds = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
for cred in token.credential.iter() {
if !creds.contains(cred) {
creds.push(cred.clone());
if *dump_credentials {
print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
}
}
}
if *dump_credentials {
continue;
}
println!(
"{}:\n\tSlots: {}\n\tCredentials: {}",
id,
if token.keyslots.is_empty() {
"None".into()
} else {
token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
},
token
.credential
.iter()
.map(|cred| format!(
"{} ({})",
cred,
creds.iter().position(|c| c == cred).unwrap().to_string()
))
.collect::<Vec<_>>()
.join(",")
);
}
if *dump_credentials {
println!();
}
Ok(())
}
TokenCommand::Add {
device,
credentials,
slot,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
tokens.push((id, token));
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
1
} else {
tokens.len()
};
for (id, mut token) in tokens {
token
.credential
.extend(credentials.ids.0.iter().map(|h| h.to_string()));
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::Remove {
device,
credentials,
token_id,
} => {
let mut dev = LuksDevice::load(device)?;
let mut tokens = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if let Some(token_id) = token_id {
if id == *token_id {
tokens.push((id, token));
}
} else {
tokens.push((id, token));
}
}
let count = tokens.len();
for (id, mut token) in tokens {
token.credential = token
.credential
.into_iter()
.filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
.collect();
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
Ok(())
}
TokenCommand::GC { device } => {
let mut dev = LuksDevice::load(device)?;
let mut creds: HashSet<String> = HashSet::new();
let mut remove = Vec::new();
for token in dev.tokens()? {
let (id, token) = token?;
if token.keyslots.is_empty() || token.credential.is_empty() {
creds.extend(token.credential);
remove.push(id);
}
}
for id in remove.iter().rev() {
dev.remove_token(*id)?;
}
println!(
"Removed {} tokens, affected credentials: {}",
remove.len(),
creds.into_iter().collect::<Vec<_>>().join(",")
);
Ok(())
}
},
} }
} }

2
src/config.rs
View File

@@ -84,7 +84,7 @@ impl InputSalt {
} }
} }
#[derive(Debug, Clone)] #[derive(Debug, Clone, PartialEq, Eq)]
pub enum PasswordHelper { pub enum PasswordHelper {
Script(String), Script(String),
#[allow(dead_code)] #[allow(dead_code)]

16
src/device.rs
View File

@@ -9,13 +9,21 @@ use std::time::Duration;
const RP_ID: &str = "fido2luks"; const RP_ID: &str = "fido2luks";
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> { pub fn make_credential_id(
name: Option<&str>,
pin: Option<&str>,
) -> Fido2LuksResult<FidoCredential> {
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID); let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
if let Some(user_name) = name { if let Some(user_name) = name {
request = request.user_name(user_name); request = request.user_name(user_name);
} }
let request = request.build().unwrap(); let request = request.build().unwrap();
let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request); let make_credential = |device: &mut FidoDevice| {
if let Some(pin) = pin {
device.unlock(pin)?;
}
device.make_hmac_credential(&request)
};
Ok(request_multiple_devices( Ok(request_multiple_devices(
get_devices()? get_devices()?
.iter_mut() .iter_mut()
@@ -28,6 +36,7 @@ pub fn perform_challenge<'a>(
credentials: &'a [&'a FidoCredential], credentials: &'a [&'a FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
timeout: Duration, timeout: Duration,
pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> { ) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
let request = FidoAssertionRequestBuilder::default() let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID) .rp_id(RP_ID)
@@ -35,6 +44,9 @@ pub fn perform_challenge<'a>(
.build() .build()
.unwrap(); .unwrap();
let get_assertion = |device: &mut FidoDevice| { let get_assertion = |device: &mut FidoDevice| {
if let Some(pin) = pin {
device.unlock(pin)?;
}
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
}; };
let (credential, (secret, _)) = request_multiple_devices( let (credential, (secret, _)) = request_multiple_devices(

6
src/error.rs
View File

@@ -75,6 +75,12 @@ impl LuksError {
} }
} }
impl From<LuksError> for Fido2LuksError {
fn from(e: LuksError) -> Self {
Fido2LuksError::LuksError { cause: e }
}
}
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::io::ErrorKind; use std::io::ErrorKind;
use std::string::FromUtf8Error; use std::string::FromUtf8Error;

439
src/luks.rs
View File

@@ -7,84 +7,251 @@ use libcryptsetup_rs::{
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { pub struct LuksDevice {
device: CryptDevice,
luks2: Option<bool>,
}
impl LuksDevice {
pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
let mut device = CryptInit::init(path.as_ref())?; let mut device = CryptInit::init(path.as_ref())?;
device.context_handle().load::<()>(None, None)?; device.context_handle().load::<()>(None, None)?;
Ok(device) Ok(Self {
} device,
luks2: None,
fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> { })
match device.format_handle().get_type()? {
EncryptionFormat::Luks2 => Ok(()),
_ => Err(Fido2LuksError::LuksError {
cause: LuksError::Luks2Required,
}),
} }
}
#[derive(Debug, Clone, Serialize, Deserialize)] pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
struct Fido2LuksToken { if let Some(luks2) = self.luks2 {
#[serde(rename = "type")] Ok(luks2)
type_: String, } else {
credential: Vec<String>, self.luks2 = Some(match self.device.format_handle().get_type()? {
keyslots: Vec<String>, EncryptionFormat::Luks2 => true,
} _ => false,
});
impl Fido2LuksToken { self.is_luks2()
fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self {
type_: "fido2luks\0".into(), // Doubles as c style string
credential: vec![hex::encode(credential_id)],
keyslots: vec![slot.to_string()],
} }
} }
}
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> { fn require_luks2(&mut self) -> Fido2LuksResult<()> {
let mut device = load_device_handle(path)?; if !self.is_luks2()? {
device return Err(LuksError::Luks2Required.into());
.activate_handle() }
.activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty()) Ok(())
.map(|_slot| ()) }
.map_err(|_e| Fido2LuksError::WrongSecret)
}
pub fn open_container_token<P: AsRef<Path>>( pub fn tokens<'a>(
path: P, &'a mut self,
name: &str, ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
secret: Box<dyn Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>>, {
) -> Fido2LuksResult<()> { self.require_luks2()?;
let mut device = load_device_handle(path)?; Ok(Box::new(
check_luks2(&mut device)?; (0..32)
.map(move |i| {
let mut creds = HashMap::new(); let status = match self.device.token_handle().status(i) {
for i in 0..256 { Ok(status) => status,
let status = device.token_handle().status(i)?; Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
match status { match status {
CryptTokenInfo::Inactive => break, CryptTokenInfo::Inactive => return None,
CryptTokenInfo::Internal(s) CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s) | CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s) | CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s) | CryptTokenInfo::External(s)
if &s != "fido2luks" => if &s != Fido2LuksToken::default_type() =>
{ {
continue return None
} }
_ => (), _ => (),
}; };
let json = device.token_handle().json_get(i)?; let json = match self.device.token_handle().json_get(i) {
Ok(json) => json,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
let info: Fido2LuksToken = let info: Fido2LuksToken =
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError { match serde_json::from_value(json.clone()).map_err(|_| {
Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()), cause: LuksError::InvalidToken(json.to_string()),
})?; }
}) {
Ok(info) => info,
Err(err) => return Some(Err(Fido2LuksError::from(err))),
};
Some(Ok((i, info)))
})
.filter_map(|o| o),
))
}
pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
let slot_str = slot.to_string();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot_str) {
return Ok(Some((id, token)));
}
}
Ok(None)
}
pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
Ok(())
}
pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::RemoveToken(token))?;
Ok(())
}
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&data).unwrap(),
))?;
Ok(())
}
pub fn add_key(
&mut self,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis)
}
let slot = self
.device
.keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
Ok(slot)
}
pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut destroyed = 0;
let mut tokens = Vec::new();
for slot in 0..256 {
match self.device.keyslot_handle().status(slot)? {
KeyslotInfo::Inactive => continue,
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
if self.is_luks2()? {
if let Some((id, _token)) = self.find_token(slot)? {
tokens.push(id);
}
}
self.device.keyslot_handle().destroy(slot)?;
destroyed += 1;
}
KeyslotInfo::ActiveLast => break,
_ => (),
}
if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break;
}
}
// Ensure indices stay valid
tokens.sort();
for token in tokens.iter().rev() {
self.remove_token(*token)?;
}
Ok(destroyed)
}
pub fn replace_key(
&mut self,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis)
}
// Use activate dry-run to locate keyslot
let slot = self.device.activate_handle().activate_by_passphrase(
None,
None,
old_secret,
CryptActivateFlags::empty(),
)?;
self.device.keyslot_handle().change_by_passphrase(
Some(slot),
Some(slot),
old_secret,
secret,
)? as u32;
if let Some(id) = credential_id {
if self.is_luks2()? {
let token = self.find_token(slot)?.map(|(t, _)| t);
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
if let Some(token) = token {
self.device
.token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?;
} else {
self.device
.token_handle()
.json_set(TokenInput::AddToken(&json))?;
}
}
}
Ok(slot)
}
pub fn activate(
&mut self,
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.map_err(LuksError::activate)
}
pub fn activate_token(
&mut self,
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
}
let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
for token in self.tokens()? {
let token = match token {
Ok((_id, t)) => t,
_ => continue, // An corrupted token should't lock the user out
};
let slots = || { let slots = || {
info.keyslots token
.keyslots
.iter() .iter()
.filter_map(|slot| slot.parse::<u32>().ok()) .filter_map(|slot| slot.parse::<u32>().ok())
}; };
for cred in info.credential.iter().cloned() { for cred in token.credential.iter() {
creds creds
.entry(cred) .entry(cred.clone())
.or_insert_with(|| slots().collect::<HashSet<u32>>()) .or_insert_with(|| slots().collect::<HashSet<u32>>())
.extend(slots()); .extend(slots());
} }
@@ -95,140 +262,66 @@ pub fn open_container_token<P: AsRef<Path>>(
}); });
} }
let (secret, credential) = secret(creds.keys().cloned().collect())?; let (secret, credential) = secret(creds.keys().cloned().collect())?;
let slots = creds.get(&credential).unwrap(); let empty;
let slots = slots let slots = if let Some(slots) = creds.get(&credential) {
.iter() slots
.cloned() } else {
.map(Option::Some) empty = HashSet::new();
.chain(std::iter::once(None).take(slots.is_empty() as usize)); &empty
};
//Try slots associated with the credential used
let slots = slots.iter().cloned().map(Option::Some).chain(
std::iter::once(slot_hint) // Try slot hint if there is one
.take(slot_hint.is_some() as usize)
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots { for slot in slots {
match device match self.activate(name, &secret, slot) {
.activate_handle()
.activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
.map(|_slot| ())
.map_err(LuksError::activate)
{
Err(Fido2LuksError::WrongSecret) => (), Err(Fido2LuksError::WrongSecret) => (),
res => return res, res => return res,
} }
} }
Err(Fido2LuksError::WrongSecret) Err(Fido2LuksError::WrongSecret)
}
} }
pub fn add_key<P: AsRef<Path>>( #[derive(Debug, Clone, Serialize, Deserialize)]
path: P, pub struct Fido2LuksToken {
secret: &[u8], #[serde(rename = "type")]
old_secret: &[u8], pub type_: String,
iteration_time: Option<u64>, pub credential: HashSet<String>,
credential_id: Option<&[u8]>, pub keyslots: HashSet<String>,
) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis)
}
let slot = device
.keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
/* if let e @ Err(_) = check_luks2(&mut device) {
//rollback
device.keyslot_handle(Some(slot)).destroy()?;
return e.map(|_| 0u32);
}*/
device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
Ok(slot)
} }
fn find_token( impl Fido2LuksToken {
device: &mut CryptDevice, pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot)
}
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I,
slot: u32, slot: u32,
) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> { ) -> Self {
for i in 0..256 { Self {
let status = device.token_handle().status(i)?; credential: credentials
match status { .into_iter()
CryptTokenInfo::Inactive => break, .map(|cred| hex::encode(cred.as_ref()))
CryptTokenInfo::Internal(s) .collect(),
| CryptTokenInfo::InternalUnknown(s) keyslots: vec![slot.to_string()].into_iter().collect(),
| CryptTokenInfo::ExternalUnknown(s) ..Default::default()
| CryptTokenInfo::External(s)
if &s != "fido2luks" =>
{
continue
}
_ => (),
};
let json = device.token_handle().json_get(i)?;
let info: Fido2LuksToken =
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
})?;
if info.keyslots.contains(&slot.to_string()) {
return Ok(Some((i, info)));
} }
} }
Ok(None) pub fn default_type() -> &'static str {
"fido2luks"
}
} }
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> { impl Default for Fido2LuksToken {
let mut device = load_device_handle(path)?; fn default() -> Self {
let mut destroyed = 0; Self {
let mut tokens = Vec::new(); type_: Self::default_type().into(),
for slot in 0..256 { credential: HashSet::new(),
match device.keyslot_handle().status(slot)? { keyslots: HashSet::new(),
KeyslotInfo::Inactive => continue,
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
if let Ok(_) = check_luks2(&mut device) {
if let Some((token, _)) = dbg!(find_token(&mut device, slot))? {
tokens.push(token);
} }
} }
device.keyslot_handle().destroy(slot)?;
destroyed += 1;
}
KeyslotInfo::ActiveLast => break,
_ => (),
}
if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break;
}
}
for token in tokens.iter() {
device
.token_handle()
.json_set(TokenInput::RemoveToken(*token))?;
}
Ok(destroyed)
}
pub fn replace_key<P: AsRef<Path>>(
path: P,
secret: &[u8],
old_secret: &[u8],
iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?;
// Set iteration time not sure wether this applies to luks2 as well
if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis)
}
let slot = device
.keyslot_handle()
.change_by_passphrase(None, None, old_secret, secret)? as u32;
if let Some(id) = credential_id {
if check_luks2(&mut device).is_ok() {
let token = find_token(&mut device, slot)?.map(|(t, _)| t);
if let Some(token) = token {
device.token_handle().json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
}
}
Ok(slot)
} }

21
src/main.rs
View File

@@ -18,10 +18,6 @@ mod error;
mod luks; mod luks;
mod util; mod util;
fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
util::sha256(&[salt, hmac_result])
}
fn main() -> Fido2LuksResult<()> { fn main() -> Fido2LuksResult<()> {
match run_cli() { match run_cli() {
Err(e) => { Err(e) => {
@@ -34,20 +30,3 @@ fn main() -> Fido2LuksResult<()> {
_ => exit(0), _ => exit(0),
} }
} }
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_assemble_secret() {
assert_eq!(
assemble_secret(b"abc", b"def"),
[
46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
]
)
}
}

4
src/util.rs
View File

@@ -29,6 +29,10 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
} }
} }
pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
}
pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> { pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
let mut file = File::open(path.into())?; let mut file = File::open(path.into())?;
let mut key = Vec::new(); let mut key = Vec::new();