Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
cd90564f60
|
|||
|
0f6d79a7e4
|
|||
|
4136b1bfad
|
|||
|
81016a1a42
|
|||
|
840868468b
|
|||
|
97880e4f41
|
|||
|
e798ba5c70
|
|||
|
298e05fed7
|
|||
|
a498e1416f
|
|||
| 92e413de50 | |||
|
023399bb14
|
|||
|
a53a430c23
|
33
.drone.yml
33
.drone.yml
@@ -3,32 +3,27 @@ name: default
|
||||
|
||||
steps:
|
||||
- name: fmt
|
||||
image: rust:1.37.0
|
||||
image: rust:1.43.0
|
||||
commands:
|
||||
- rustup component add rustfmt
|
||||
- cargo fmt --all -- --check
|
||||
- name: test
|
||||
image: rust:1.37.0
|
||||
image: rust:1.43.0
|
||||
commands:
|
||||
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev
|
||||
- apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
|
||||
- echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
|
||||
- cargo test
|
||||
|
||||
- name: build
|
||||
image: rust:1.37.0
|
||||
commands:
|
||||
- apt update && apt install -y libcryptsetup-dev libkeyutils-dev
|
||||
- cargo install -f --path . --root .
|
||||
when:
|
||||
event: tag
|
||||
- name: publish
|
||||
image: plugins/github-release
|
||||
settings:
|
||||
api_key:
|
||||
from_secret: github_release
|
||||
files:
|
||||
- bin/fido2luks
|
||||
checksum:
|
||||
- md5
|
||||
- sha256
|
||||
image: rust:1.43.0
|
||||
environment:
|
||||
CARGO_REGISTRY_TOKEN:
|
||||
from_secret: cargo_tkn
|
||||
commands:
|
||||
- grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
|
||||
- apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config
|
||||
- echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
|
||||
- cargo package --all-features
|
||||
- cargo publish --all-features
|
||||
when:
|
||||
event: tag
|
||||
|
||||
304
Cargo.lock
generated
304
Cargo.lock
generated
@@ -1,10 +1,25 @@
|
||||
# This file is automatically @generated by Cargo.
|
||||
# It is not intended for manual editing.
|
||||
[[package]]
|
||||
name = "aho-corasick"
|
||||
version = "0.7.10"
|
||||
name = "addr2line"
|
||||
version = "0.13.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8716408b8bc624ed7f65d223ddb9ac2d044c0547b6fa4b0d554f3a9540496ada"
|
||||
checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
|
||||
dependencies = [
|
||||
"gimli",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "adler"
|
||||
version = "0.2.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
|
||||
|
||||
[[package]]
|
||||
name = "aho-corasick"
|
||||
version = "0.7.13"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
|
||||
dependencies = [
|
||||
"memchr",
|
||||
]
|
||||
@@ -43,31 +58,23 @@ checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
|
||||
|
||||
[[package]]
|
||||
name = "backtrace"
|
||||
version = "0.3.46"
|
||||
version = "0.3.50"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e"
|
||||
checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
|
||||
dependencies = [
|
||||
"backtrace-sys",
|
||||
"addr2line",
|
||||
"cfg-if",
|
||||
"libc",
|
||||
"miniz_oxide",
|
||||
"object",
|
||||
"rustc-demangle",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "backtrace-sys"
|
||||
version = "0.1.36"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
|
||||
dependencies = [
|
||||
"cc",
|
||||
"libc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "bindgen"
|
||||
version = "0.53.2"
|
||||
version = "0.54.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "6bb26d6a69a335b8cb0e7c7e9775cd5666611dc50a37177c3f2cedcfc040e8c8"
|
||||
checksum = "f4d49b80beb70d76cdac92f5681e666f9a697c737c4f4117a67229a0386dc736"
|
||||
dependencies = [
|
||||
"bitflags",
|
||||
"cexpr",
|
||||
@@ -79,8 +86,8 @@ dependencies = [
|
||||
"lazycell",
|
||||
"log",
|
||||
"peeking_take_while",
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"regex",
|
||||
"rustc-hash",
|
||||
"shlex",
|
||||
@@ -111,9 +118,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "cc"
|
||||
version = "1.0.52"
|
||||
version = "1.0.58"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
|
||||
checksum = "f9a06fb2e53271d7c279ec1efea6ab691c35a2ae67ec0d91d7acec0caf13b518"
|
||||
|
||||
[[package]]
|
||||
name = "cexpr"
|
||||
@@ -143,9 +150,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "clap"
|
||||
version = "2.33.0"
|
||||
version = "2.33.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
|
||||
checksum = "10040cdf04294b565d9e0319955430099ec3813a64c952b86a41200ad714ae48"
|
||||
dependencies = [
|
||||
"ansi_term",
|
||||
"atty",
|
||||
@@ -181,12 +188,12 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "crossbeam-channel"
|
||||
version = "0.4.2"
|
||||
version = "0.4.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cced8691919c02aac3cb0a1bc2e9b73d89e832bf9a06fc579d4e71b68a2da061"
|
||||
checksum = "09ee0cc8804d5393478d743b035099520087a5186f3b93fa58cec08fa62407b6"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"crossbeam-utils",
|
||||
"maybe-uninit",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -217,12 +224,13 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "crossbeam-queue"
|
||||
version = "0.2.1"
|
||||
version = "0.2.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
|
||||
checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"crossbeam-utils",
|
||||
"maybe-uninit",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -284,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
|
||||
dependencies = [
|
||||
"fnv",
|
||||
"ident_case",
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"strsim 0.9.3",
|
||||
"syn 1.0.18",
|
||||
"syn 1.0.38",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -297,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
|
||||
dependencies = [
|
||||
"darling_core",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -309,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
|
||||
dependencies = [
|
||||
"darling",
|
||||
"derive_builder_core",
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -321,16 +329,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
|
||||
dependencies = [
|
||||
"darling",
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "either"
|
||||
version = "1.5.3"
|
||||
version = "1.6.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
|
||||
checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
|
||||
|
||||
[[package]]
|
||||
name = "env_logger"
|
||||
@@ -347,9 +355,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "failure"
|
||||
version = "0.1.7"
|
||||
version = "0.1.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b"
|
||||
checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
|
||||
dependencies = [
|
||||
"backtrace",
|
||||
"failure_derive",
|
||||
@@ -357,19 +365,19 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "failure_derive"
|
||||
version = "0.1.7"
|
||||
version = "0.1.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
|
||||
checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
|
||||
dependencies = [
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
"synstructure",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "fido2luks"
|
||||
version = "0.2.9"
|
||||
version = "0.2.10"
|
||||
dependencies = [
|
||||
"ctap_hmac",
|
||||
"failure",
|
||||
@@ -385,9 +393,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "fnv"
|
||||
version = "1.0.6"
|
||||
version = "1.0.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3"
|
||||
checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
|
||||
|
||||
[[package]]
|
||||
name = "fuchsia-cprng"
|
||||
@@ -401,6 +409,12 @@ version = "0.3.55"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
|
||||
|
||||
[[package]]
|
||||
name = "gimli"
|
||||
version = "0.22.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
|
||||
|
||||
[[package]]
|
||||
name = "glob"
|
||||
version = "0.3.0"
|
||||
@@ -418,9 +432,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "hermit-abi"
|
||||
version = "0.1.12"
|
||||
version = "0.1.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4"
|
||||
checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
|
||||
dependencies = [
|
||||
"libc",
|
||||
]
|
||||
@@ -448,9 +462,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
|
||||
|
||||
[[package]]
|
||||
name = "itoa"
|
||||
version = "0.4.5"
|
||||
version = "0.4.6"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b8b7a7c0c47db5545ed3fef7468ee7bb5b74691498139e4b3f6a20685dc6dd8e"
|
||||
checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
|
||||
|
||||
[[package]]
|
||||
name = "lazy_static"
|
||||
@@ -466,15 +480,15 @@ checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
|
||||
|
||||
[[package]]
|
||||
name = "libc"
|
||||
version = "0.2.69"
|
||||
version = "0.2.74"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
|
||||
checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10"
|
||||
|
||||
[[package]]
|
||||
name = "libcryptsetup-rs"
|
||||
version = "0.4.1"
|
||||
version = "0.4.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b"
|
||||
checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
|
||||
dependencies = [
|
||||
"either",
|
||||
"libc",
|
||||
@@ -487,9 +501,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "libcryptsetup-rs-sys"
|
||||
version = "0.1.2"
|
||||
version = "0.1.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0c605998e81e2a99c1f4c5d0be45ea1df6f1dc45dc64f5ca2847b0dbebf49ae7"
|
||||
checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
|
||||
dependencies = [
|
||||
"bindgen",
|
||||
"cc",
|
||||
@@ -509,9 +523,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "log"
|
||||
version = "0.4.8"
|
||||
version = "0.4.11"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
|
||||
checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
]
|
||||
@@ -530,18 +544,27 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
|
||||
|
||||
[[package]]
|
||||
name = "memoffset"
|
||||
version = "0.5.4"
|
||||
version = "0.5.5"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b4fc2c02a7e374099d4ee95a193111f72d2110197fe200272371758f6c3643d8"
|
||||
checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
|
||||
dependencies = [
|
||||
"autocfg 1.0.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "nom"
|
||||
version = "5.1.1"
|
||||
name = "miniz_oxide"
|
||||
version = "0.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0b471253da97532da4b61552249c521e01e736071f71c1a4f7ebbfbf0a06aad6"
|
||||
checksum = "be0f75932c1f6cfae3c04000e40114adf955636e19040f9c0a2c380702aa1c7f"
|
||||
dependencies = [
|
||||
"adler",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "nom"
|
||||
version = "5.1.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
|
||||
dependencies = [
|
||||
"memchr",
|
||||
"version_check",
|
||||
@@ -560,13 +583,19 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "num-traits"
|
||||
version = "0.2.11"
|
||||
version = "0.2.12"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
|
||||
checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
|
||||
dependencies = [
|
||||
"autocfg 1.0.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "object"
|
||||
version = "0.20.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
|
||||
|
||||
[[package]]
|
||||
name = "peeking_take_while"
|
||||
version = "0.1.2"
|
||||
@@ -575,33 +604,31 @@ checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
|
||||
|
||||
[[package]]
|
||||
name = "pkg-config"
|
||||
version = "0.3.17"
|
||||
version = "0.3.18"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
|
||||
checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro-error"
|
||||
version = "1.0.2"
|
||||
version = "1.0.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678"
|
||||
checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
|
||||
dependencies = [
|
||||
"proc-macro-error-attr",
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
"version_check",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro-error-attr"
|
||||
version = "1.0.2"
|
||||
version = "1.0.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53"
|
||||
checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
|
||||
dependencies = [
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"syn-mid",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"version_check",
|
||||
]
|
||||
|
||||
@@ -616,11 +643,11 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro2"
|
||||
version = "1.0.10"
|
||||
version = "1.0.19"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "df246d292ff63439fea9bc8c0a270bed0e390d5ebd4db4ba15aba81111b5abe3"
|
||||
checksum = "04f5f085b5d71e2188cb8271e5da0161ad52c3f227a661a3c135fdf28e258b12"
|
||||
dependencies = [
|
||||
"unicode-xid 0.2.0",
|
||||
"unicode-xid 0.2.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -640,11 +667,11 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "quote"
|
||||
version = "1.0.3"
|
||||
version = "1.0.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f"
|
||||
checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
|
||||
dependencies = [
|
||||
"proc-macro2 1.0.10",
|
||||
"proc-macro2 1.0.19",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -787,9 +814,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "regex"
|
||||
version = "1.3.7"
|
||||
version = "1.3.9"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692"
|
||||
checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
|
||||
dependencies = [
|
||||
"aho-corasick",
|
||||
"memchr",
|
||||
@@ -799,9 +826,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "regex-syntax"
|
||||
version = "0.6.17"
|
||||
version = "0.6.18"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7fe5bd57d1d7414c6b5ed48563a2c855d995ff777729dcd91c369ec7fea395ae"
|
||||
checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
|
||||
|
||||
[[package]]
|
||||
name = "ring"
|
||||
@@ -858,9 +885,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
|
||||
|
||||
[[package]]
|
||||
name = "ryu"
|
||||
version = "1.0.4"
|
||||
version = "1.0.5"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1"
|
||||
checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
|
||||
|
||||
[[package]]
|
||||
name = "scopeguard"
|
||||
@@ -885,26 +912,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
|
||||
|
||||
[[package]]
|
||||
name = "serde"
|
||||
version = "1.0.106"
|
||||
version = "1.0.115"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
|
||||
checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
|
||||
|
||||
[[package]]
|
||||
name = "serde_derive"
|
||||
version = "1.0.106"
|
||||
version = "1.0.115"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
|
||||
checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
|
||||
dependencies = [
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_json"
|
||||
version = "1.0.51"
|
||||
version = "1.0.57"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "da07b57ee2623368351e9a0488bb0b261322a15a6e0ae53e243cbdc0f4208da9"
|
||||
checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
|
||||
dependencies = [
|
||||
"itoa",
|
||||
"ryu",
|
||||
@@ -931,9 +958,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
|
||||
|
||||
[[package]]
|
||||
name = "structopt"
|
||||
version = "0.3.14"
|
||||
version = "0.3.16"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef"
|
||||
checksum = "de5472fb24d7e80ae84a7801b7978f95a19ec32cb1876faea59ab711eb901976"
|
||||
dependencies = [
|
||||
"clap",
|
||||
"lazy_static",
|
||||
@@ -942,15 +969,15 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "structopt-derive"
|
||||
version = "0.4.7"
|
||||
version = "0.4.9"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a"
|
||||
checksum = "1e0eb37335aeeebe51be42e2dc07f031163fbabfa6ac67d7ea68b5c2f68d5f99"
|
||||
dependencies = [
|
||||
"heck",
|
||||
"proc-macro-error",
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -966,36 +993,25 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "syn"
|
||||
version = "1.0.18"
|
||||
version = "1.0.38"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
|
||||
checksum = "e69abc24912995b3038597a7a593be5053eb0fb44f3cc5beec0deb421790c1f4"
|
||||
dependencies = [
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"unicode-xid 0.2.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "syn-mid"
|
||||
version = "0.5.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
|
||||
dependencies = [
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"unicode-xid 0.2.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "synstructure"
|
||||
version = "0.12.3"
|
||||
version = "0.12.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
|
||||
checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
|
||||
dependencies = [
|
||||
"proc-macro2 1.0.10",
|
||||
"quote 1.0.3",
|
||||
"syn 1.0.18",
|
||||
"unicode-xid 0.2.0",
|
||||
"proc-macro2 1.0.19",
|
||||
"quote 1.0.7",
|
||||
"syn 1.0.38",
|
||||
"unicode-xid 0.2.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -1043,9 +1059,9 @@ checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-width"
|
||||
version = "0.1.7"
|
||||
version = "0.1.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "caaa9d531767d1ff2150b9332433f32a24622147e5ebb1f26409d5da67afd479"
|
||||
checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-xid"
|
||||
@@ -1055,9 +1071,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-xid"
|
||||
version = "0.2.0"
|
||||
version = "0.2.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
|
||||
checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
|
||||
|
||||
[[package]]
|
||||
name = "untrusted"
|
||||
@@ -1076,15 +1092,15 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "vec_map"
|
||||
version = "0.8.1"
|
||||
version = "0.8.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
|
||||
checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
|
||||
|
||||
[[package]]
|
||||
name = "version_check"
|
||||
version = "0.9.1"
|
||||
version = "0.9.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "078775d0255232fb988e6fccf26ddc9d1ac274299aaedcedce21c6f72cc533ce"
|
||||
checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
|
||||
|
||||
[[package]]
|
||||
name = "which"
|
||||
@@ -1097,9 +1113,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "winapi"
|
||||
version = "0.3.8"
|
||||
version = "0.3.9"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
|
||||
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
|
||||
dependencies = [
|
||||
"winapi-i686-pc-windows-gnu",
|
||||
"winapi-x86_64-pc-windows-gnu",
|
||||
|
||||
16
Cargo.toml
16
Cargo.toml
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "fido2luks"
|
||||
version = "0.2.9"
|
||||
version = "0.2.10"
|
||||
authors = ["shimunn <shimun@shimun.net>"]
|
||||
edition = "2018"
|
||||
|
||||
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
|
||||
readme = "README.md"
|
||||
keywords = ["luks", "fido2", "u2f"]
|
||||
categories = ["command-line-utilities"]
|
||||
license-file = "LICENSE"
|
||||
license = "MPL-2.0"
|
||||
|
||||
[dependencies]
|
||||
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
|
||||
@@ -31,3 +31,15 @@ opt-level = 'z'
|
||||
panic = 'abort'
|
||||
incremental = false
|
||||
overflow-checks = false
|
||||
|
||||
[package.metadata.deb]
|
||||
depends = "$auto, cryptsetup"
|
||||
build-depends = "libclang-dev, libcryptsetup-dev"
|
||||
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
|
||||
assets = [
|
||||
["target/release/fido2luks", "usr/bin/", "755"],
|
||||
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
|
||||
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
|
||||
["initramfs-tools/fido2luks.conf", "etc/", "644"],
|
||||
]
|
||||
conf-files = ["/etc/fido2luks.conf"]
|
||||
|
||||
16
README.md
16
README.md
@@ -2,7 +2,7 @@
|
||||
|
||||
This will allow you to unlock your luks encrypted disk with an fido2 compatible key
|
||||
|
||||
Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
|
||||
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
|
||||
|
||||
## Setup
|
||||
|
||||
@@ -107,3 +107,17 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
|
||||
|
||||
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
|
||||
```
|
||||
|
||||
## License
|
||||
|
||||
Licensed under
|
||||
|
||||
* Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
|
||||
|
||||
### Contribution
|
||||
|
||||
Unless you explicitly state otherwise, any contribution intentionally
|
||||
submitted for inclusion in the work by you, as defined in the MPL 2.0
|
||||
license, shall be licensed as above, without any additional terms or
|
||||
conditions.
|
||||
|
||||
|
||||
11
initramfs-tools/Makefile
Normal file
11
initramfs-tools/Makefile
Normal file
@@ -0,0 +1,11 @@
|
||||
.PHONY: install
|
||||
install:
|
||||
chmod +x hook/fido2luks.sh keyscript.sh
|
||||
cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
|
||||
mkdir -p /usr/share/fido2luks
|
||||
cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
|
||||
update-initramfs -u
|
||||
remove:
|
||||
sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
|
||||
rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
|
||||
update-initramfs -u
|
||||
13
initramfs-tools/README.md
Normal file
13
initramfs-tools/README.md
Normal file
@@ -0,0 +1,13 @@
|
||||
## Initramfs-tools based systems(Ubuntu and derivatives)
|
||||
|
||||
After installation generate your credentials and add keys to your disk as described in the top-level README
|
||||
then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
|
||||
|
||||
Example:
|
||||
```
|
||||
sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
|
||||
```
|
||||
|
||||
But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
|
||||
|
||||
[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
|
||||
3
initramfs-tools/fido2luks.conf
Normal file
3
initramfs-tools/fido2luks.conf
Normal file
@@ -0,0 +1,3 @@
|
||||
FIDO2LUKS_SALT=Ask
|
||||
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
|
||||
FIDO2LUKS_CREDENTIAL_ID=
|
||||
14
initramfs-tools/hook/fido2luks.sh
Executable file
14
initramfs-tools/hook/fido2luks.sh
Executable file
@@ -0,0 +1,14 @@
|
||||
#!/bin/sh
|
||||
|
||||
case "$1" in
|
||||
prereqs)
|
||||
echo ""
|
||||
exit 0
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
. /usr/share/initramfs-tools/hook-functions
|
||||
copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
|
||||
copy_exec /usr/bin/fido2luks
|
||||
exit 0
|
||||
11
initramfs-tools/keyscript.sh
Executable file
11
initramfs-tools/keyscript.sh
Executable file
@@ -0,0 +1,11 @@
|
||||
#!/bin/sh
|
||||
set -a
|
||||
. /etc/fido2luks.conf
|
||||
|
||||
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
|
||||
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
|
||||
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt '$MSG'"
|
||||
plymouth message --text "$MSG"
|
||||
fi
|
||||
|
||||
fido2luks print-secret --bin
|
||||
332
initramfs-tools/setup.svg
Normal file
332
initramfs-tools/setup.svg
Normal file
File diff suppressed because one or more lines are too long
|
After Width: | Height: | Size: 550 KiB |
210
src/cli.rs
210
src/cli.rs
@@ -1,5 +1,4 @@
|
||||
use crate::error::*;
|
||||
use crate::luks;
|
||||
use crate::*;
|
||||
|
||||
use structopt::StructOpt;
|
||||
@@ -12,8 +11,10 @@ use std::io::Write;
|
||||
use std::process::exit;
|
||||
use std::thread;
|
||||
|
||||
use crate::luks::{Fido2LuksToken, LuksDevice};
|
||||
use crate::util::sha256;
|
||||
use std::borrow::Cow;
|
||||
use std::collections::HashSet;
|
||||
use std::time::SystemTime;
|
||||
|
||||
#[derive(Debug, Eq, PartialEq, Clone)]
|
||||
@@ -25,6 +26,12 @@ impl Display for HexEncoded {
|
||||
}
|
||||
}
|
||||
|
||||
impl AsRef<[u8]> for HexEncoded {
|
||||
fn as_ref(&self) -> &[u8] {
|
||||
&self.0[..]
|
||||
}
|
||||
}
|
||||
|
||||
impl FromStr for HexEncoded {
|
||||
type Err = hex::FromHexError;
|
||||
|
||||
@@ -59,7 +66,7 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
|
||||
|
||||
#[derive(Debug, StructOpt)]
|
||||
pub struct Credentials {
|
||||
/// FIDO credential ids, seperated by ',' generate using fido2luks credential
|
||||
/// FIDO credential ids, separated by ',' generate using fido2luks credential
|
||||
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
|
||||
pub ids: CommaSeparated<HexEncoded>,
|
||||
}
|
||||
@@ -282,6 +289,45 @@ pub enum Command {
|
||||
/// Check if an authenticator is connected
|
||||
#[structopt(name = "connected")]
|
||||
Connected,
|
||||
Token(TokenCommand),
|
||||
}
|
||||
|
||||
///LUKS2 token related operations
|
||||
#[derive(Debug, StructOpt)]
|
||||
pub enum TokenCommand {
|
||||
/// List all tokens associated with the specified device
|
||||
List {
|
||||
#[structopt(env = "FIDO2LUKS_DEVICE")]
|
||||
device: PathBuf,
|
||||
/// Dump all credentials as CSV
|
||||
#[structopt(long = "csv")]
|
||||
csv: bool,
|
||||
},
|
||||
/// Add credential to a keyslot
|
||||
Add {
|
||||
#[structopt(env = "FIDO2LUKS_DEVICE")]
|
||||
device: PathBuf,
|
||||
#[structopt(flatten)]
|
||||
credentials: Credentials,
|
||||
/// Slot to which the credentials will be added
|
||||
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
|
||||
slot: u32,
|
||||
},
|
||||
/// Remove credentials from token(s)
|
||||
Remove {
|
||||
#[structopt(env = "FIDO2LUKS_DEVICE")]
|
||||
device: PathBuf,
|
||||
#[structopt(flatten)]
|
||||
credentials: Credentials,
|
||||
/// Token from which the credentials will be removed
|
||||
#[structopt(long = "token")]
|
||||
token_id: Option<u32>,
|
||||
},
|
||||
/// Remove all unassigned tokens
|
||||
GC {
|
||||
#[structopt(env = "FIDO2LUKS_DEVICE")]
|
||||
device: PathBuf,
|
||||
},
|
||||
}
|
||||
|
||||
pub fn parse_cmdline() -> Args {
|
||||
@@ -371,7 +417,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
secret.salt.obtain(&secret.password_helper)
|
||||
}
|
||||
};
|
||||
let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
|
||||
let other_secret = |salt_q: &str,
|
||||
verify: bool|
|
||||
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
|
||||
match other_secret {
|
||||
OtherSecret {
|
||||
keyfile: Some(file),
|
||||
@@ -386,7 +434,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
pin.as_deref(),
|
||||
)
|
||||
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
|
||||
_ => Ok((util::read_password(salt_q, verify)?.as_bytes().to_vec(), None)),
|
||||
_ => Ok((
|
||||
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
|
||||
None,
|
||||
)),
|
||||
}
|
||||
};
|
||||
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
@@ -397,22 +448,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
pin.as_deref(),
|
||||
)
|
||||
};
|
||||
let mut luks_dev = LuksDevice::load(&luks.device)?;
|
||||
// Non overlap
|
||||
match &args.command {
|
||||
Command::AddKey {
|
||||
exclusive, ..
|
||||
} => {
|
||||
Command::AddKey { exclusive, .. } => {
|
||||
let (existing_secret, _) = other_secret("Current password", false)?;
|
||||
let (new_secret, cred) = secret(true)?;
|
||||
let added_slot = luks::add_key(
|
||||
&luks.device,
|
||||
let added_slot = luks_dev.add_key(
|
||||
&new_secret,
|
||||
&existing_secret[..],
|
||||
luks_mod.kdf_time.or(Some(10)),
|
||||
Some(&cred.id[..]).filter(|_| *token),
|
||||
)?;
|
||||
if *exclusive {
|
||||
let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?;
|
||||
let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
|
||||
println!(
|
||||
"Added to key to device {}, slot: {}\nRemoved {} old keys",
|
||||
luks.device.display(),
|
||||
@@ -432,16 +481,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
let (existing_secret, _) = secret(false)?;
|
||||
let (replacement_secret, cred) = other_secret("Replacement password", true)?;
|
||||
let slot = if *add_password {
|
||||
luks::add_key(
|
||||
&luks.device,
|
||||
luks_dev.add_key(
|
||||
&replacement_secret[..],
|
||||
&existing_secret,
|
||||
luks_mod.kdf_time,
|
||||
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
|
||||
)
|
||||
} else {
|
||||
luks::replace_key(
|
||||
&luks.device,
|
||||
luks_dev.replace_key(
|
||||
&replacement_secret[..],
|
||||
&existing_secret,
|
||||
luks_mod.kdf_time,
|
||||
@@ -499,14 +546,12 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
};
|
||||
|
||||
let mut retries = *retries;
|
||||
let mut luks_dev = LuksDevice::load(&luks.device)?;
|
||||
loop {
|
||||
let secret = match &args.command {
|
||||
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
|
||||
.and_then(|(secret, _cred)| {
|
||||
luks::open_container(&luks.device, &name, &secret, luks.slot)
|
||||
}),
|
||||
Command::OpenToken { .. } => luks::open_container_token(
|
||||
&luks.device,
|
||||
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
|
||||
Command::OpenToken { .. } => luks_dev.activate_token(
|
||||
&name,
|
||||
Box::new(|credentials: Vec<String>| {
|
||||
let creds = credentials
|
||||
@@ -516,6 +561,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
secret(Cow::Owned(creds))
|
||||
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
|
||||
}),
|
||||
luks.slot,
|
||||
),
|
||||
_ => unreachable!(),
|
||||
};
|
||||
@@ -531,7 +577,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
retries -= 1;
|
||||
eprintln!("{}", e);
|
||||
}
|
||||
res => break res,
|
||||
res => break res.map(|_| ()),
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -542,5 +588,129 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
}
|
||||
_ => exit(1),
|
||||
},
|
||||
Command::Token(cmd) => match cmd {
|
||||
TokenCommand::List {
|
||||
device,
|
||||
csv: dump_credentials,
|
||||
} => {
|
||||
let mut dev = LuksDevice::load(device)?;
|
||||
let mut creds = Vec::new();
|
||||
for token in dev.tokens()? {
|
||||
let (id, token) = token?;
|
||||
for cred in token.credential.iter() {
|
||||
if !creds.contains(cred) {
|
||||
creds.push(cred.clone());
|
||||
if *dump_credentials {
|
||||
print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
|
||||
}
|
||||
}
|
||||
}
|
||||
if *dump_credentials {
|
||||
continue;
|
||||
}
|
||||
println!(
|
||||
"{}:\n\tSlots: {}\n\tCredentials: {}",
|
||||
id,
|
||||
if token.keyslots.is_empty() {
|
||||
"None".into()
|
||||
} else {
|
||||
token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
|
||||
},
|
||||
token
|
||||
.credential
|
||||
.iter()
|
||||
.map(|cred| format!(
|
||||
"{} ({})",
|
||||
cred,
|
||||
creds.iter().position(|c| c == cred).unwrap().to_string()
|
||||
))
|
||||
.collect::<Vec<_>>()
|
||||
.join(",")
|
||||
);
|
||||
}
|
||||
if *dump_credentials {
|
||||
println!();
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
TokenCommand::Add {
|
||||
device,
|
||||
credentials,
|
||||
slot,
|
||||
} => {
|
||||
let mut dev = LuksDevice::load(device)?;
|
||||
let mut tokens = Vec::new();
|
||||
for token in dev.tokens()? {
|
||||
let (id, token) = token?;
|
||||
if token.keyslots.contains(&slot.to_string()) {
|
||||
tokens.push((id, token));
|
||||
}
|
||||
}
|
||||
let count = if tokens.is_empty() {
|
||||
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
|
||||
1
|
||||
} else {
|
||||
tokens.len()
|
||||
};
|
||||
for (id, mut token) in tokens {
|
||||
token
|
||||
.credential
|
||||
.extend(credentials.ids.0.iter().map(|h| h.to_string()));
|
||||
dev.update_token(id, &token)?;
|
||||
}
|
||||
println!("Updated {} tokens", count);
|
||||
Ok(())
|
||||
}
|
||||
TokenCommand::Remove {
|
||||
device,
|
||||
credentials,
|
||||
token_id,
|
||||
} => {
|
||||
let mut dev = LuksDevice::load(device)?;
|
||||
let mut tokens = Vec::new();
|
||||
for token in dev.tokens()? {
|
||||
let (id, token) = token?;
|
||||
if let Some(token_id) = token_id {
|
||||
if id == *token_id {
|
||||
tokens.push((id, token));
|
||||
}
|
||||
} else {
|
||||
tokens.push((id, token));
|
||||
}
|
||||
}
|
||||
let count = tokens.len();
|
||||
for (id, mut token) in tokens {
|
||||
token.credential = token
|
||||
.credential
|
||||
.into_iter()
|
||||
.filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
|
||||
.collect();
|
||||
dev.update_token(id, &token)?;
|
||||
}
|
||||
println!("Updated {} tokens", count);
|
||||
Ok(())
|
||||
}
|
||||
TokenCommand::GC { device } => {
|
||||
let mut dev = LuksDevice::load(device)?;
|
||||
let mut creds: HashSet<String> = HashSet::new();
|
||||
let mut remove = Vec::new();
|
||||
for token in dev.tokens()? {
|
||||
let (id, token) = token?;
|
||||
if token.keyslots.is_empty() || token.credential.is_empty() {
|
||||
creds.extend(token.credential);
|
||||
remove.push(id);
|
||||
}
|
||||
}
|
||||
for id in remove.iter().rev() {
|
||||
dev.remove_token(*id)?;
|
||||
}
|
||||
println!(
|
||||
"Removed {} tokens, affected credentials: {}",
|
||||
remove.len(),
|
||||
creds.into_iter().collect::<Vec<_>>().join(",")
|
||||
);
|
||||
Ok(())
|
||||
}
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
@@ -75,6 +75,12 @@ impl LuksError {
|
||||
}
|
||||
}
|
||||
|
||||
impl From<LuksError> for Fido2LuksError {
|
||||
fn from(e: LuksError) -> Self {
|
||||
Fido2LuksError::LuksError { cause: e }
|
||||
}
|
||||
}
|
||||
|
||||
use libcryptsetup_rs::LibcryptErr;
|
||||
use std::io::ErrorKind;
|
||||
use std::string::FromUtf8Error;
|
||||
|
||||
524
src/luks.rs
524
src/luks.rs
@@ -7,245 +7,321 @@ use libcryptsetup_rs::{
|
||||
use std::collections::{HashMap, HashSet};
|
||||
use std::path::Path;
|
||||
|
||||
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
|
||||
let mut device = CryptInit::init(path.as_ref())?;
|
||||
device.context_handle().load::<()>(None, None)?;
|
||||
Ok(device)
|
||||
pub struct LuksDevice {
|
||||
device: CryptDevice,
|
||||
luks2: Option<bool>,
|
||||
}
|
||||
|
||||
fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
|
||||
match device.format_handle().get_type()? {
|
||||
EncryptionFormat::Luks2 => Ok(()),
|
||||
_ => Err(Fido2LuksError::LuksError {
|
||||
cause: LuksError::Luks2Required,
|
||||
}),
|
||||
impl LuksDevice {
|
||||
pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
|
||||
let mut device = CryptInit::init(path.as_ref())?;
|
||||
device.context_handle().load::<()>(None, None)?;
|
||||
Ok(Self {
|
||||
device,
|
||||
luks2: None,
|
||||
})
|
||||
}
|
||||
|
||||
pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
|
||||
if let Some(luks2) = self.luks2 {
|
||||
Ok(luks2)
|
||||
} else {
|
||||
self.luks2 = Some(match self.device.format_handle().get_type()? {
|
||||
EncryptionFormat::Luks2 => true,
|
||||
_ => false,
|
||||
});
|
||||
self.is_luks2()
|
||||
}
|
||||
}
|
||||
|
||||
fn require_luks2(&mut self) -> Fido2LuksResult<()> {
|
||||
if !self.is_luks2()? {
|
||||
return Err(LuksError::Luks2Required.into());
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn tokens<'a>(
|
||||
&'a mut self,
|
||||
) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
|
||||
{
|
||||
self.require_luks2()?;
|
||||
Ok(Box::new(
|
||||
(0..32)
|
||||
.map(move |i| {
|
||||
let status = match self.device.token_handle().status(i) {
|
||||
Ok(status) => status,
|
||||
Err(err) => return Some(Err(Fido2LuksError::from(err))),
|
||||
};
|
||||
match status {
|
||||
CryptTokenInfo::Inactive => return None,
|
||||
CryptTokenInfo::Internal(s)
|
||||
| CryptTokenInfo::InternalUnknown(s)
|
||||
| CryptTokenInfo::ExternalUnknown(s)
|
||||
| CryptTokenInfo::External(s)
|
||||
if &s != Fido2LuksToken::default_type() =>
|
||||
{
|
||||
return None
|
||||
}
|
||||
_ => (),
|
||||
};
|
||||
let json = match self.device.token_handle().json_get(i) {
|
||||
Ok(json) => json,
|
||||
Err(err) => return Some(Err(Fido2LuksError::from(err))),
|
||||
};
|
||||
let info: Fido2LuksToken =
|
||||
match serde_json::from_value(json.clone()).map_err(|_| {
|
||||
Fido2LuksError::LuksError {
|
||||
cause: LuksError::InvalidToken(json.to_string()),
|
||||
}
|
||||
}) {
|
||||
Ok(info) => info,
|
||||
Err(err) => return Some(Err(Fido2LuksError::from(err))),
|
||||
};
|
||||
Some(Ok((i, info)))
|
||||
})
|
||||
.filter_map(|o| o),
|
||||
))
|
||||
}
|
||||
|
||||
pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
|
||||
let slot_str = slot.to_string();
|
||||
for token in self.tokens()? {
|
||||
let (id, token) = token?;
|
||||
if token.keyslots.contains(&slot_str) {
|
||||
return Ok(Some((id, token)));
|
||||
}
|
||||
}
|
||||
Ok(None)
|
||||
}
|
||||
|
||||
pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
|
||||
self.require_luks2()?;
|
||||
self.device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
|
||||
self.require_luks2()?;
|
||||
self.device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::RemoveToken(token))?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
|
||||
self.require_luks2()?;
|
||||
self.device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::ReplaceToken(
|
||||
token,
|
||||
&serde_json::to_value(&data).unwrap(),
|
||||
))?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn add_key(
|
||||
&mut self,
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
if let Some(millis) = iteration_time {
|
||||
self.device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
let slot = self
|
||||
.device
|
||||
.keyslot_handle()
|
||||
.add_by_passphrase(None, old_secret, secret)?;
|
||||
if let Some(id) = credential_id {
|
||||
self.device.token_handle().json_set(TokenInput::AddToken(
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
|
||||
))?;
|
||||
}
|
||||
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
|
||||
let mut destroyed = 0;
|
||||
let mut tokens = Vec::new();
|
||||
for slot in 0..256 {
|
||||
match self.device.keyslot_handle().status(slot)? {
|
||||
KeyslotInfo::Inactive => continue,
|
||||
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
|
||||
if self.is_luks2()? {
|
||||
if let Some((id, _token)) = self.find_token(slot)? {
|
||||
tokens.push(id);
|
||||
}
|
||||
}
|
||||
self.device.keyslot_handle().destroy(slot)?;
|
||||
destroyed += 1;
|
||||
}
|
||||
KeyslotInfo::ActiveLast => break,
|
||||
_ => (),
|
||||
}
|
||||
if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
|
||||
break;
|
||||
}
|
||||
}
|
||||
// Ensure indices stay valid
|
||||
tokens.sort();
|
||||
for token in tokens.iter().rev() {
|
||||
self.remove_token(*token)?;
|
||||
}
|
||||
Ok(destroyed)
|
||||
}
|
||||
|
||||
pub fn replace_key(
|
||||
&mut self,
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
if let Some(millis) = iteration_time {
|
||||
self.device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
// Use activate dry-run to locate keyslot
|
||||
let slot = self.device.activate_handle().activate_by_passphrase(
|
||||
None,
|
||||
None,
|
||||
old_secret,
|
||||
CryptActivateFlags::empty(),
|
||||
)?;
|
||||
self.device.keyslot_handle().change_by_passphrase(
|
||||
Some(slot),
|
||||
Some(slot),
|
||||
old_secret,
|
||||
secret,
|
||||
)? as u32;
|
||||
if let Some(id) = credential_id {
|
||||
if self.is_luks2()? {
|
||||
let token = self.find_token(slot)?.map(|(t, _)| t);
|
||||
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
|
||||
if let Some(token) = token {
|
||||
self.device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::ReplaceToken(token, &json))?;
|
||||
} else {
|
||||
self.device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::AddToken(&json))?;
|
||||
}
|
||||
}
|
||||
}
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
pub fn activate(
|
||||
&mut self,
|
||||
name: &str,
|
||||
secret: &[u8],
|
||||
slot_hint: Option<u32>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
self.device
|
||||
.activate_handle()
|
||||
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
|
||||
.map_err(LuksError::activate)
|
||||
}
|
||||
|
||||
pub fn activate_token(
|
||||
&mut self,
|
||||
name: &str,
|
||||
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
|
||||
slot_hint: Option<u32>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
if !self.is_luks2()? {
|
||||
return Err(LuksError::Luks2Required.into());
|
||||
}
|
||||
let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
|
||||
for token in self.tokens()? {
|
||||
let token = match token {
|
||||
Ok((_id, t)) => t,
|
||||
_ => continue, // An corrupted token should't lock the user out
|
||||
};
|
||||
let slots = || {
|
||||
token
|
||||
.keyslots
|
||||
.iter()
|
||||
.filter_map(|slot| slot.parse::<u32>().ok())
|
||||
};
|
||||
for cred in token.credential.iter() {
|
||||
creds
|
||||
.entry(cred.clone())
|
||||
.or_insert_with(|| slots().collect::<HashSet<u32>>())
|
||||
.extend(slots());
|
||||
}
|
||||
}
|
||||
if creds.is_empty() {
|
||||
return Err(Fido2LuksError::LuksError {
|
||||
cause: LuksError::NoToken,
|
||||
});
|
||||
}
|
||||
let (secret, credential) = secret(creds.keys().cloned().collect())?;
|
||||
let empty;
|
||||
let slots = if let Some(slots) = creds.get(&credential) {
|
||||
slots
|
||||
} else {
|
||||
empty = HashSet::new();
|
||||
&empty
|
||||
};
|
||||
//Try slots associated with the credential used
|
||||
let slots = slots.iter().cloned().map(Option::Some).chain(
|
||||
std::iter::once(slot_hint) // Try slot hint if there is one
|
||||
.take(slot_hint.is_some() as usize)
|
||||
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
|
||||
);
|
||||
for slot in slots {
|
||||
match self.activate(name, &secret, slot) {
|
||||
Err(Fido2LuksError::WrongSecret) => (),
|
||||
res => return res,
|
||||
}
|
||||
}
|
||||
Err(Fido2LuksError::WrongSecret)
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||
struct Fido2LuksToken {
|
||||
pub struct Fido2LuksToken {
|
||||
#[serde(rename = "type")]
|
||||
type_: String,
|
||||
credential: Vec<String>,
|
||||
keyslots: Vec<String>,
|
||||
pub type_: String,
|
||||
pub credential: HashSet<String>,
|
||||
pub keyslots: HashSet<String>,
|
||||
}
|
||||
|
||||
impl Fido2LuksToken {
|
||||
fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
|
||||
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
|
||||
Self::with_credentials(std::iter::once(credential_id), slot)
|
||||
}
|
||||
|
||||
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
|
||||
credentials: I,
|
||||
slot: u32,
|
||||
) -> Self {
|
||||
Self {
|
||||
type_: "fido2luks\0".into(), // Doubles as c style string
|
||||
credential: vec![hex::encode(credential_id)],
|
||||
keyslots: vec![slot.to_string()],
|
||||
credential: credentials
|
||||
.into_iter()
|
||||
.map(|cred| hex::encode(cred.as_ref()))
|
||||
.collect(),
|
||||
keyslots: vec![slot.to_string()].into_iter().collect(),
|
||||
..Default::default()
|
||||
}
|
||||
}
|
||||
pub fn default_type() -> &'static str {
|
||||
"fido2luks"
|
||||
}
|
||||
}
|
||||
|
||||
pub fn open_container<P: AsRef<Path>>(
|
||||
path: P,
|
||||
name: &str,
|
||||
secret: &[u8],
|
||||
slot_hint: Option<u32>,
|
||||
) -> Fido2LuksResult<()> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
device
|
||||
.activate_handle()
|
||||
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
|
||||
.map(|_slot| ())
|
||||
.map_err(|_e| Fido2LuksError::WrongSecret)
|
||||
}
|
||||
|
||||
pub fn open_container_token<P: AsRef<Path>>(
|
||||
path: P,
|
||||
name: &str,
|
||||
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
|
||||
) -> Fido2LuksResult<()> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
check_luks2(&mut device)?;
|
||||
|
||||
let mut creds = HashMap::new();
|
||||
for i in 0..256 {
|
||||
let status = device.token_handle().status(i)?;
|
||||
match status {
|
||||
CryptTokenInfo::Inactive => break,
|
||||
CryptTokenInfo::Internal(s)
|
||||
| CryptTokenInfo::InternalUnknown(s)
|
||||
| CryptTokenInfo::ExternalUnknown(s)
|
||||
| CryptTokenInfo::External(s)
|
||||
if &s != "fido2luks" =>
|
||||
{
|
||||
continue
|
||||
}
|
||||
_ => (),
|
||||
};
|
||||
let json = device.token_handle().json_get(i)?;
|
||||
let info: Fido2LuksToken =
|
||||
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
|
||||
cause: LuksError::InvalidToken(json.to_string()),
|
||||
})?;
|
||||
let slots = || {
|
||||
info.keyslots
|
||||
.iter()
|
||||
.filter_map(|slot| slot.parse::<u32>().ok())
|
||||
};
|
||||
for cred in info.credential.iter().cloned() {
|
||||
creds
|
||||
.entry(cred)
|
||||
.or_insert_with(|| slots().collect::<HashSet<u32>>())
|
||||
.extend(slots());
|
||||
impl Default for Fido2LuksToken {
|
||||
fn default() -> Self {
|
||||
Self {
|
||||
type_: Self::default_type().into(),
|
||||
credential: HashSet::new(),
|
||||
keyslots: HashSet::new(),
|
||||
}
|
||||
}
|
||||
if creds.is_empty() {
|
||||
return Err(Fido2LuksError::LuksError {
|
||||
cause: LuksError::NoToken,
|
||||
});
|
||||
}
|
||||
let (secret, credential) = secret(creds.keys().cloned().collect())?;
|
||||
let slots = creds.get(&credential).unwrap();
|
||||
let slots = slots
|
||||
.iter()
|
||||
.cloned()
|
||||
.map(Option::Some)
|
||||
.chain(std::iter::once(None).take(slots.is_empty() as usize));
|
||||
for slot in slots {
|
||||
match device
|
||||
.activate_handle()
|
||||
.activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
|
||||
.map(|_slot| ())
|
||||
.map_err(LuksError::activate)
|
||||
{
|
||||
Err(Fido2LuksError::WrongSecret) => (),
|
||||
res => return res,
|
||||
}
|
||||
}
|
||||
Err(Fido2LuksError::WrongSecret)
|
||||
}
|
||||
|
||||
pub fn add_key<P: AsRef<Path>>(
|
||||
path: P,
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
if let Some(millis) = iteration_time {
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
let slot = device
|
||||
.keyslot_handle()
|
||||
.add_by_passphrase(None, old_secret, secret)?;
|
||||
if let Some(id) = credential_id {
|
||||
/* if let e @ Err(_) = check_luks2(&mut device) {
|
||||
//rollback
|
||||
device.keyslot_handle(Some(slot)).destroy()?;
|
||||
return e.map(|_| 0u32);
|
||||
}*/
|
||||
device.token_handle().json_set(TokenInput::AddToken(
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
|
||||
))?;
|
||||
}
|
||||
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
fn find_token(
|
||||
device: &mut CryptDevice,
|
||||
slot: u32,
|
||||
) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
|
||||
for i in 0..256 {
|
||||
let status = device.token_handle().status(i)?;
|
||||
match status {
|
||||
CryptTokenInfo::Inactive => break,
|
||||
CryptTokenInfo::Internal(s)
|
||||
| CryptTokenInfo::InternalUnknown(s)
|
||||
| CryptTokenInfo::ExternalUnknown(s)
|
||||
| CryptTokenInfo::External(s)
|
||||
if &s != "fido2luks" =>
|
||||
{
|
||||
continue
|
||||
}
|
||||
_ => (),
|
||||
};
|
||||
let json = device.token_handle().json_get(i)?;
|
||||
let info: Fido2LuksToken =
|
||||
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
|
||||
cause: LuksError::InvalidToken(json.to_string()),
|
||||
})?;
|
||||
if info.keyslots.contains(&slot.to_string()) {
|
||||
return Ok(Some((i, info)));
|
||||
}
|
||||
}
|
||||
Ok(None)
|
||||
}
|
||||
|
||||
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
let mut destroyed = 0;
|
||||
let mut tokens = Vec::new();
|
||||
for slot in 0..256 {
|
||||
match device.keyslot_handle().status(slot)? {
|
||||
KeyslotInfo::Inactive => continue,
|
||||
KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
|
||||
if let Ok(_) = check_luks2(&mut device) {
|
||||
if let Some((token, _)) = find_token(&mut device, slot)? {
|
||||
tokens.push(token);
|
||||
}
|
||||
}
|
||||
device.keyslot_handle().destroy(slot)?;
|
||||
destroyed += 1;
|
||||
}
|
||||
KeyslotInfo::ActiveLast => break,
|
||||
_ => (),
|
||||
}
|
||||
if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
|
||||
break;
|
||||
}
|
||||
}
|
||||
// Ensure indices stay valid
|
||||
tokens.sort();
|
||||
for token in tokens.iter().rev() {
|
||||
device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::RemoveToken(*token))?;
|
||||
}
|
||||
Ok(destroyed)
|
||||
}
|
||||
|
||||
pub fn replace_key<P: AsRef<Path>>(
|
||||
path: P,
|
||||
secret: &[u8],
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
if let Some(millis) = iteration_time {
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
// Use activate dry-run to locate keyslot
|
||||
let slot = device.activate_handle().activate_by_passphrase(
|
||||
None,
|
||||
None,
|
||||
old_secret,
|
||||
CryptActivateFlags::empty(),
|
||||
)?;
|
||||
device
|
||||
.keyslot_handle()
|
||||
.change_by_passphrase(Some(slot), Some(slot), old_secret, secret)? as u32;
|
||||
if let Some(id) = credential_id {
|
||||
if check_luks2(&mut device).is_ok() {
|
||||
let token = find_token(&mut device, slot)?.map(|(t, _)| t);
|
||||
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
|
||||
if let Some(token) = token {
|
||||
device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::ReplaceToken(token, &json))?;
|
||||
} else {
|
||||
device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::AddToken(&json))?;
|
||||
}
|
||||
}
|
||||
}
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user