shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:master
Branches Tags
shimun:master
shimun:0.3.0-alpha
shimun:ctap-hid-fido2
shimun:retry_pin
shimun:0.3.0
shimun:debVM
shimun:flake
shimun:password_promt
shimun:dracut
shimun:initcpio
shimun:pam_mod
shimun:setup
shimun:completions
shimun:pkgbuild
shimun:pin_source
shimun:relicense
shimun:deb
shimun:initramfs-tools
shimun:luks_refr
shimun:0.2.8
shimun:luks2_token
shimun:cli_reorg
shimun:request_multiple
shimun:luks2
shimun:cratesio
shimun:isalt
shimun:connected
shimun:keyutils
shimun:0.2.20
shimun:0.2.19
shimun:0.2.18
shimun:0.2.17
shimun:0.2.16
shimun:0.2.15
shimun:0.2.14
shimun:0.2.13
shimun:0.2.12
shimun:0.2.11
shimun:0.2.10
shimun:0.2.9
shimun:0.2.8
shimun:0.2.7
shimun:0.2.6
shimun:0.2.5
shimun:0.2.4
shimun:0.2.3
shimun:0.2.2
shimun:0.2.1
shimun:0.2.0
..
compare: shimun:pam_mod
Branches Tags
shimun:0.3.0-alpha
shimun:ctap-hid-fido2
shimun:retry_pin
shimun:master
shimun:0.3.0
shimun:debVM
shimun:flake
shimun:password_promt
shimun:dracut
shimun:initcpio
shimun:pam_mod
shimun:setup
shimun:completions
shimun:pkgbuild
shimun:pin_source
shimun:relicense
shimun:deb
shimun:initramfs-tools
shimun:luks_refr
shimun:0.2.8
shimun:luks2_token
shimun:cli_reorg
shimun:request_multiple
shimun:luks2
shimun:cratesio
shimun:isalt
shimun:connected
shimun:keyutils
shimun:0.2.20
shimun:0.2.19
shimun:0.2.18
shimun:0.2.17
shimun:0.2.16
shimun:0.2.15
shimun:0.2.14
shimun:0.2.13
shimun:0.2.12
shimun:0.2.11
shimun:0.2.10
shimun:0.2.9
shimun:0.2.8
shimun:0.2.7
shimun:0.2.6
shimun:0.2.5
shimun:0.2.4
shimun:0.2.3
shimun:0.2.2
shimun:0.2.1
shimun:0.2.0

16 Commits
master ... pam_mod

Author SHA1 Message Date
shimun
ddaf3f9264
err
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2020-09-29 20:32:00 +02:00
shimun
349807a6c4
hint pin input
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details
2020-09-29 19:41:20 +02:00
shimun
4e3d799179
fix test
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-09-29 19:36:24 +02:00
shimun
197d9f511c
wrap all error cases
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-09-29 19:31:48 +02:00
shimun
11ac32d3f1
print error msg
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-09-29 19:24:33 +02:00
shimun
f6627d887b
proper error messages
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-09-29 19:21:44 +02:00
shimun
fbbf606631
sudo
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-09-29 18:28:22 +02:00
shimun
7879d64e3a
Merge branch 'pam_mod' of git.shimun.net:shimun/fido2luks into pam_mod
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-09-28 18:06:10 +02:00
shimun
31ee2dcbe7
libpam-dev
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-09-28 17:27:13 +02:00
shimun
79849df284
add pam dependency 2020-09-25 01:38:17 +02:00
shimun
f2a8e412ac
salt
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 01:21:34 +02:00
shimun
985f6f664b
include password
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 01:19:47 +02:00
shimun
d4094b8a6a
dbg
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-09-25 01:00:59 +02:00
shimun
e524996693
add
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 00:52:31 +02:00
shimun
d6f6c7c218
ext
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-09-25 00:24:46 +02:00
shimun
63f29249d3
pam module
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 00:23:36 +02:00
21 changed files with 476 additions and 907 deletions
Show Stats Expand all files Collapse all files

4
.drone.yml
View File

@ -12,7 +12,7 @@ steps:
environment:
DEBIAN_FRONTEND: noninteractive
commands:
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev
- cargo test --locked
- name: publish
image: ubuntu:focal
@ -22,7 +22,7 @@ steps:
from_secret: cargo_tkn
commands:
- grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev
- cargo package --all-features
- cargo publish --all-features
when:

2
.gitignore vendored
View File

@ -6,5 +6,3 @@ fido2luks.bash
fido2luks.elv
fido2luks.fish
fido2luks.zsh
result
result-*

465
Cargo.lock generated
View File

@ -2,33 +2,33 @@
# It is not intended for manual editing.
[[package]]
name = "addr2line"
version = "0.17.0"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b9ecd88a8c8378ca913a680cd98f0f13ac67383d35993f86c90a70e3f137816b"
checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
dependencies = [
"gimli",
]
[[package]]
name = "adler"
version = "1.0.2"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
[[package]]
name = "aho-corasick"
version = "0.7.18"
version = "0.7.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
dependencies = [
"memchr",
]
[[package]]
name = "ansi_term"
version = "0.12.1"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
dependencies = [
"winapi",
]
@ -58,13 +58,12 @@ checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
[[package]]
name = "backtrace"
version = "0.3.63"
version = "0.3.50"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "321629d8ba6513061f26707241fa9bc89524ff1cd7a915a97ef0c62c666ce1b6"
checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
dependencies = [
"addr2line",
"cc",
"cfg-if 1.0.0",
"cfg-if",
"libc",
"miniz_oxide",
"object",
@ -73,12 +72,13 @@ dependencies = [
[[package]]
name = "bindgen"
version = "0.59.2"
version = "0.54.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2bd2a9a458e8f4304c52c43ebb0cfbd520289f8379a52e329a38afda99bf8eb8"
checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
dependencies = [
"bitflags",
"cexpr",
"cfg-if",
"clang-sys",
"clap",
"env_logger",
@ -86,8 +86,8 @@ dependencies = [
"lazycell",
"log",
"peeking_take_while",
"proc-macro2 1.0.36",
"quote 1.0.14",
"proc-macro2 1.0.20",
"quote 1.0.7",
"regex",
"rustc-hash",
"shlex",
@ -96,27 +96,15 @@ dependencies = [
[[package]]
name = "bitflags"
version = "1.3.2"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]]
name = "bstr"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223"
dependencies = [
"lazy_static",
"memchr",
"regex-automata",
"serde",
]
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
[[package]]
name = "byteorder"
version = "1.4.3"
version = "1.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de"
[[package]]
name = "cbor-codec"
@ -130,15 +118,15 @@ dependencies = [
[[package]]
name = "cc"
version = "1.0.72"
version = "1.0.59"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22a9137b95ea06864e018375b72adfb7db6e6f68cfc8df5a04d00288050485ee"
checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
[[package]]
name = "cexpr"
version = "0.6.0"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
checksum = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27"
dependencies = [
"nom",
]
@ -149,17 +137,11 @@ version = "0.1.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
[[package]]
name = "cfg-if"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "clang-sys"
version = "1.3.0"
version = "0.29.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa66045b9cb23c2e9c1520732030608b02ee07e5cfaa5a521ec15ded7fa24c90"
checksum = "fe6837df1d5cba2397b835c8530f51723267e16abbf83892e9e5af4f0e5dd10a"
dependencies = [
"glob",
"libc",
@ -168,9 +150,9 @@ dependencies = [
[[package]]
name = "clap"
version = "2.34.0"
version = "2.33.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
dependencies = [
"ansi_term",
"atty",
@ -196,7 +178,7 @@ version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69323bff1fb41c635347b8ead484a5ca6c3f11914d784170b158d8449ab07f8e"
dependencies = [
"cfg-if 0.1.10",
"cfg-if",
"crossbeam-channel",
"crossbeam-deque",
"crossbeam-epoch",
@ -216,9 +198,9 @@ dependencies = [
[[package]]
name = "crossbeam-deque"
version = "0.7.4"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c20ff29ded3204c5106278a81a38f4b482636ed4fa1e6cfbeef193291beb29ed"
checksum = "9f02af974daeee82218205558e51ec8768b48cf524bd01d550abe5573a608285"
dependencies = [
"crossbeam-epoch",
"crossbeam-utils",
@ -232,7 +214,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
dependencies = [
"autocfg 1.0.1",
"cfg-if 0.1.10",
"cfg-if",
"crossbeam-utils",
"lazy_static",
"maybe-uninit",
@ -246,7 +228,7 @@ version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
dependencies = [
"cfg-if 0.1.10",
"cfg-if",
"crossbeam-utils",
"maybe-uninit",
]
@ -258,23 +240,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
dependencies = [
"autocfg 1.0.1",
"cfg-if 0.1.10",
"cfg-if",
"lazy_static",
]
[[package]]
name = "csv"
version = "1.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
dependencies = [
"bstr",
"csv-core",
"itoa 0.4.8",
"ryu",
"serde",
]
[[package]]
name = "csv-core"
version = "0.1.10"
@ -286,14 +255,14 @@ dependencies = [
[[package]]
name = "ctap_hmac"
version = "0.4.5"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e9c22d4c95aeeb4e2d41e823912d5460cfa1ebf672363eb97b32fa7c91cab89a"
checksum = "c5fec79b66e3a7bc6a7ace0f4c98f0748892b36d3c5c317fadfce0344fd185dc"
dependencies = [
"byteorder",
"cbor-codec",
"crossbeam",
"csv",
"csv-core",
"derive_builder",
"failure",
"failure_derive",
@ -302,8 +271,6 @@ dependencies = [
"rand 0.6.5",
"ring",
"rust-crypto",
"serde",
"serde_derive",
"untrusted",
]
@ -325,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
dependencies = [
"fnv",
"ident_case",
"proc-macro2 1.0.36",
"quote 1.0.14",
"proc-macro2 1.0.20",
"quote 1.0.7",
"strsim 0.9.3",
"syn 1.0.84",
"syn 1.0.40",
]
[[package]]
@ -338,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
dependencies = [
"darling_core",
"quote 1.0.14",
"syn 1.0.84",
"quote 1.0.7",
"syn 1.0.40",
]
[[package]]
@ -350,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
dependencies = [
"darling",
"derive_builder_core",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.20",
"quote 1.0.7",
"syn 1.0.40",
]
[[package]]
@ -362,22 +329,22 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
dependencies = [
"darling",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.20",
"quote 1.0.7",
"syn 1.0.40",
]
[[package]]
name = "either"
version = "1.6.1"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
[[package]]
name = "env_logger"
version = "0.9.0"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b2cf0344971ee6c64c31be0d530793fba457d322dfec2810c453d0ef228f9c3"
checksum = "44533bbbb3bb3c1fa17d9f2e4e38bbbaf8396ba82193c4cb1b6445d711445d36"
dependencies = [
"atty",
"humantime",
@ -402,26 +369,28 @@ version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.20",
"quote 1.0.7",
"syn 1.0.40",
"synstructure",
]
[[package]]
name = "fido2luks"
version = "0.2.20"
version = "0.2.15"
dependencies = [
"ctap_hmac",
"failure",
"hex",
"libcryptsetup-rs",
"pamsm",
"ring",
"rpassword",
"serde",
"serde_derive",
"serde_json",
"structopt",
"sudo",
]
[[package]]
@ -442,22 +411,11 @@ version = "0.3.55"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
[[package]]
name = "getrandom"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
dependencies = [
"cfg-if 1.0.0",
"libc",
"wasi",
]
[[package]]
name = "gimli"
version = "0.26.1"
version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "78cc372d058dcf6d5ecd98510e7fbc9e5aec4d21de70f65fea8fecebcd881bd4"
checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
[[package]]
name = "glob"
@ -467,18 +425,18 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574"
[[package]]
name = "heck"
version = "0.3.3"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
checksum = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
dependencies = [
"unicode-segmentation",
]
[[package]]
name = "hermit-abi"
version = "0.1.19"
version = "0.1.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
dependencies = [
"libc",
]
@ -491,9 +449,12 @@ checksum = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
[[package]]
name = "humantime"
version = "2.1.0"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
checksum = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f"
dependencies = [
"quick-error",
]
[[package]]
name = "ident_case"
@ -503,15 +464,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
[[package]]
name = "itoa"
version = "0.4.8"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
[[package]]
name = "itoa"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35"
checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
[[package]]
name = "lazy_static"
@ -527,54 +482,54 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
[[package]]
name = "libc"
version = "0.2.112"
version = "0.2.76"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b03d17f364a3a042d5e5d46b053bbbf82c92c9430c592dd4c064dc6ee997125"
checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
[[package]]
name = "libcryptsetup-rs"
version = "0.4.4"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dccc914e228f8b36aae1173b8dba2abf62eed833e9f816ec27b0917b26655d09"
checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
dependencies = [
"either",
"libc",
"libcryptsetup-rs-sys",
"pkg-config",
"semver 0.11.0",
"semver",
"serde_json",
"uuid",
]
[[package]]
name = "libcryptsetup-rs-sys"
version = "0.1.6"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41ef25e923679fe233e3c109702829717404d1266c80d6f30236e82e7b2798dc"
checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
dependencies = [
"bindgen",
"cc",
"pkg-config",
"semver 1.0.4",
"semver",
]
[[package]]
name = "libloading"
version = "0.7.2"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "afe203d669ec979b7128619bae5a63b7b42e9203c1b29146079ee05e2f604b52"
checksum = "f2b111a074963af1d37a139918ac6d49ad1d0d5e47f72fd55388619691a7d753"
dependencies = [
"cfg-if 1.0.0",
"cc",
"winapi",
]
[[package]]
name = "log"
version = "0.4.14"
version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
dependencies = [
"cfg-if 1.0.0",
"cfg-if",
]
[[package]]
@ -585,43 +540,35 @@ checksum = "60302e4db3a61da70c0cb7991976248362f30319e88850c487b9b95bbf059e00"
[[package]]
name = "memchr"
version = "2.4.1"
version = "2.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
[[package]]
name = "memoffset"
version = "0.5.6"
version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "043175f069eda7b85febe4a74abbaeff828d9f8b448515d3151a14a3542811aa"
checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
dependencies = [
"autocfg 1.0.1",
]
[[package]]
name = "minimal-lexical"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
[[package]]
name = "miniz_oxide"
version = "0.4.4"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b"
checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
dependencies = [
"adler",
"autocfg 1.0.1",
]
[[package]]
name = "nom"
version = "7.1.0"
version = "5.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b1d11e1ef389c76fe5b81bcaf2ea32cf88b62bc494e19f493d0b30e7a930109"
checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
dependencies = [
"memchr",
"minimal-lexical",
"version_check",
]
@ -638,21 +585,24 @@ dependencies = [
[[package]]
name = "num-traits"
version = "0.2.14"
version = "0.2.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
dependencies = [
"autocfg 1.0.1",
]
[[package]]
name = "object"
version = "0.27.1"
version = "0.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "67ac1d3f9a1d3616fd9a60c8d74296f22406a238b6a72f5cc1e6f314df4ffbf9"
dependencies = [
"memchr",
]
checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
[[package]]
name = "pamsm"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3580ed2ebe075c74db583233318abf4b07bc8d9a40c7691d0ae9c186e19e43dd"
[[package]]
name = "peeking_take_while"
@ -660,20 +610,11 @@ version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
[[package]]
name = "pest"
version = "2.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10f4872ae94d7b90ae48754df22fd42ad52ce740b8f370b03da4835417403e53"
dependencies = [
"ucd-trie",
]
[[package]]
name = "pkg-config"
version = "0.3.24"
version = "0.3.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"
checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
[[package]]
name = "proc-macro-error"
@ -682,9 +623,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
dependencies = [
"proc-macro-error-attr",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.20",
"quote 1.0.7",
"syn 1.0.40",
"version_check",
]
@ -694,8 +635,8 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"proc-macro2 1.0.20",
"quote 1.0.7",
"version_check",
]
@ -710,13 +651,19 @@ dependencies = [
[[package]]
name = "proc-macro2"
version = "1.0.36"
version = "1.0.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c7342d5883fbccae1cc37a2353b09c87c9b0f3afd73f5fb9bba687a1f733b029"
checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
dependencies = [
"unicode-xid 0.2.2",
"unicode-xid 0.2.1",
]
[[package]]
name = "quick-error"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
[[package]]
name = "quote"
version = "0.6.13"
@ -728,11 +675,11 @@ dependencies = [
[[package]]
name = "quote"
version = "1.0.14"
version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "47aa80447ce4daf1717500037052af176af5d38cc3e571d9ec1c7353fc10c87d"
checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
dependencies = [
"proc-macro2 1.0.36",
"proc-macro2 1.0.20",
]
[[package]]
@ -875,26 +822,21 @@ dependencies = [
[[package]]
name = "regex"
version = "1.5.4"
version = "1.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
dependencies = [
"aho-corasick",
"memchr",
"regex-syntax",
"thread_local",
]
[[package]]
name = "regex-automata"
version = "0.1.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
[[package]]
name = "regex-syntax"
version = "0.6.25"
version = "0.6.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
[[package]]
name = "ring"
@ -933,9 +875,9 @@ dependencies = [
[[package]]
name = "rustc-demangle"
version = "0.1.21"
version = "0.1.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"
checksum = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783"
[[package]]
name = "rustc-hash"
@ -951,9 +893,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
[[package]]
name = "ryu"
version = "1.0.9"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
[[package]]
name = "scopeguard"
@ -963,61 +905,52 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
[[package]]
name = "semver"
version = "0.11.0"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
checksum = "1d7eb9ef2c18661902cc47e535f9bc51b78acd254da71d375c2f6720d9a40403"
dependencies = [
"semver-parser",
]
[[package]]
name = "semver"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "568a8e6258aa33c13358f81fd834adb854c6f7c9468520910a9b1e8fac068012"
[[package]]
name = "semver-parser"
version = "0.10.2"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
dependencies = [
"pest",
]
checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
[[package]]
name = "serde"
version = "1.0.132"
version = "1.0.115"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b9875c23cf305cd1fd7eb77234cbb705f21ea6a72c637a5c6db5fe4b8e7f008"
checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
[[package]]
name = "serde_derive"
version = "1.0.132"
version = "1.0.115"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ecc0db5cb2556c0e558887d9bbdcf6ac4471e83ff66cf696e5419024d1606276"
checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.20",
"quote 1.0.7",
"syn 1.0.40",
]
[[package]]
name = "serde_json"
version = "1.0.73"
version = "1.0.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bcbd0344bc6533bc7ec56df11d42fb70f1b912351c0825ccb7211b59d8af7cf5"
checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
dependencies = [
"itoa 1.0.1",
"itoa",
"ryu",
"serde",
]
[[package]]
name = "shlex"
version = "1.1.0"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "43b2853a4d09f215c24cc5489c992ce46052d359b5109343cbafbf26bc62f8a3"
checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
[[package]]
name = "strsim"
@ -1033,9 +966,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
[[package]]
name = "structopt"
version = "0.3.25"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40b9788f4202aa75c240ecc9c15c65185e6a39ccdeb0fd5d008b98825464c87c"
checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
dependencies = [
"clap",
"lazy_static",
@ -1044,15 +977,25 @@ dependencies = [
[[package]]
name = "structopt-derive"
version = "0.4.18"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0"
checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
dependencies = [
"heck",
"proc-macro-error",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.20",
"quote 1.0.7",
"syn 1.0.40",
]
[[package]]
name = "sudo"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2a88e74edf206f281aff2820aa2066c781331044c770626dcafe19491f214e05"
dependencies = [
"libc",
"log",
]
[[package]]
@ -1068,32 +1011,32 @@ dependencies = [
[[package]]
name = "syn"
version = "1.0.84"
version = "1.0.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ecb2e6da8ee5eb9a61068762a32fa9619cc591ceb055b3687f4cd4051ec2e06b"
checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"unicode-xid 0.2.2",
"proc-macro2 1.0.20",
"quote 1.0.7",
"unicode-xid 0.2.1",
]
[[package]]
name = "synstructure"
version = "0.12.6"
version = "0.12.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"unicode-xid 0.2.2",
"proc-macro2 1.0.20",
"quote 1.0.7",
"syn 1.0.40",
"unicode-xid 0.2.1",
]
[[package]]
name = "termcolor"
version = "1.1.2"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4"
checksum = "bb6bfa289a4d7c5766392812c0a1f4c1ba45afa1ad47803c11e1f407d846d75f"
dependencies = [
"winapi-util",
]
@ -1108,32 +1051,36 @@ dependencies = [
]
[[package]]
name = "time"
version = "0.1.43"
name = "thread_local"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
checksum = "d40c6d1b69745a6ec6fb1ca717914848da4b44ae29d9b3080cbee91d72a69b14"
dependencies = [
"lazy_static",
]
[[package]]
name = "time"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
dependencies = [
"libc",
"wasi",
"winapi",
]
[[package]]
name = "ucd-trie"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "56dee185309b50d1f11bfedef0fe6d036842e3fb77413abef29f8f8d1c5d4c1c"
[[package]]
name = "unicode-segmentation"
version = "1.8.0"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8895849a949e7845e06bd6dc1aa51731a103c42707010a5b591c0038fb73385b"
checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
[[package]]
name = "unicode-width"
version = "0.1.9"
version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973"
checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
[[package]]
name = "unicode-xid"
@ -1143,9 +1090,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
[[package]]
name = "unicode-xid"
version = "0.2.2"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
[[package]]
name = "untrusted"
@ -1155,11 +1102,11 @@ checksum = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
[[package]]
name = "uuid"
version = "0.8.2"
version = "0.7.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
checksum = "90dbc611eb48397705a6b0f6e917da23ae517e4d127123d2cf7674206627d32a"
dependencies = [
"getrandom",
"rand 0.6.5",
]
[[package]]
@ -1170,24 +1117,22 @@ checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
[[package]]
name = "version_check"
version = "0.9.3"
version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
[[package]]
name = "wasi"
version = "0.10.2+wasi-snapshot-preview1"
version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]]
name = "which"
version = "4.2.2"
version = "3.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea187a8ef279bc014ec368c27a920da2024d2a711109bfbe3440585d5cf27ad9"
checksum = "d011071ae14a2f6671d0b74080ae0cd8ebf3a6f8c9589a2cd45f23126fe29724"
dependencies = [
"either",
"lazy_static",
"libc",
]

22
Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "fido2luks"
version = "0.2.20"
version = "0.2.15"
authors = ["shimunn <shimun@shimun.net>"]
edition = "2018"
@ -14,7 +14,7 @@ categories = ["command-line-utilities"]
license = "MPL-2.0"
[dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"
@ -24,14 +24,17 @@ libcryptsetup-rs = "0.4.1"
serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
pamsm = { version = "0.4.1", features = ["libpam"] }
sudo = "0.5.0"
[build-dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
hex = "0.3.2"
ring = "0.13.5"
failure = "0.1.5"
rpassword = "4.0.1"
libcryptsetup-rs = "0.4.1"
pamsm = { version = "0.4.1", features = ["libpam"] }
structopt = "0.3.2"
[profile.release]
@ -41,14 +44,23 @@ panic = 'abort'
incremental = false
overflow-checks = false
[[bin]]
name = "fido2luks"
path = "src/main.rs"
[lib]
name = "fido2luks_pam"
path = "src/lib.rs"
crate-type = ["cdylib"]
[package.metadata.deb]
depends = "$auto, cryptsetup"
build-depends = "libclang-dev, libcryptsetup-dev"
build-depends = "libclang-dev, libcryptsetup-dev, libpam-dev"
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
assets = [
["target/release/fido2luks", "usr/bin/", "755"],
["target/release/libfido2luks_pam.so", "usr/lib/x86_64-linux-gnu/security/pam_fido2luks.so", "755"],
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"],

24
PKGBUILD
View File

@ -1,37 +1,25 @@
# Maintainer: shimunn <shimun@shimun.net>
pkgname=fido2luks-git
pkgver=0.2.16.7e6b33a
pkgname=fido2luks
pkgver=0.2.12
pkgrel=1
makedepends=('rust' 'cargo' 'cryptsetup' 'clang' 'git')
makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
depends=('cryptsetup')
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
url="https://github.com/shimunn/fido2luks"
license=('MPL-2.0')
source=('git+https://github.com/shimunn/fido2luks')
sha512sums=('SKIP')
pkgver() {
cd fido2luks
# Use tag version if possible otherwise concat project version and git ref
git describe --exact-match --tags HEAD 2>/dev/null ||
git describe --exact-match --tags HEAD 2> /dev/null || \
echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
}
build() {
cd fido2luks
cargo build --release --locked --all-features --target-dir=target
}
package() {
cd fido2luks
install -Dm 755 target/release/fido2luks -t "${pkgdir}/usr/bin"
install -Dm 755 pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
install -Dm 644 initcpio/hooks/fido2luks -t "${pkgdir}/usr/lib/initcpio/hooks"
install -Dm 644 initcpio/install/fido2luks -t "${pkgdir}/usr/lib/initcpio/install"
install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
install -Dm 644 fido2luks.fish -t "${pkgdir}/usr/share/fish/vendor_completions.d"
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
}

32
README.md
View File

@ -2,7 +2,7 @@
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
## Setup
@ -115,36 +115,6 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```
## Theory of operation
fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
```
+-------------------------------------------------------------------------------+
| |
| +-----------------------------------------+ |
| | FIDO2 device | |
| | | |
| | | |
+-------+--------+ +------+ | +---------------+ | | +------------------------+
| Salt/Password +-> |sha256+------------------------> | | | v | LUKS header |
+----------------+ +------+ | | | | | | +---------------+
| | | | +--------+ +------------------------+--------> |Disk master key|
| | sha256_hmac +---------> | sha256 +-------> | Keyslot 1 | +---------------+
+----------------+ | +----------+ | | | +--------+ +------------------------+
| FIDO credential+---------------> |Credential| +----> | | | | Keyslot 2 |
+----------------+ | |secret | | | | +------------------------+
| +----------+ +---------------+ |
| |
| |
+-----------------------------------------+
```
Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
in a completly different secret.
## License
Licensed under

62
flake.lock generated
View File

@ -1,62 +0,0 @@
{
"nodes": {
"naersk": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1639947939,
"narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
"owner": "nmattia",
"repo": "naersk",
"rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
"type": "github"
},
"original": {
"owner": "nmattia",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1638109994,
"narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"naersk": "naersk",
"nixpkgs": "nixpkgs",
"utils": "utils"
}
},
"utils": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

61
flake.nix
View File

@ -1,61 +0,0 @@
{
description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
inputs = {
utils.url = "github:numtide/flake-utils";
naersk = {
url = "github:nmattia/naersk";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, utils, naersk }:
let
root = ./.;
pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
forPkgs = pkgs:
let
naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup ];
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
nativeBuildInputs = with pkgs; [
pkgconfig
clang
];
in
rec {
# `nix build`
packages.${pname} = naersk-lib.buildPackage {
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
};
defaultPackage = packages.${pname};
# `nix run`
apps.${pname} = utils.lib.mkApp {
drv = packages.${pname};
};
defaultApp = apps.${pname};
# `nix flake check`
checks = {
fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
cd ${root}
cargo fmt -- --check
nixpkgs-fmt --check *.nix
touch $out
'';
};
# `nix develop`
devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
inherit buildInputs LIBCLANG_PATH;
};
};
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
in
(utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
overlay = final: prev: (forPkgs final).packages;
};
}

18
initcpio/Makefile
View File

@ -1,18 +0,0 @@
.PHONY: install remove
install:
install -Dm644 hooks/fido2luks -t /usr/lib/initcpio/hooks
install -Dm644 install/fido2luks -t /usr/lib/initcpio/install
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif
remove:
rm /usr/lib/initcpio/{hooks,install}/fido2luks
ifdef preset
mkinitcpio -p $(preset)
else
mkinitcpio -P
endif

52
initcpio/README.md
View File

@ -1,52 +0,0 @@
## fido2luks hook for mkinitcpio (ArchLinux and derivatives)
> ⚠️ Before proceeding, it is very advised to [backup your existing LUKS2 header](https://wiki.archlinux.org/title/dm-crypt/Device_encryption#Backup_using_cryptsetup) to external storage
### Setup
1. Connect your FIDO2 authenticator
2. Generate credential id
```shell
fido2luks credential
```
3. Generate salt (random string)
```shell
pwgen 48 1
```
4. Add key to your LUKS2 device
```shell
fido2luks add-key -Pt --salt <salt> <block_device> <credential_id>
```
`-P` - request PIN to unlock the authenticator
`-t` - add token (including credential id) to the LUKS2 header
`-e` - wipe all other keys
For the full list of options see `fido2luks add-key --help`
5. Edit [/etc/fido2luks.conf](/initcpio/fido2luks.conf)
Keyslot (`FIDO2LUKS_DEVICE_SLOT`) can be obtained from the output of
```shell
cryptsetup luksDump <block_device>
```
6. Add fido2luks hook to /etc/mkinitcpio.conf
Before or instead of `encrypt` hook, for example:
```shell
HOOKS=(base udev autodetect modconf keyboard block fido2luks filesystems fsck)
```
7. Recreate initial ramdisk
```shell
mkinitcpio -p <preset>
```

18
initcpio/fido2luks.conf
View File

@ -1,18 +0,0 @@
# Set credential *ONLY IF* it's not embedded in the LUKS2 header
FIDO2LUKS_CREDENTIAL_ID=
# Encrypted device and its name under /dev/mapper
# Can be overridden by `cryptdevice` kernel parameter
FIDO2LUKS_DEVICE=
FIDO2LUKS_MAPPER_NAME=
FIDO2LUKS_SALT=string:<salt>
# Use specific keyslot (ignore all other slots)
FIDO2LUKS_DEVICE_SLOT=
# Await for an authenticator to be connected (in seconds)
FIDO2LUKS_DEVICE_AWAIT=
# Set to 1 if PIN is required to unlock the authenticator
FIDO2LUKS_ASK_PIN=

55
initcpio/hooks/fido2luks
View File

@ -1,55 +0,0 @@
#!/usr/bin/ash
run_hook() {
modprobe -a -q dm-crypt >/dev/null 2>&1
. /etc/fido2luks.conf
if [ -z "$cryptdevice" ]; then
device="$FIDO2LUKS_DEVICE"
dmname="$FIDO2LUKS_MAPPER_NAME"
else
IFS=: read cryptdev dmname _cryptoptions <<EOF
$cryptdevice
EOF
if ! device=$(resolve_device "${cryptdev}" ${rootdelay}); then
return 1
fi
fi
options="--salt $FIDO2LUKS_SALT"
if [ "$FIDO2LUKS_ASK_PIN" == 1 ]; then
options="$options --pin"
fi
if [ -n "$FIDO2LUKS_DEVICE_SLOT" ]; then
options="$options --slot $FIDO2LUKS_DEVICE_SLOT"
fi
if [ -n "$FIDO2LUKS_DEVICE_AWAIT" ]; then
options="$options --await-dev $FIDO2LUKS_DEVICE_AWAIT"
fi
# HACK: /dev/tty is hardcoded in rpassword, but not accessible from the ramdisk
# Temporary link it to /dev/tty1
mv /dev/tty /dev/tty.back
ln -s /dev/tty1 /dev/tty
printf "\nAuthentication is required to access the $dmname volume at $device\n"
if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
fido2luks open-token $device $dmname $options
else
fido2luks open $device $dmname $FIDO2LUKS_CREDENTIAL_ID $options
fi
exit_code=$?
# Restore /dev/tty
mv /dev/tty.back /dev/tty
if [ $exit_code -ne 0 ]; then
printf '\n'
read -s -p 'Press Enter to continue'
printf '\n'
fi
}

31
initcpio/install/fido2luks
View File

@ -1,31 +0,0 @@
#!/bin/bash
build() {
local mod
add_module dm-crypt
add_module dm-integrity
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules /crypto/
fi
add_binary fido2luks
add_binary dmsetup
add_file /usr/lib/udev/rules.d/10-dm.rules
add_file /usr/lib/udev/rules.d/13-dm-disk.rules
add_file /usr/lib/udev/rules.d/95-dm-notify.rules
add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
add_file /etc/fido2luks.conf /etc/fido2luks.conf
add_runscript
}
help() {
cat <<HELPEOF
This hook allows to decrypt LUKS2 partition using FIDO2 compatible authenticator
HELPEOF
}

2
initramfs-tools/fido2luks.conf
View File

@ -1,5 +1,3 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=
FIDO2LUKS_USE_TOKEN=0
FIDO2LUKS_PASSWORD_FALLBACK=1

16
initramfs-tools/keyscript.sh
View File

@ -2,17 +2,6 @@
set -a
. /etc/fido2luks.conf
# Set Defaults
if [ -z "$FIDO2LUKS_USE_TOKEN" ]; then
FIDO2LUKS_USE_TOKEN=0
fi
if [ -z "$FIDO2LUKS_PASSWORD_FALLBACK" ]; then
FIDO2LUKS_PASSWORD_FALLBACK=1
fi
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
@ -23,8 +12,3 @@ if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
fi
fido2luks print-secret --bin
# Fall back to passphrase-based unlock if fido2luks fails
if [ "$?" -gt 0 ] && [ "$FIDO2LUKS_PASSWORD_FALLBACK" -eq 1 ]; then
plymouth ask-for-password --prompt "Password for $CRYPTTAB_SOURCE"
fi

220
pam_mount/fido2luksmounthelper.sh
View File

@ -1,220 +0,0 @@
#!/bin/bash
#
# This is a rather minimal example Argbash potential
# Example taken from http://argbash.readthedocs.io/en/stable/example.html
#
# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Generated online by https://argbash.io/generate
die()
{
local _ret="${2:-1}"
test "${_PRINT_HELP:-no}" = yes && print_help >&2
echo "$1" >&2
exit "${_ret}"
}
begins_with_short_option()
{
local first_option all_short_options='cdmash'
first_option="${1:0:1}"
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}
# THE DEFAULTS INITIALIZATION - POSITIONALS
_positionals=()
# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_credentials_type=
_arg_device=
_arg_mount_point=
_arg_ask_pin="off"
_arg_salt=""
print_help()
{
printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
printf '\t%s\n' "-h, --help: Prints help"
}
parse_commandline()
{
_positionals_count=0
while test $# -gt 0
do
_key="$1"
case "$_key" in
-c|--credentials-type)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_credentials_type="$2"
shift
;;
--credentials-type=*)
_arg_credentials_type="${_key##--credentials-type=}"
;;
-c*)
_arg_credentials_type="${_key##-c}"
;;
-d|--device)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_device="$2"
shift
;;
--device=*)
_arg_device="${_key##--device=}"
;;
-d*)
_arg_device="${_key##-d}"
;;
-m|--mount-point)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_mount_point="$2"
shift
;;
--mount-point=*)
_arg_mount_point="${_key##--mount-point=}"
;;
-m*)
_arg_mount_point="${_key##-m}"
;;
-a|--no-ask-pin|--ask-pin)
_arg_ask_pin="on"
test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
;;
-a*)
_arg_ask_pin="on"
_next="${_key##-a}"
if test -n "$_next" -a "$_next" != "$_key"
then
{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
fi
;;
-s|--salt)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_salt="$2"
shift
;;
--salt=*)
_arg_salt="${_key##--salt=}"
;;
-s*)
_arg_salt="${_key##-s}"
;;
-h|--help)
print_help
exit 0
;;
-h*)
print_help
exit 0
;;
*)
_last_positional="$1"
_positionals+=("$_last_positional")
_positionals_count=$((_positionals_count + 1))
;;
esac
shift
done
}
handle_passed_args_count()
{
local _required_args_string="'operation'"
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}
assign_positional_args()
{
local _positional_name _shift_for=$1
_positional_names="_arg_operation "
shift "$_shift_for"
for _positional_name in ${_positional_names}
do
test $# -gt 0 || break
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
shift
done
}
parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"
# OTHER STUFF GENERATED BY Argbash
### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash
if [ -z ${_arg_mount_point} ]; then
die "Missing '--mount-point' argument"
fi
if [ -z ${_arg_device} ]; then
die "Missing '--device' argument"
fi
ASK_PIN=${_arg_ask_pin}
OPERATION=${_arg_operation}
DEVICE=${_arg_device}
DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
MOUNT_POINT=${_arg_mount_point}
CREDENTIALS_TYPE=${_arg_credentials_type}
SALT=${_arg_salt}
CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
if [ "${OPERATION}" == "mount" ]; then
if [ "${CREDENTIALS_TYPE}" == "external" ]; then
if [ -f ${CONF_FILE_PATH} ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
CREDENTIALS=$(<${CONF_FILE_PATH})
else
die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
fi
printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
else
die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
fi
mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
elif [ "${OPERATION}" == "umount" ]; then
umount ${MOUNT_POINT}
cryptsetup luksClose ${DEVICE_NAME}
else
die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
fi
exit 0
# ] <-- needed because of Argbash

35
src/cli.rs
View File

@ -25,7 +25,7 @@ fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
if let Some(src) = ap.pin_source.as_ref() {
let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?;
Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
Ok(pin)
} else {
util::read_password("Authenticator PIN", false)
}
@ -71,12 +71,6 @@ pub fn parse_cmdline() -> Args {
Args::from_args()
}
pub fn prompt_interaction(interactive: bool) {
if interactive {
println!("Authorize using your FIDO device");
}
}
pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout();
let args = parse_cmdline();
@ -93,7 +87,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else {
None
};
let cred = make_credential_id(Some(name.as_ref()), pin)?;
let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
println!("{}", hex::encode(&cred.id));
Ok(())
}
@ -115,7 +109,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else {
secret.salt.obtain_sha256(&secret.password_helper)
}?;
prompt_interaction(interactive);
let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(),
&salt,
@ -171,27 +164,23 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => Ok((util::read_keyfile(file)?, None)),
OtherSecret {
fido_device: true, ..
} => {
prompt_interaction(interactive);
Ok(derive_secret(
} => Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
}
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
_ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
}
};
let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
prompt_interaction(interactive);
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
derive_secret(
&credentials.ids.0,
&salt(q, verify)?,
&salt("Password", verify)?,
authenticator.await_time,
pin.as_deref(),
)
@ -201,7 +190,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
match &args.command {
Command::AddKey { exclusive, .. } => {
let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret("Password to be added", true)?;
let (new_secret, cred) = secret(true)?;
let added_slot = luks_dev.add_key(
&new_secret,
&existing_secret[..],
@ -226,7 +215,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(())
}
Command::ReplaceKey { add_password, .. } => {
let (existing_secret, _) = secret("Current password", false)?;
let (existing_secret, _) = secret(false)?;
let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password {
luks_dev.add_key(
@ -259,7 +248,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
name,
retries,
allow_discards,
..
}
| Command::OpenToken {
@ -268,7 +256,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
name,
retries,
allow_discards,
} => {
let pin_string;
let pin = if authenticator.pin {
@ -287,7 +274,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
// Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
prompt_interaction(interactive);
derive_secret(
credentials.as_ref(),
&salt("Password", false)?,
@ -301,9 +287,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
loop {
let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| {
luks_dev.activate(&name, &secret, luks.slot, *allow_discards)
}),
.and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
Command::OpenToken { .. } => luks_dev.activate_token(
&name,
Box::new(|credentials: Vec<String>| {
@ -315,7 +299,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
}),
luks.slot,
*allow_discards,
),
_ => unreachable!(),
};

12
src/cli_args/mod.rs
View File

@ -216,9 +216,6 @@ pub enum Command {
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
@ -233,18 +230,15 @@ pub enum Command {
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
},
/// Generate a new FIDO credential
#[structopt(name = "credential")]
Credential {
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
name: String,
/// Name to be displayed on the authenticator if it has a display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
name: Option<String>,
},
/// Check if an authenticator is connected
#[structopt(name = "connected")]

39
src/error.rs
View File

@ -1,10 +1,10 @@
use ctap::FidoError;
use libcryptsetup_rs::LibcryptErr;
use pamsm::PamError;
use std::io;
use std::io::ErrorKind;
use std::string::FromUtf8Error;
use Fido2LuksError::*;
pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
#[derive(Debug, Fail)]
@ -29,6 +29,10 @@ pub enum Fido2LuksError {
WrongSecret,
#[fail(display = "not an utf8 string")]
StringEncodingError { cause: FromUtf8Error },
#[fail(display = "elevated privileges required")]
MissingPrivileges,
#[fail(display = "{}", cause)]
Configuration { cause: ConfigurationError },
}
impl Fido2LuksError {
@ -50,6 +54,26 @@ pub enum AskPassError {
IO(io::Error),
#[fail(display = "provided passwords don't match")]
Mismatch,
#[fail(display = "unable to retrieve password: {}", _0)]
Pam(PamError),
}
impl From<PamError> for AskPassError {
fn from(e: PamError) -> Self {
AskPassError::Pam(e)
}
}
impl From<io::Error> for AskPassError {
fn from(e: io::Error) -> Self {
AskPassError::IO(e)
}
}
impl From<AskPassError> for Fido2LuksError {
fn from(cause: AskPassError) -> Self {
Fido2LuksError::AskPassError { cause }
}
}
#[derive(Debug, Fail)]
@ -112,3 +136,16 @@ impl From<FromUtf8Error> for Fido2LuksError {
StringEncodingError { cause: e }
}
}
#[derive(Debug, Fail)]
pub enum ConfigurationError {
#[fail(display = "config is missing some values: {:?}", _0)]
Missing(Vec<String>),
#[fail(display = "config attribute {} contains an invalid value: {}", _1, _0)]
InvalidValue(String, String),
}
impl From<ConfigurationError> for Fido2LuksError {
fn from(cause: ConfigurationError) -> Fido2LuksError {
Fido2LuksError::Configuration { cause }
}
}

183
src/lib.rs Normal file
View File

@ -0,0 +1,183 @@
#[macro_use]
extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli_args::{CommaSeparated, HexEncoded};
use crate::device::*;
use crate::error::*;
use crate::luks::*;
use ctap::FidoCredential;
use failure::_core::time::Duration;
use pamsm::PamLibExt;
use pamsm::*;
use std::collections::{HashMap, HashSet};
use std::path::Path;
use std::str::FromStr;
use sudo::{self, RunningAs};
pub mod cli_args;
pub mod device;
pub mod error;
pub mod luks;
pub mod util;
struct PamFido2Luks;
impl PamFido2Luks {
fn open(
&self,
user: String,
mut password: impl FnMut(&str) -> PamResult<String>,
args: Vec<String>,
) -> Fido2LuksResult<()> {
let args: HashMap<String, String> = args
.into_iter()
.filter_map(|arg| {
let mut parts = arg.split("=");
parts
.by_ref()
.next()
.map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
})
.collect();
let credentials = match args.get("credentials").map(|creds| {
<CommaSeparated<String>>::from_str(creds)
.map(|cs| cs.0)
.map_err(|_| ConfigurationError::InvalidValue("credentials".into(), creds.into()))
}) {
Some(creds) => creds?,
_ => Vec::new(),
};
let pin = args.get("pin");
let pin_prefix = args
.get("pin-prefix")
.map(|p| p.parse::<bool>().unwrap_or_default())
.unwrap_or_default();
let device = args
.get("device")
.map(|device| device.replace("%user%", user.as_str()));
let name = args
.get("name")
.map(|name| name.replace("%user%", user.as_str()));
let mut attempts = args
.get("attempts")
.and_then(|a| a.parse::<usize>().ok())
.unwrap_or(3);
if let (Some(device), Some(name)) = (device, name) {
if !Path::new(&device).exists() || Path::new(&format!("/dev/mapper/{}", name)).exists()
{
return Ok(());
}
// root required to mount luks
match sudo::check() {
RunningAs::User => return Err(Fido2LuksError::MissingPrivileges),
_ => {
sudo::escalate_if_needed().map_err(|_| Fido2LuksError::MissingPrivileges)?;
}
}
let mut device = LuksDevice::load(device)?;
let mut additional_credentials: HashSet<String> = HashSet::new();
if device.is_luks2()? {
for token in device.tokens()? {
let (_, token) = token?;
additional_credentials.extend(token.credential.into_iter());
}
}
let credentials: Vec<FidoCredential> = credentials
.into_iter()
.chain(additional_credentials.into_iter())
.map(|cred| HexEncoded::from_str(cred.as_str()))
.map(|cred| FidoCredential {
id: cred.unwrap().0,
public_key: None,
})
.collect();
let credentials: Vec<&FidoCredential> = credentials.iter().collect();
if !credentials.is_empty() {
loop {
let (pin, pass) = if pin_prefix {
let password = password("PIN + FIDO2 salt (pin:password):")
.map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?;
let mut parts = password.split(":");
(
parts.next().map(|p| p.to_string()).or(pin.cloned()),
parts.collect::<Vec<_>>().join(":"),
)
} else {
(
pin.cloned(),
password("FIDO2 salt: ")
.map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?,
)
};
let salt = util::sha256(&[pass.as_bytes()]);
let secret = util::sha256(&[
&salt,
&perform_challenge(
&credentials[..],
&salt,
Duration::from_secs(15),
pin.as_ref().map(String::as_str),
)?
.0[..],
]);
match device.activate(name.as_str(), &secret[..], None) {
Ok(_) => return Ok(()),
_ if attempts > 0 => {
attempts -= 1;
continue;
}
Err(e) => break Err(e),
}
}
} else {
Err(ConfigurationError::Missing(vec!["credentials".into()]).into())
}
} else {
Ok(())
}
}
}
impl PamServiceModule for PamFido2Luks {
fn authenticate(pamh: Pam, _flag: PamFlag, args: Vec<String>) -> PamError {
let perfrom_authenticate = move || -> Fido2LuksResult<()> {
let user = match pamh.get_cached_user() {
Err(e) => Err(AskPassError::Pam(e))?,
Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
};
let mut password = match pamh.get_authtok(None) {
Err(e) => Err(AskPassError::Pam(e))?,
Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
};
if let Some(user) = user {
PamFido2Luks.open(
user,
move |q: &str| match password.take() {
Some(pass) => Ok(pass),
None => pamh
.conv(Some(q), PamMsgStyle::PROMPT_ECHO_OFF)
.map(|s| s.map(|s| s.to_str().unwrap()).unwrap_or("").to_string()),
},
args,
)
} else {
Err(AskPassError::Pam(PamError::AUTH_ERR))?
}
};
match perfrom_authenticate() {
Ok(_) => PamError::SUCCESS,
Err(e) => {
eprintln!("{}", e);
PamError::AUTH_ERR
}
}
}
}
pam_module!(PamFido2Luks);

14
src/luks.rs
View File

@ -1,8 +1,8 @@
use crate::error::*;
use libcryptsetup_rs::{
CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
EncryptionFormat, KeyslotInfo, TokenInput,
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
TokenInput,
};
use std::collections::{HashMap, HashSet};
use std::path::Path;
@ -221,15 +221,10 @@ impl LuksDevice {
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
let mut flags = CryptActivateFlags::empty();
if allow_discard {
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
}
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, flags)
.activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
.map_err(LuksError::activate)
}
@ -238,7 +233,6 @@ impl LuksDevice {
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
return Err(LuksError::Luks2Required.into());
@ -282,7 +276,7 @@ impl LuksDevice {
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot, allow_discard) {
match self.activate(name, &secret, slot) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}