shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:master
Branches Tags
shimun:master
shimun:0.3.0-alpha
shimun:ctap-hid-fido2
shimun:retry_pin
shimun:0.3.0
shimun:debVM
shimun:flake
shimun:password_promt
shimun:dracut
shimun:initcpio
shimun:pam_mod
shimun:setup
shimun:completions
shimun:pkgbuild
shimun:pin_source
shimun:relicense
shimun:deb
shimun:initramfs-tools
shimun:luks_refr
shimun:0.2.8
shimun:luks2_token
shimun:cli_reorg
shimun:request_multiple
shimun:luks2
shimun:cratesio
shimun:isalt
shimun:connected
shimun:keyutils
shimun:0.2.20
shimun:0.2.19
shimun:0.2.18
shimun:0.2.17
shimun:0.2.16
shimun:0.2.15
shimun:0.2.14
shimun:0.2.13
shimun:0.2.12
shimun:0.2.11
shimun:0.2.10
shimun:0.2.9
shimun:0.2.8
shimun:0.2.7
shimun:0.2.6
shimun:0.2.5
shimun:0.2.4
shimun:0.2.3
shimun:0.2.2
shimun:0.2.1
shimun:0.2.0
..
compare: shimun:retry_pin
Branches Tags
shimun:0.3.0-alpha
shimun:ctap-hid-fido2
shimun:retry_pin
shimun:master
shimun:0.3.0
shimun:debVM
shimun:flake
shimun:password_promt
shimun:dracut
shimun:initcpio
shimun:pam_mod
shimun:setup
shimun:completions
shimun:pkgbuild
shimun:pin_source
shimun:relicense
shimun:deb
shimun:initramfs-tools
shimun:luks_refr
shimun:0.2.8
shimun:luks2_token
shimun:cli_reorg
shimun:request_multiple
shimun:luks2
shimun:cratesio
shimun:isalt
shimun:connected
shimun:keyutils
shimun:0.2.20
shimun:0.2.19
shimun:0.2.18
shimun:0.2.17
shimun:0.2.16
shimun:0.2.15
shimun:0.2.14
shimun:0.2.13
shimun:0.2.12
shimun:0.2.11
shimun:0.2.10
shimun:0.2.9
shimun:0.2.8
shimun:0.2.7
shimun:0.2.6
shimun:0.2.5
shimun:0.2.4
shimun:0.2.3
shimun:0.2.2
shimun:0.2.1
shimun:0.2.0

6 Commits
master ... retry_pin

Author SHA1 Message Date
shimun
4ee5965bfa
added: retry pin 2022-01-24 14:36:07 +01:00
shimun
b939e9efcd
added: allow-discards env var 2022-01-24 14:19:04 +01:00
shimun
f6c2bc4cdb
added --allow-discards flag 2021-12-28 13:50:21 +01:00
shimun
4e7ef4b8b7
0.3.0-alpha notice 2021-12-11 11:52:40 +01:00
shimun
e1ad8b37c1
0.3.0-alpha 2021-12-11 11:51:07 +01:00
shimun
e9510216ef
1
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/pr Build is failing
Details
2020-10-11 18:33:59 +02:00
19 changed files with 738 additions and 602 deletions
Show Stats Expand all files Collapse all files

10
.drone.yml
View File

@ -8,22 +8,20 @@ steps:
- rustup component add rustfmt
- cargo fmt --all -- --check
- name: test
image: ubuntu:focal
image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
environment:
DEBIAN_FRONTEND: noninteractive
commands:
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo test --locked
- name: publish
image: ubuntu:focal
image: shimun/fido2luks@sha256:6d0b4017bffbec5fac8f25d383d68671fcc9930efb02e97ce5ea81acf0060ece
environment:
DEBIAN_FRONTEND: noninteractive
CARGO_REGISTRY_TOKEN:
from_secret: cargo_tkn
commands:
- grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo package --all-features
- cargo publish --all-features
- cargo package --all-features --allow-dirty
- cargo publish --all-features --allow-dirty
when:
event: tag

11
CHANGELOG.md Normal file
View File

@ -0,0 +1,11 @@
## 0.3.0
* LUKS2 Tokens are now supported by every subcommand
* `<credential>` has been converted into the flag `--creds`
credentials provided by `--creds` will be supplemented from the LUKS header unless this is disabled by `--disable-token`
* `fido2luks add-key` will take an `--auto-cred` flag which allows for credentials to be generated and stored without having to use `fido2luks credential`
`fido2luks replace-key` will allow for credentials to be removed using the `--remove-cred` flag respectively
* Removed `fido2luks open-token` subcommand
`fido2luks open` now fulfills both functions
* Added `fido2luks open --dry-run` flag, to perform the whole procedure apart from mounting the LUKS volume
* Added an `--verbose` flag to display additional information like credentials and keyslots used if desired

416
Cargo.lock generated
View File

@ -1,34 +1,36 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3
[[package]]
name = "addr2line"
version = "0.17.0"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b9ecd88a8c8378ca913a680cd98f0f13ac67383d35993f86c90a70e3f137816b"
checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
dependencies = [
"gimli",
]
[[package]]
name = "adler"
version = "1.0.2"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
[[package]]
name = "aho-corasick"
version = "0.7.18"
version = "0.7.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
dependencies = [
"memchr",
]
[[package]]
name = "ansi_term"
version = "0.12.1"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
dependencies = [
"winapi",
]
@ -58,13 +60,12 @@ checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
[[package]]
name = "backtrace"
version = "0.3.63"
version = "0.3.50"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "321629d8ba6513061f26707241fa9bc89524ff1cd7a915a97ef0c62c666ce1b6"
checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
dependencies = [
"addr2line",
"cc",
"cfg-if 1.0.0",
"cfg-if",
"libc",
"miniz_oxide",
"object",
@ -73,12 +74,13 @@ dependencies = [
[[package]]
name = "bindgen"
version = "0.59.2"
version = "0.54.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2bd2a9a458e8f4304c52c43ebb0cfbd520289f8379a52e329a38afda99bf8eb8"
checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
dependencies = [
"bitflags",
"cexpr",
"cfg-if",
"clang-sys",
"clap",
"env_logger",
@ -86,8 +88,8 @@ dependencies = [
"lazycell",
"log",
"peeking_take_while",
"proc-macro2 1.0.36",
"quote 1.0.14",
"proc-macro2 1.0.27",
"quote 1.0.7",
"regex",
"rustc-hash",
"shlex",
@ -96,15 +98,15 @@ dependencies = [
[[package]]
name = "bitflags"
version = "1.3.2"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
[[package]]
name = "bstr"
version = "0.2.17"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223"
checksum = "a40b47ad93e1a5404e6c18dec46b628214fee441c70f4ab5d6942142cc268a3d"
dependencies = [
"lazy_static",
"memchr",
@ -114,9 +116,9 @@ dependencies = [
[[package]]
name = "byteorder"
version = "1.4.3"
version = "1.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de"
[[package]]
name = "cbor-codec"
@ -130,15 +132,15 @@ dependencies = [
[[package]]
name = "cc"
version = "1.0.72"
version = "1.0.59"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22a9137b95ea06864e018375b72adfb7db6e6f68cfc8df5a04d00288050485ee"
checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
[[package]]
name = "cexpr"
version = "0.6.0"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
checksum = "f4aedb84272dbe89af497cf81375129abda4fc0a9e7c5d317498c15cc30c0d27"
dependencies = [
"nom",
]
@ -149,17 +151,11 @@ version = "0.1.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
[[package]]
name = "cfg-if"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "clang-sys"
version = "1.3.0"
version = "0.29.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa66045b9cb23c2e9c1520732030608b02ee07e5cfaa5a521ec15ded7fa24c90"
checksum = "fe6837df1d5cba2397b835c8530f51723267e16abbf83892e9e5af4f0e5dd10a"
dependencies = [
"glob",
"libc",
@ -168,9 +164,9 @@ dependencies = [
[[package]]
name = "clap"
version = "2.34.0"
version = "2.33.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
dependencies = [
"ansi_term",
"atty",
@ -196,7 +192,7 @@ version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69323bff1fb41c635347b8ead484a5ca6c3f11914d784170b158d8449ab07f8e"
dependencies = [
"cfg-if 0.1.10",
"cfg-if",
"crossbeam-channel",
"crossbeam-deque",
"crossbeam-epoch",
@ -216,9 +212,9 @@ dependencies = [
[[package]]
name = "crossbeam-deque"
version = "0.7.4"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c20ff29ded3204c5106278a81a38f4b482636ed4fa1e6cfbeef193291beb29ed"
checksum = "9f02af974daeee82218205558e51ec8768b48cf524bd01d550abe5573a608285"
dependencies = [
"crossbeam-epoch",
"crossbeam-utils",
@ -232,7 +228,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
dependencies = [
"autocfg 1.0.1",
"cfg-if 0.1.10",
"cfg-if",
"crossbeam-utils",
"lazy_static",
"maybe-uninit",
@ -246,7 +242,7 @@ version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
dependencies = [
"cfg-if 0.1.10",
"cfg-if",
"crossbeam-utils",
"maybe-uninit",
]
@ -258,7 +254,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
dependencies = [
"autocfg 1.0.1",
"cfg-if 0.1.10",
"cfg-if",
"lazy_static",
]
@ -270,7 +266,7 @@ checksum = "22813a6dc45b335f9bade10bf7271dc477e81113e89eb251a0bc2a8a81c536e1"
dependencies = [
"bstr",
"csv-core",
"itoa 0.4.8",
"itoa",
"ryu",
"serde",
]
@ -325,10 +321,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
dependencies = [
"fnv",
"ident_case",
"proc-macro2 1.0.36",
"quote 1.0.14",
"proc-macro2 1.0.27",
"quote 1.0.7",
"strsim 0.9.3",
"syn 1.0.84",
"syn 1.0.73",
]
[[package]]
@ -338,8 +334,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
dependencies = [
"darling_core",
"quote 1.0.14",
"syn 1.0.84",
"quote 1.0.7",
"syn 1.0.73",
]
[[package]]
@ -350,9 +346,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
dependencies = [
"darling",
"derive_builder_core",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.73",
]
[[package]]
@ -362,22 +358,22 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
dependencies = [
"darling",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.73",
]
[[package]]
name = "either"
version = "1.6.1"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
[[package]]
name = "env_logger"
version = "0.9.0"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0b2cf0344971ee6c64c31be0d530793fba457d322dfec2810c453d0ef228f9c3"
checksum = "44533bbbb3bb3c1fa17d9f2e4e38bbbaf8396ba82193c4cb1b6445d711445d36"
dependencies = [
"atty",
"humantime",
@ -402,15 +398,15 @@ version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.73",
"synstructure",
]
[[package]]
name = "fido2luks"
version = "0.2.20"
version = "0.3.0-alpha"
dependencies = [
"ctap_hmac",
"failure",
@ -442,22 +438,11 @@ version = "0.3.55"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
[[package]]
name = "getrandom"
version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
dependencies = [
"cfg-if 1.0.0",
"libc",
"wasi",
]
[[package]]
name = "gimli"
version = "0.26.1"
version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "78cc372d058dcf6d5ecd98510e7fbc9e5aec4d21de70f65fea8fecebcd881bd4"
checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
[[package]]
name = "glob"
@ -467,18 +452,18 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574"
[[package]]
name = "heck"
version = "0.3.3"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6d621efb26863f0e9924c6ac577e8275e5e6b77455db64ffa6c65c904e9e132c"
checksum = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
dependencies = [
"unicode-segmentation",
]
[[package]]
name = "hermit-abi"
version = "0.1.19"
version = "0.1.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
dependencies = [
"libc",
]
@ -491,9 +476,12 @@ checksum = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
[[package]]
name = "humantime"
version = "2.1.0"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
checksum = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f"
dependencies = [
"quick-error",
]
[[package]]
name = "ident_case"
@ -503,15 +491,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
[[package]]
name = "itoa"
version = "0.4.8"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4"
[[package]]
name = "itoa"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35"
checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
[[package]]
name = "lazy_static"
@ -527,54 +509,54 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
[[package]]
name = "libc"
version = "0.2.112"
version = "0.2.76"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b03d17f364a3a042d5e5d46b053bbbf82c92c9430c592dd4c064dc6ee997125"
checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
[[package]]
name = "libcryptsetup-rs"
version = "0.4.4"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dccc914e228f8b36aae1173b8dba2abf62eed833e9f816ec27b0917b26655d09"
checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
dependencies = [
"either",
"libc",
"libcryptsetup-rs-sys",
"pkg-config",
"semver 0.11.0",
"semver",
"serde_json",
"uuid",
]
[[package]]
name = "libcryptsetup-rs-sys"
version = "0.1.6"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41ef25e923679fe233e3c109702829717404d1266c80d6f30236e82e7b2798dc"
checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
dependencies = [
"bindgen",
"cc",
"pkg-config",
"semver 1.0.4",
"semver",
]
[[package]]
name = "libloading"
version = "0.7.2"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "afe203d669ec979b7128619bae5a63b7b42e9203c1b29146079ee05e2f604b52"
checksum = "f2b111a074963af1d37a139918ac6d49ad1d0d5e47f72fd55388619691a7d753"
dependencies = [
"cfg-if 1.0.0",
"cc",
"winapi",
]
[[package]]
name = "log"
version = "0.4.14"
version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
dependencies = [
"cfg-if 1.0.0",
"cfg-if",
]
[[package]]
@ -585,43 +567,35 @@ checksum = "60302e4db3a61da70c0cb7991976248362f30319e88850c487b9b95bbf059e00"
[[package]]
name = "memchr"
version = "2.4.1"
version = "2.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a"
checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
[[package]]
name = "memoffset"
version = "0.5.6"
version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "043175f069eda7b85febe4a74abbaeff828d9f8b448515d3151a14a3542811aa"
checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
dependencies = [
"autocfg 1.0.1",
]
[[package]]
name = "minimal-lexical"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
[[package]]
name = "miniz_oxide"
version = "0.4.4"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a92518e98c078586bc6c934028adcca4c92a53d6a958196de835170a01d84e4b"
checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
dependencies = [
"adler",
"autocfg 1.0.1",
]
[[package]]
name = "nom"
version = "7.1.0"
version = "5.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b1d11e1ef389c76fe5b81bcaf2ea32cf88b62bc494e19f493d0b30e7a930109"
checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
dependencies = [
"memchr",
"minimal-lexical",
"version_check",
]
@ -638,21 +612,18 @@ dependencies = [
[[package]]
name = "num-traits"
version = "0.2.14"
version = "0.2.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
dependencies = [
"autocfg 1.0.1",
]
[[package]]
name = "object"
version = "0.27.1"
version = "0.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "67ac1d3f9a1d3616fd9a60c8d74296f22406a238b6a72f5cc1e6f314df4ffbf9"
dependencies = [
"memchr",
]
checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
[[package]]
name = "peeking_take_while"
@ -660,20 +631,11 @@ version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
[[package]]
name = "pest"
version = "2.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10f4872ae94d7b90ae48754df22fd42ad52ce740b8f370b03da4835417403e53"
dependencies = [
"ucd-trie",
]
[[package]]
name = "pkg-config"
version = "0.3.24"
version = "0.3.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"
checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
[[package]]
name = "proc-macro-error"
@ -682,9 +644,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
dependencies = [
"proc-macro-error-attr",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.73",
"version_check",
]
@ -694,8 +656,8 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"proc-macro2 1.0.27",
"quote 1.0.7",
"version_check",
]
@ -710,13 +672,19 @@ dependencies = [
[[package]]
name = "proc-macro2"
version = "1.0.36"
version = "1.0.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c7342d5883fbccae1cc37a2353b09c87c9b0f3afd73f5fb9bba687a1f733b029"
checksum = "f0d8caf72986c1a598726adc988bb5984792ef84f5ee5aa50209145ee8077038"
dependencies = [
"unicode-xid 0.2.2",
"unicode-xid 0.2.1",
]
[[package]]
name = "quick-error"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
[[package]]
name = "quote"
version = "0.6.13"
@ -728,11 +696,11 @@ dependencies = [
[[package]]
name = "quote"
version = "1.0.14"
version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "47aa80447ce4daf1717500037052af176af5d38cc3e571d9ec1c7353fc10c87d"
checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
dependencies = [
"proc-macro2 1.0.36",
"proc-macro2 1.0.27",
]
[[package]]
@ -875,13 +843,14 @@ dependencies = [
[[package]]
name = "regex"
version = "1.5.4"
version = "1.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d07a8629359eb56f1e2fb1652bb04212c072a87ba68546a04065d525673ac461"
checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
dependencies = [
"aho-corasick",
"memchr",
"regex-syntax",
"thread_local",
]
[[package]]
@ -892,9 +861,9 @@ checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
[[package]]
name = "regex-syntax"
version = "0.6.25"
version = "0.6.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
[[package]]
name = "ring"
@ -933,9 +902,9 @@ dependencies = [
[[package]]
name = "rustc-demangle"
version = "0.1.21"
version = "0.1.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"
checksum = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783"
[[package]]
name = "rustc-hash"
@ -951,9 +920,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
[[package]]
name = "ryu"
version = "1.0.9"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
[[package]]
name = "scopeguard"
@ -963,61 +932,52 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
[[package]]
name = "semver"
version = "0.11.0"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
checksum = "1d7eb9ef2c18661902cc47e535f9bc51b78acd254da71d375c2f6720d9a40403"
dependencies = [
"semver-parser",
]
[[package]]
name = "semver"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "568a8e6258aa33c13358f81fd834adb854c6f7c9468520910a9b1e8fac068012"
[[package]]
name = "semver-parser"
version = "0.10.2"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
dependencies = [
"pest",
]
checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
[[package]]
name = "serde"
version = "1.0.132"
version = "1.0.126"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b9875c23cf305cd1fd7eb77234cbb705f21ea6a72c637a5c6db5fe4b8e7f008"
checksum = "ec7505abeacaec74ae4778d9d9328fe5a5d04253220a85c4ee022239fc996d03"
[[package]]
name = "serde_derive"
version = "1.0.132"
version = "1.0.126"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ecc0db5cb2556c0e558887d9bbdcf6ac4471e83ff66cf696e5419024d1606276"
checksum = "963a7dbc9895aeac7ac90e74f34a5d5261828f79df35cbed41e10189d3804d43"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.73",
]
[[package]]
name = "serde_json"
version = "1.0.73"
version = "1.0.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bcbd0344bc6533bc7ec56df11d42fb70f1b912351c0825ccb7211b59d8af7cf5"
checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
dependencies = [
"itoa 1.0.1",
"itoa",
"ryu",
"serde",
]
[[package]]
name = "shlex"
version = "1.1.0"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "43b2853a4d09f215c24cc5489c992ce46052d359b5109343cbafbf26bc62f8a3"
checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
[[package]]
name = "strsim"
@ -1033,9 +993,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
[[package]]
name = "structopt"
version = "0.3.25"
version = "0.3.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40b9788f4202aa75c240ecc9c15c65185e6a39ccdeb0fd5d008b98825464c87c"
checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
dependencies = [
"clap",
"lazy_static",
@ -1044,15 +1004,15 @@ dependencies = [
[[package]]
name = "structopt-derive"
version = "0.4.18"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dcb5ae327f9cc13b68763b5749770cb9e048a99bd9dfdfa58d0cf05d5f64afe0"
checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
dependencies = [
"heck",
"proc-macro-error",
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.73",
]
[[package]]
@ -1068,32 +1028,32 @@ dependencies = [
[[package]]
name = "syn"
version = "1.0.84"
version = "1.0.73"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ecb2e6da8ee5eb9a61068762a32fa9619cc591ceb055b3687f4cd4051ec2e06b"
checksum = "f71489ff30030d2ae598524f61326b902466f72a0fb1a8564c001cc63425bcc7"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"unicode-xid 0.2.2",
"proc-macro2 1.0.27",
"quote 1.0.7",
"unicode-xid 0.2.1",
]
[[package]]
name = "synstructure"
version = "0.12.6"
version = "0.12.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
dependencies = [
"proc-macro2 1.0.36",
"quote 1.0.14",
"syn 1.0.84",
"unicode-xid 0.2.2",
"proc-macro2 1.0.27",
"quote 1.0.7",
"syn 1.0.73",
"unicode-xid 0.2.1",
]
[[package]]
name = "termcolor"
version = "1.1.2"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2dfed899f0eb03f32ee8c6a0aabdb8a7949659e3466561fc0adf54e26d88c5f4"
checksum = "bb6bfa289a4d7c5766392812c0a1f4c1ba45afa1ad47803c11e1f407d846d75f"
dependencies = [
"winapi-util",
]
@ -1108,32 +1068,36 @@ dependencies = [
]
[[package]]
name = "time"
version = "0.1.43"
name = "thread_local"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
checksum = "d40c6d1b69745a6ec6fb1ca717914848da4b44ae29d9b3080cbee91d72a69b14"
dependencies = [
"lazy_static",
]
[[package]]
name = "time"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
dependencies = [
"libc",
"wasi",
"winapi",
]
[[package]]
name = "ucd-trie"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "56dee185309b50d1f11bfedef0fe6d036842e3fb77413abef29f8f8d1c5d4c1c"
[[package]]
name = "unicode-segmentation"
version = "1.8.0"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8895849a949e7845e06bd6dc1aa51731a103c42707010a5b591c0038fb73385b"
checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
[[package]]
name = "unicode-width"
version = "0.1.9"
version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973"
checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
[[package]]
name = "unicode-xid"
@ -1143,9 +1107,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
[[package]]
name = "unicode-xid"
version = "0.2.2"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
[[package]]
name = "untrusted"
@ -1155,11 +1119,11 @@ checksum = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
[[package]]
name = "uuid"
version = "0.8.2"
version = "0.7.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
checksum = "90dbc611eb48397705a6b0f6e917da23ae517e4d127123d2cf7674206627d32a"
dependencies = [
"getrandom",
"rand 0.6.5",
]
[[package]]
@ -1170,24 +1134,22 @@ checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
[[package]]
name = "version_check"
version = "0.9.3"
version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
[[package]]
name = "wasi"
version = "0.10.2+wasi-snapshot-preview1"
version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]]
name = "which"
version = "4.2.2"
version = "3.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea187a8ef279bc014ec368c27a920da2024d2a711109bfbe3440585d5cf27ad9"
checksum = "d011071ae14a2f6671d0b74080ae0cd8ebf3a6f8c9589a2cd45f23126fe29724"
dependencies = [
"either",
"lazy_static",
"libc",
]

9
Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "fido2luks"
version = "0.2.20"
version = "0.3.0-alpha"
authors = ["shimunn <shimun@shimun.net>"]
edition = "2018"
@ -20,10 +20,10 @@ ring = "0.13.5"
failure = "0.1.5"
rpassword = "4.0.1"
structopt = "0.3.2"
libcryptsetup-rs = "0.4.1"
libcryptsetup-rs = "0.4.2"
serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
serde_derive = "1.0.116"
serde = "1.0.116"
[build-dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
@ -48,7 +48,6 @@ extended-description = "Decrypt your LUKS partition using a FIDO2 compatible aut
assets = [
["target/release/fido2luks", "usr/bin/", "755"],
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"],

161
README.md
View File

@ -1,160 +1,7 @@
# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
## Setup
### Prerequisites
```
dnf install clang cargo cryptsetup-devel -y
```
### Device
```
git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
sudo -E cargo install -f --path . --root /usr
# Copy template
cp dracut/96luks-2fa/fido2luks.conf /etc/
# Name is optional but useful if your authenticator has a display
echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
# Load config into env
set -a
. /etc/fido2luks.conf
# Repeat for each luks volume
# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
# enabling you to use `fido2luks open-token` without passing a credential as parameter
sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
# Test(only works if the luks container isn't active)
sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
```
### Dracut
```
cd dracut
sudo make install
```
### Grub
Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
```
grub2-mkconfig > /boot/grub2/grub.cfg
```
I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
```
mkdir /boot/fido2luks/
cp /usr/bin/fido2luks /boot/fido2luks/
cp /etc/fido2luks.conf /boot/fido2luks/
```
## Testing
Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
```
# Recommend in case you lose your authenticator, store this backupfile somewhere safe
cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
# There is no turning back if you mess this up, make sure you made a backup
# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
# which will enable you to use `fido2luks open-token` without passing a credential as parameter
fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
```
## Addtional settings
### Password less
Remove your previous secret as described in the next section, in case you've already added one.
Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
but be warned that this password will be included to into your initramfs.
Import the new config into env:
```
set -a
. /etc/fido2luks.conf
```
Then add the new secret to each device and update dracut afterwards `dracut -f`
### Multiple keys
Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
```
FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
```
## Removal
Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
```
set -a
. fido2luks.conf
sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
```
## Theory of operation
fido2luks builds on two basic building blocks, LUKS as an abstraction over linux disk encryption and and the FIDO2 extension [`hmac-secret`](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension).
The `hmac-secret` extension allows for an secret to be dervied on the FIDO2 device from two inputs, the user supplied salt/password/keyfile and another secret contained within the FID2 device. The output of the `hmac-secret` function will then be used to decrypt the LUKS header which in turn is used to decrypt the disk.
```
+-------------------------------------------------------------------------------+
| |
| +-----------------------------------------+ |
| | FIDO2 device | |
| | | |
| | | |
+-------+--------+ +------+ | +---------------+ | | +------------------------+
| Salt/Password +-> |sha256+------------------------> | | | v | LUKS header |
+----------------+ +------+ | | | | | | +---------------+
| | | | +--------+ +------------------------+--------> |Disk master key|
| | sha256_hmac +---------> | sha256 +-------> | Keyslot 1 | +---------------+
+----------------+ | +----------+ | | | +--------+ +------------------------+
| FIDO credential+---------------> |Credential| +----> | | | | Keyslot 2 |
+----------------+ | |secret | | | | +------------------------+
| +----------+ +---------------+ |
| |
| |
+-----------------------------------------+
```
Since all these components build upon each other losing or damaging just one of them will render the disk undecryptable, it's threfore of paramount importance to backup the LUKS header and ideally set an backup password
or utilise more than one FIDO2 device. Each additional credential and password combination will require it's own LUKS keyslot since the credential secret is randomly generated for each new credential and will thus result
in a completly different secret.
## License
Licensed under
* Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
### Contribution
Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the MPL 2.0
license, shall be licensed as above, without any additional terms or
conditions.
## 0.3.0-alpha
This is just the program itself, all intitrid scripts are mostly taylored to the latest 0.2.x version and will most likely not work with 0.3.0 due to breaking changes in the CLI interface.
I've decided it release the version in this state since I just do not have the time now or in the forseeable future to tewak all scripts since it's quite an tedious tasks which involves rebooting VMs countless times.
If you're interested to adapt or write scripts for an particular distro I'd be more than happy to accept pull requests.

6
build.rs
View File

@ -19,6 +19,10 @@ use structopt::StructOpt;
fn main() {
// generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
Shell::from_str(shell).unwrap(),
env!("CARGO_MANIFEST_DIR"),
);
}
}

6
flake.lock generated
View File

@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1639947939,
"narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
"lastModified": 1639051343,
"narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=",
"owner": "nmattia",
"repo": "naersk",
"rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
"rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74",
"type": "github"
},
"original": {

2
flake.nix
View File

@ -46,6 +46,8 @@
'';
};
hydraJobs = checks // packages;
# `nix develop`
devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;

15
initramfs-tools/Dockerfile Normal file
View File

@ -0,0 +1,15 @@
FROM rust:bullseye
RUN cargo install -f cargo-deb --debug --version 1.30.0
ARG DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y cryptsetup pkg-config libclang-dev libcryptsetup-dev && mkdir -p /build/fido2luks
WORKDIR /build/fido2luks
ENV CARGO_TARGET_DIR=/build/fido2luks/target
RUN cargo install fido2luks -f
CMD bash -xc 'cp -rf /code/* /build/fido2luks && cargo-deb && cp target/debian/*.deb /out'

9
initramfs-tools/build-deb.sh Executable file
View File

@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -ex
docker build . -t fido2luks-deb
mkdir -p debs
docker run -ti -v "$(pwd)/..:/code:ro" -v "$(pwd)/debs:/out" fido2luks-deb

2
initramfs-tools/fido2luks.conf
View File

@ -1,5 +1,3 @@
FIDO2LUKS_SALT=Ask
#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
FIDO2LUKS_CREDENTIAL_ID=
FIDO2LUKS_USE_TOKEN=0
FIDO2LUKS_PASSWORD_FALLBACK=1

22
initramfs-tools/keyscript.sh
View File

@ -2,29 +2,9 @@
set -a
. /etc/fido2luks.conf
# Set Defaults
if [ -z "$FIDO2LUKS_USE_TOKEN" ]; then
FIDO2LUKS_USE_TOKEN=0
fi
if [ -z "$FIDO2LUKS_PASSWORD_FALLBACK" ]; then
FIDO2LUKS_PASSWORD_FALLBACK=1
fi
if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
MSG="FIDO2 password salt for $CRYPTTAB_NAME"
export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
fi
if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
fi
fido2luks print-secret --bin
# Fall back to passphrase-based unlock if fido2luks fails
if [ "$?" -gt 0 ] && [ "$FIDO2LUKS_PASSWORD_FALLBACK" -eq 1 ]; then
plymouth ask-for-password --prompt "Password for $CRYPTTAB_SOURCE"
fi
fido2luks print-secret --bin "$CRYPTTAB_SOURCE" $([ "$FIDO2LUKS_USE_TOKEN" -eq 0 ] && printf "--disable-token")

465
src/cli.rs
View File

@ -2,33 +2,23 @@ use crate::error::*;
use crate::luks::{Fido2LuksToken, LuksDevice};
use crate::util::sha256;
use crate::*;
pub use cli_args::Args;
use cli_args::*;
use structopt::clap::Shell;
use structopt::StructOpt;
use ctap::{FidoCredential, FidoErrorKind};
use std::io::{Read, Write};
use std::borrow::Cow;
use std::collections::HashSet;
use std::io::Write;
use std::iter::FromIterator;
use std::path::Path;
use std::str::FromStr;
use std::thread;
use std::time::Duration;
use std::borrow::Cow;
use std::collections::HashSet;
use std::fs::File;
use std::time::SystemTime;
use structopt::clap::Shell;
use structopt::StructOpt;
pub use cli_args::Args;
fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
if let Some(src) = ap.pin_source.as_ref() {
let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?;
Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
} else {
util::read_password("Authenticator PIN", false)
}
fn read_pin() -> Fido2LuksResult<String> {
util::read_password_tty("Authenticator PIN", false)
}
fn derive_secret(
@ -37,6 +27,9 @@ fn derive_secret(
timeout: u64,
pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials);
}
let timeout = Duration::from_secs(timeout);
let start = SystemTime::now();
@ -64,7 +57,98 @@ fn derive_secret(
let (unsalted, cred) =
perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
let binary = sha256(&[salt, &unsalted[..]]);
Ok((binary, cred.clone()))
}
pub fn extend_creds_device(
creds: &[HexEncoded],
luks_dev: &mut LuksDevice,
) -> Fido2LuksResult<Vec<HexEncoded>> {
let mut additional = HashSet::new();
additional.extend(creds.iter().cloned());
for token in luks_dev.tokens()? {
for cred in token?.1.credential {
let parsed = HexEncoded::from_str(cred.as_str()).map_err(|_e| {
Fido2LuksError::HexEncodingError {
string: cred.clone(),
}
})?;
additional.insert(parsed);
}
}
Ok(Vec::from_iter(additional.into_iter()))
}
pub fn get_input(
secret: &SecretParameters,
authenticator: &AuthenticatorParameters,
interactive: bool,
q: &str,
verify: bool,
) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
let password_helper = secret
.password_helper
.as_ref()
.map(|helper| move || helper.obtain());
let salt = &secret.salt;
Ok(if interactive {
(
if authenticator.pin && may_require_pin()? {
Some(read_pin()?)
} else {
None
},
salt.obtain_sha256(Some(|| util::read_password_tty(q, verify)))?,
)
} else {
match (
authenticator.pin && may_require_pin()?,
authenticator.pin_prefixed,
) {
(true, false) => (Some(read_pin()?), salt.obtain_sha256(password_helper)?),
(true, true) => read_password_pin_prefixed(|| {
salt.obtain(password_helper).and_then(|secret| {
String::from_utf8(secret).map_err(|e| Fido2LuksError::from(e))
})
})?,
(false, _) => (None, salt.obtain_sha256(password_helper)?),
}
})
}
pub fn read_password_pin_prefixed(
prefixed: impl Fn() -> Fido2LuksResult<String>,
) -> Fido2LuksResult<(Option<String>, [u8; 32])> {
let read = prefixed()?;
let separator = ':';
let mut parts = read.split(separator);
let pin = parts.next().filter(|p| p.len() > 0).map(|p| p.to_string());
let password = match pin {
Some(ref pin) if read.len() > pin.len() => {
read.chars().skip(pin.len() + 1).collect::<String>()
}
Some(_) => String::new(),
_ => read
.chars()
.skip(read.chars().next().map(|c| c == separator).unwrap_or(false) as usize)
.collect::<String>(),
};
Ok((pin, util::sha256(&[password.as_bytes()])))
}
/// generate an more readable name from common paths
pub fn derive_credential_name(path: &Path) -> String {
match path.file_name() {
Some(name)
if path
.iter()
.any(|p| p == "by-label" || p == "by-partlabel" || p == "by-uuid") =>
{
name.to_string_lossy().as_ref().to_string()
}
_ => path.display().to_string(),
}
}
pub fn parse_cmdline() -> Args {
@ -80,6 +164,11 @@ pub fn prompt_interaction(interactive: bool) {
pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout();
let args = parse_cmdline();
let log = |message: &dyn Fn() -> String| {
if args.verbose {
eprintln!("{}", &*message());
}
};
let interactive = args.interactive;
match &args.command {
Command::Credential {
@ -87,8 +176,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
name,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin(authenticator)?;
let pin = if authenticator.pin && may_require_pin()? {
pin_string = read_pin()?;
Some(pin_string.as_ref())
} else {
None
@ -102,26 +191,44 @@ pub fn run_cli() -> Fido2LuksResult<()> {
authenticator,
credentials,
secret,
device,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref())
let (pin, salt) =
get_input(&secret, &authenticator, args.interactive, "Password", false)?;
let credentials = if let Some(path) = device {
let mut dev = LuksDevice::load(path)?;
let luks2 = dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
extend_creds_device(
credentials
.ids
.clone()
.map(|cs| cs.0)
.unwrap_or_default()
.as_slice(),
&mut dev,
)?
} else {
None
credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
};
let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed("Password", false)
} else {
secret.salt.obtain_sha256(&secret.password_helper)
}?;
log(&|| {
format!(
"credentials: {}",
credentials
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
prompt_interaction(interactive);
let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(),
let (secret, cred) = derive_secret(
&credentials,
&salt,
authenticator.await_time,
pin,
pin.as_deref(),
)?;
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
if *binary {
stdout.write_all(&secret[..])?;
} else {
@ -136,7 +243,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
luks_mod,
existing_secret: other_secret,
token,
..
}
| Command::ReplaceKey {
@ -146,21 +252,41 @@ pub fn run_cli() -> Fido2LuksResult<()> {
secret,
luks_mod,
replacement: other_secret,
token,
..
} => {
let pin = if authenticator.pin {
Some(read_pin(authenticator)?)
let mut luks_dev = LuksDevice::load(&luks.device)?;
let luks2 = luks_dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
let credentials = if !luks.disable_token && luks2 {
extend_creds_device(
credentials
.ids
.clone()
.map(|cs| cs.0)
.unwrap_or_default()
.as_slice(),
&mut luks_dev,
)?
} else {
None
credentials.ids.clone().map(|cs| cs.0).unwrap_or_default()
};
let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain_sha256(&secret.password_helper)
}
log(&|| {
format!(
"credentials: {}",
credentials
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify)
};
let other_secret = |salt_q: &str,
verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
@ -172,41 +298,69 @@ pub fn run_cli() -> Fido2LuksResult<()> {
OtherSecret {
fido_device: true, ..
} => {
let (pin, salt) = inputs(salt_q, verify)?;
prompt_interaction(interactive);
Ok(derive_secret(
&credentials.ids.0,
&salt(salt_q, verify)?,
&credentials,
&salt,
authenticator.await_time,
pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
}
_ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(),
util::read_password_tty(salt_q, verify)?.as_bytes().to_vec(),
None,
)),
}
};
let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
let secret = |q: &str,
verify: bool,
credentials: &[HexEncoded]|
-> Fido2LuksResult<([u8; 32], FidoCredential)> {
let (pin, salt) = inputs(q, verify)?;
prompt_interaction(interactive);
derive_secret(
&credentials.ids.0,
&salt(q, verify)?,
authenticator.await_time,
pin.as_deref(),
)
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
};
let mut luks_dev = LuksDevice::load(&luks.device)?;
// Non overlap
match &args.command {
Command::AddKey { exclusive, .. } => {
Command::AddKey {
exclusive,
generate_credential,
..
} => {
let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret("Password to be added", true)?;
let (new_secret, cred) = if *generate_credential && luks2 {
let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()),
(if authenticator.pin && may_require_pin()? {
//TODO: not ideal since it ignores pin-prefixed
Some(read_pin()?)
} else {
None
})
.as_deref(),
)?;
log(&|| {
format!(
"generated credential: {}\ncredential username: {:?}",
hex::encode(&cred.id),
derive_credential_name(luks.device.as_path())
)
});
let creds = vec![HexEncoded(cred.id)];
secret("Password to be added", true, &creds)
} else {
secret("Password to be added", true, &credentials)
}?;
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
let added_slot = luks_dev.add_key(
&new_secret,
&existing_secret[..],
luks_mod.kdf_time.or(Some(10)),
Some(&cred.id[..]).filter(|_| *token),
Some(&cred.id[..])
.filter(|_| !luks.disable_token || *generate_credential)
.filter(|_| luks2),
)?;
if *exclusive {
let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
@ -225,24 +379,42 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}
Ok(())
}
Command::ReplaceKey { add_password, .. } => {
let (existing_secret, _) = secret("Current password", false)?;
Command::ReplaceKey {
add_password,
remove_cred,
..
} => {
let (existing_secret, _prev_cred) =
secret("Current password", false, &credentials)?;
let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password {
luks_dev.add_key(
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
cred.as_ref()
.filter(|_| !luks.disable_token)
.filter(|_| luks2)
.map(|cred| &cred.id[..]),
)
} else {
luks_dev.replace_key(
let slot = luks_dev.replace_key(
&replacement_secret[..],
&existing_secret,
luks_mod.kdf_time,
cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
)
cred.as_ref()
.filter(|_| !luks.disable_token)
.filter(|_| luks2)
.map(|cred| &cred.id[..]),
)?;
if *remove_cred && cred.is_none() {
luks_dev.remove_token_slot(slot)?;
}
Ok(slot)
}?;
if let Some(cred) = cred {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
}
println!(
"Added to password to device {}, slot: {}",
luks.device.display(),
@ -258,80 +430,93 @@ pub fn run_cli() -> Fido2LuksResult<()> {
authenticator,
secret,
name,
credentials,
retries,
dry_run,
allow_discards,
..
}
| Command::OpenToken {
luks,
authenticator,
secret,
name,
retries,
allow_discards,
} => {
let pin_string;
let pin = if authenticator.pin {
pin_string = read_pin(authenticator)?;
Some(pin_string.as_ref())
} else {
None
};
let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
if interactive || secret.password_helper == PasswordHelper::Stdin {
util::read_password_hashed(q, verify)
} else {
secret.salt.obtain_sha256(&secret.password_helper)
}
let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option<String>, [u8; 32])> {
get_input(&secret, &authenticator, args.interactive, q, verify)
};
// Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
let (pin, salt) = inputs("Password", false)?;
prompt_interaction(interactive);
derive_secret(
credentials.as_ref(),
&salt("Password", false)?,
&salt,
authenticator.await_time,
pin,
pin.as_deref(),
)
};
let mut retries = *retries;
let mut luks_dev = LuksDevice::load(&luks.device)?;
let luks2 = luks_dev.is_luks2()?;
log(&|| format!("luks2 supported: {}", luks2));
loop {
let secret = match &args.command {
Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
.and_then(|(secret, _cred)| {
luks_dev.activate(&name, &secret, luks.slot, *allow_discards)
}),
Command::OpenToken { .. } => luks_dev.activate_token(
let slot = if let Some(ref credentials) = credentials.ids {
log(&|| {
format!(
"credentials: {}",
credentials
.0
.iter()
.map(ToString::to_string)
.collect::<Vec<_>>()
.join(", ")
)
});
secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, cred)| {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
luks_dev.activate(&name, &secret, luks.slot, *dry_run, *allow_discards)
})
} else if luks2 && !luks.disable_token {
luks_dev.activate_token(
&name,
Box::new(|credentials: Vec<String>| {
log(&|| format!("credentials: {}", credentials.join(", ")));
let creds = credentials
.into_iter()
.flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
.collect::<Vec<_>>();
secret(Cow::Owned(creds))
.map(|(secret, cred)| (secret, hex::encode(&cred.id)))
secret(Cow::Owned(creds)).map(|(secret, cred)| {
log(&|| format!("credential used: {}", hex::encode(&cred.id)));
(secret, hex::encode(&cred.id))
})
}),
luks.slot,
*dry_run,
*allow_discards,
),
_ => unreachable!(),
)
} else if luks_dev.is_luks2()? && luks.disable_token {
// disable-token is mostly cosmetic in this instance
return Err(Fido2LuksError::InsufficientCredentials);
} else {
return Err(Fido2LuksError::WrongSecret);
};
match secret {
match slot {
Err(e) => {
match e {
Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
if match cause.kind() {
FidoErrorKind::Timeout => true,
FidoErrorKind::CborError(e) if e.code() == 0x33 => true,
_ => false,
} && retries > 0 => {}
e => return Err(e),
}
};
retries -= 1;
eprintln!("{}", e);
}
res => break res.map(|_| ()),
Ok(slot) => {
log(&|| format!("keyslot: {}", slot));
break Ok(());
}
}
}
}
@ -401,7 +586,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}
}
let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
1
} else {
tokens.len()
@ -409,7 +594,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
for (id, mut token) in tokens {
token
.credential
.extend(credentials.ids.0.iter().map(|h| h.to_string()));
.extend(credentials.0.iter().map(|h| h.to_string()));
dev.update_token(id, &token)?;
}
println!("Updated {} tokens", count);
@ -437,7 +622,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
token.credential = token
.credential
.into_iter()
.filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
.filter(|cred| !credentials.0.iter().any(|h| &h.to_string() == cred))
.collect();
dev.update_token(id, &token)?;
}
@ -467,16 +652,64 @@ pub fn run_cli() -> Fido2LuksResult<()> {
}
},
Command::GenerateCompletions { shell, out_dir } => {
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
match shell.as_ref() {
"bash" => Shell::Bash,
"fish" => Shell::Fish,
_ => unreachable!("structopt shouldn't allow us to reach this point"),
},
&out_dir,
);
// zsh won't work atm https://github.com/clap-rs/clap/issues/1822
if let Some(s) = shell {
if s.as_str() == "zsh" {
unimplemented!("zsh completions are broken atm: see https://github.com/clap-rs/clap/issues/1822")
}
}
for variant in Shell::variants().iter().filter(|v| *v != &"zsh") {
if let Some(s) = shell {
if *variant != s.as_str() {
break;
}
}
Args::clap().gen_completions(
env!("CARGO_PKG_NAME"),
Shell::from_str(variant)
.expect("structopt shouldn't allow us to reach this point"),
&out_dir,
);
}
Ok(())
}
}
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_read_password_pin_prefixed() {
// 1234:test -> PIN: 1234, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok("1234:test".into())).unwrap(),
(Some("1234".to_string()), util::sha256(&["test".as_bytes()]))
);
// :test -> PIN: None, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
(None, util::sha256(&["test".as_bytes()]))
);
// 1234::test -> PIN: 1234, password: :test
assert_eq!(
read_password_pin_prefixed(|| Ok("1234::test".into())).unwrap(),
(
Some("1234".to_string()),
util::sha256(&[":test".as_bytes()])
)
);
// 1234 -> PIN: 1234, password: empty
assert_eq!(
read_password_pin_prefixed(|| Ok("1234".into())).unwrap(),
(Some("1234".to_string()), util::sha256(&["".as_bytes()]))
);
// 1234:test -> PIN: None, password: test
assert_eq!(
read_password_pin_prefixed(|| Ok(":test".into())).unwrap(),
(None, util::sha256(&["test".as_bytes()]))
);
}
}

31
src/cli_args/config.rs
View File

@ -7,6 +7,7 @@ use std::fs::File;
use std::io::Read;
use std::path::PathBuf;
use std::process::Command;
use std::process::Stdio;
use std::str::FromStr;
#[derive(Debug, Clone, PartialEq)]
@ -55,11 +56,17 @@ impl fmt::Display for SecretInput {
}
impl SecretInput {
pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
pub fn obtain_string(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<String> {
Ok(String::from_utf8(self.obtain(password_helper)?)?)
}
pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
pub fn obtain(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<Vec<u8>> {
let mut secret = Vec::new();
match self {
SecretInput::File { path } => {
@ -67,16 +74,22 @@ impl SecretInput {
let mut do_io = || File::open(path)?.read_to_end(&mut secret);
do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
}
SecretInput::AskPassword => {
secret.extend_from_slice(password_helper.obtain()?.as_bytes())
}
SecretInput::AskPassword => secret.extend_from_slice(
password_helper.ok_or_else(|| Fido2LuksError::AskPassError {
cause: AskPassError::FailedHelper,
})?()?
.as_bytes(),
),
SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
}
Ok(secret)
}
pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
pub fn obtain_sha256(
&self,
password_helper: Option<impl FnOnce() -> Fido2LuksResult<String>>,
) -> Fido2LuksResult<[u8; 32]> {
let mut digest = digest::Context::new(&digest::SHA256);
match self {
SecretInput::File { path } => {
@ -151,11 +164,13 @@ impl PasswordHelper {
use PasswordHelper::*;
match self {
Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?),
Stdin => Ok(util::read_password("Password", true, false)?),
Script(password_helper) => {
let password = Command::new("sh")
.arg("-c")
.arg(&password_helper)
.stdin(Stdio::inherit())
.stderr(Stdio::inherit())
.output()
.map_err(|e| Fido2LuksError::AskPassError {
cause: error::AskPassError::IO(e),
@ -198,7 +213,7 @@ mod test {
fn input_salt_obtain() {
assert_eq!(
SecretInput::String("abc".into())
.obtain_sha256(&PasswordHelper::Stdin)
.obtain_sha256(Some(|| Ok("123456".to_string())))
.unwrap(),
[
186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

112
src/cli_args/mod.rs
View File

@ -1,7 +1,8 @@
use std::fmt::{Display, Error, Formatter};
use std::hash::{Hash, Hasher};
use std::path::PathBuf;
use std::str::FromStr;
use structopt::clap::AppSettings;
use structopt::clap::{AppSettings, Shell};
use structopt::StructOpt;
mod config;
@ -31,6 +32,12 @@ impl FromStr for HexEncoded {
}
}
impl Hash for HexEncoded {
fn hash<H: Hasher>(&self, state: &mut H) {
self.0.hash(state)
}
}
#[derive(Debug, Eq, PartialEq, Clone)]
pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
@ -58,19 +65,24 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
#[derive(Debug, StructOpt)]
pub struct Credentials {
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
pub ids: CommaSeparated<HexEncoded>,
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
pub ids: Option<CommaSeparated<HexEncoded>>,
}
#[derive(Debug, StructOpt)]
pub struct AuthenticatorParameters {
/// Request a PIN to unlock the authenticator
/// Request a PIN to unlock the authenticator if required
#[structopt(short = "P", long = "pin")]
pub pin: bool,
/// Location to read PIN from
#[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
pub pin_source: Option<PathBuf>,
/// Request PIN and password combined `pin:password` when using an password helper
#[structopt(long = "pin-prefixed")]
pub pin_prefixed: bool,
/// Await for an authenticator to be connected, timeout after n seconds
#[structopt(
@ -90,13 +102,20 @@ pub struct LuksParameters {
/// Try to unlock the device using a specifc keyslot, ignore all other slots
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
pub slot: Option<u32>,
/// Disable implicit use of LUKS2 tokens
#[structopt(
long = "disable-token",
// env = "FIDO2LUKS_DISABLE_TOKEN" // unfortunately clap will convert flags into args if they have an env attribute
)]
pub disable_token: bool,
}
#[derive(Debug, StructOpt, Clone)]
pub struct LuksModParameters {
/// Number of milliseconds required to derive the volume decryption key
/// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
#[structopt(long = "kdf-time", name = "kdf-time")]
#[structopt(long = "kdf-time", name = "kdf-time", env = "FIDO2LUKS_KDF_TIME")]
pub kdf_time: Option<u64>,
}
@ -119,15 +138,17 @@ pub struct SecretParameters {
#[structopt(
name = "password-helper",
env = "FIDO2LUKS_PASSWORD_HELPER",
default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
long = "password-helper"
)]
pub password_helper: PasswordHelper,
pub password_helper: Option<PasswordHelper>,
}
#[derive(Debug, StructOpt)]
pub struct Args {
/// Request passwords via Stdin instead of using the password helper
#[structopt(short = "i", long = "interactive")]
pub interactive: bool,
#[structopt(short = "v", long = "verbose")]
pub verbose: bool,
#[structopt(subcommand)]
pub command: Command,
}
@ -138,7 +159,7 @@ pub struct OtherSecret {
#[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
pub keyfile: Option<PathBuf>,
/// Use another fido device instead of a password
/// Note: this requires for the credential fot the other device to be passed as argument as well
/// Note: this requires for the credential for the other device to be passed as argument as well
#[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
pub fido_device: bool,
}
@ -147,8 +168,9 @@ pub struct OtherSecret {
pub enum Command {
#[structopt(name = "print-secret")]
PrintSecret {
// version 0.3.0 will store use the lower case ascii encoded hex string making binary output unnecessary
/// Prints the secret as binary instead of hex encoded
#[structopt(short = "b", long = "bin")]
#[structopt(hidden = true, short = "b", long = "bin")]
binary: bool,
#[structopt(flatten)]
credentials: Credentials,
@ -156,6 +178,9 @@ pub enum Command {
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
/// Load credentials from LUKS header
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: Option<PathBuf>,
},
/// Adds a generated key to the specified LUKS device
#[structopt(name = "add-key")]
@ -171,9 +196,9 @@ pub enum Command {
/// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")]
exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
/// Will generate an credential while adding a new key to this LUKS device if supported
#[structopt(short = "g", long = "gen-cred")]
generate_credential: bool,
#[structopt(flatten)]
existing_secret: OtherSecret,
#[structopt(flatten)]
@ -193,16 +218,16 @@ pub enum Command {
/// Add the password and keep the key
#[structopt(short = "a", long = "add-password")]
add_password: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
/// Remove the affected credential from LUKS header
#[structopt(short = "r", long = "remove-cred")]
remove_cred: bool,
#[structopt(flatten)]
replacement: OtherSecret,
#[structopt(flatten)]
luks_mod: LuksModParameters,
},
/// Open the LUKS device
#[structopt(name = "open")]
#[structopt(name = "open", alias = "open-token")]
Open {
#[structopt(flatten)]
luks: LuksParameters,
@ -216,25 +241,11 @@ pub enum Command {
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Perform the whole procedure without mounting the LUKS volume on success
#[structopt(long = "dry-run")]
dry_run: bool,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
allow_discards: bool,
},
/// Open the LUKS device using credentials embedded in the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(flatten)]
luks: LuksParameters,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
#[structopt(flatten)]
authenticator: AuthenticatorParameters,
#[structopt(flatten)]
secret: SecretParameters,
#[structopt(short = "r", long = "max-retries", default_value = "0")]
retries: i32,
/// Pass SSD trim instructions to the underlying block device
#[structopt(long = "allow-discards")]
#[structopt(long = "allow-discards", env = "FIDO2LUKS_ALLOW_DISCARDS")]
allow_discards: bool,
},
/// Generate a new FIDO credential
@ -251,11 +262,12 @@ pub enum Command {
Connected,
Token(TokenCommand),
/// Generate bash completion scripts
/// Example: fido2luks completions --shell bash /usr/share/bash-completion/completions
#[structopt(name = "completions", setting = AppSettings::Hidden)]
GenerateCompletions {
/// Shell to generate completions for: bash, fish
#[structopt(possible_values = &["bash", "fish"])]
shell: String,
/// Shell to generate completions for
#[structopt(short = "s", long = "shell",possible_values = &Shell::variants()[..])]
shell: Option<String>,
out_dir: PathBuf,
},
}
@ -275,8 +287,14 @@ pub enum TokenCommand {
Add {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
credentials: CommaSeparated<HexEncoded>,
/// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32,
@ -285,8 +303,14 @@ pub enum TokenCommand {
Remove {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(flatten)]
credentials: Credentials,
/// FIDO credential ids, separated by ',' generate using fido2luks credential
#[structopt(
name = "credential-ids",
env = "FIDO2LUKS_CREDENTIAL_ID",
short = "c",
long = "creds"
)]
credentials: CommaSeparated<HexEncoded>,
/// Token from which the credentials will be removed
#[structopt(long = "token")]
token_id: Option<u32>,

15
src/device.rs
View File

@ -19,7 +19,7 @@ pub fn make_credential_id(
}
let request = request.build().unwrap();
let make_credential = |device: &mut FidoDevice| {
if let Some(pin) = pin {
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?;
}
device.make_hmac_credential(&request)
@ -44,7 +44,7 @@ pub fn perform_challenge<'a>(
.build()
.unwrap();
let get_assertion = |device: &mut FidoDevice| {
if let Some(pin) = pin {
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
device.unlock(pin)?;
}
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
@ -58,6 +58,17 @@ pub fn perform_challenge<'a>(
Ok((secret, credential))
}
pub fn may_require_pin() -> Fido2LuksResult<bool> {
for di in ctap::get_devices()? {
if let Ok(dev) = FidoDevice::new(&di) {
if dev.needs_pin() {
return Ok(true);
}
}
}
Ok(false)
}
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
let mut devices = Vec::with_capacity(2);
for di in ctap::get_devices()? {

6
src/error.rs
View File

@ -29,6 +29,10 @@ pub enum Fido2LuksError {
WrongSecret,
#[fail(display = "not an utf8 string")]
StringEncodingError { cause: FromUtf8Error },
#[fail(display = "not an hex string: {}", string)]
HexEncodingError { string: String },
#[fail(display = "couldn't obtain at least one credential")]
InsufficientCredentials,
}
impl Fido2LuksError {
@ -50,6 +54,8 @@ pub enum AskPassError {
IO(io::Error),
#[fail(display = "provided passwords don't match")]
Mismatch,
#[fail(display = "failed to call password helper")]
FailedHelper,
}
#[derive(Debug, Fail)]

24
src/luks.rs
View File

@ -111,6 +111,20 @@ impl LuksDevice {
Ok(())
}
pub fn remove_token_slot(&mut self, slot: u32) -> Fido2LuksResult<()> {
let mut remove = HashSet::new();
for token in self.tokens()? {
let (id, token) = token?;
if token.keyslots.contains(&slot.to_string()) {
remove.insert(id);
}
}
for rm in remove {
self.remove_token(rm)?;
}
Ok(())
}
pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
self.require_luks2()?;
self.device
@ -192,7 +206,9 @@ impl LuksDevice {
old_secret,
CryptActivateFlags::empty(),
)?;
self.device.keyslot_handle().change_by_passphrase(
// slot should stay the same but better be safe than sorry
let slot = self.device.keyslot_handle().change_by_passphrase(
Some(slot),
Some(slot),
old_secret,
@ -221,6 +237,7 @@ impl LuksDevice {
name: &str,
secret: &[u8],
slot_hint: Option<u32>,
dry_run: bool,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
let mut flags = CryptActivateFlags::empty();
@ -229,7 +246,7 @@ impl LuksDevice {
}
self.device
.activate_handle()
.activate_by_passphrase(Some(name), slot_hint, secret, flags)
.activate_by_passphrase(Some(name).filter(|_| !dry_run), slot_hint, secret, flags)
.map_err(LuksError::activate)
}
@ -238,6 +255,7 @@ impl LuksDevice {
name: &str,
secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
slot_hint: Option<u32>,
dry_run: bool,
allow_discard: bool,
) -> Fido2LuksResult<u32> {
if !self.is_luks2()? {
@ -282,7 +300,7 @@ impl LuksDevice {
.chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
);
for slot in slots {
match self.activate(name, &secret, slot, allow_discard) {
match self.activate(name, &secret, slot, dry_run, allow_discard) {
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}

18
src/util.rs
View File

@ -13,9 +13,17 @@ pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
secret.as_mut().copy_from_slice(digest.finish().as_ref());
secret
}
pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
pub fn read_password_tty(q: &str, verify: bool) -> Fido2LuksResult<String> {
read_password(q, verify, true)
}
pub fn read_password(q: &str, verify: bool, tty: bool) -> Fido2LuksResult<String> {
let res = if tty {
rpassword::read_password_from_tty(Some(&[q, ": "].join("")))
} else {
print!("{}: ", q);
rpassword::read_password()
}?;
match res {
ref pass
if verify
&& &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
@ -29,10 +37,6 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
}
}
pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
}
pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
let mut file = File::open(path.into())?;
let mut key = Vec::new();