shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:pam_mod
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:0.2.16
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

7 Commits
pam_mod ... 0.2.16

Author SHA1 Message Date
shimun
b3495c45f3 add nix flake 2021-02-08 16:06:56 +01:00
shimunn
17ca487b85 Obvious password promt (#29) 
* obvious password promt

* prompt interaction with FIDO device
 2021-02-08 15:58:41 +01:00
shimun
b0404f2fc1 minimum YubiKey firmware version
Some checks reported errors
continuous-integration/drone/push Build encountered an error
Details
2020-11-17 13:05:45 +01:00
shimunn
de21e3ef8d Merge pull request #21 from aacebedo/master 
Added an helper script to be used with pam_mount
 2020-11-01 21:18:13 +01:00
Alexandre ACEBEDO
8a7b3addbb Added an helper script to be used with pam_mount 2020-11-01 18:21:04 +01:00
shimun
e7e44cd61b fix test
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-10-13 14:17:22 +02:00
shimun
0ec859f4a6 remove trailing newline from pin
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-09-25 12:40:34 +02:00
12 changed files with 378 additions and 271 deletions
Expand all files Collapse all files

4
.drone.yml
View File

@@ -12,7 +12,7 @@ steps:
environment: environment:
DEBIAN_FRONTEND: noninteractive DEBIAN_FRONTEND: noninteractive
commands: commands:
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo test --locked - cargo test --locked
- name: publish - name: publish
image: ubuntu:focal image: ubuntu:focal
@@ -22,7 +22,7 @@ steps:
from_secret: cargo_tkn from_secret: cargo_tkn
commands: commands:
- grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1) - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
- apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev
- cargo package --all-features - cargo package --all-features
- cargo publish --all-features - cargo publish --all-features
when: when:

2
.gitignore vendored
View File

@@ -6,3 +6,5 @@ fido2luks.bash
fido2luks.elv fido2luks.elv
fido2luks.fish fido2luks.fish
fido2luks.zsh fido2luks.zsh
result
result-*

20
Cargo.lock generated
View File

@@ -377,20 +377,18 @@ dependencies = [
[[package]] [[package]]
name = "fido2luks" name = "fido2luks"
version = "0.2.15" version = "0.2.16"
dependencies = [ dependencies = [
"ctap_hmac", "ctap_hmac",
"failure", "failure",
"hex", "hex",
"libcryptsetup-rs", "libcryptsetup-rs",
"pamsm",
"ring", "ring",
"rpassword", "rpassword",
"serde", "serde",
"serde_derive", "serde_derive",
"serde_json", "serde_json",
"structopt", "structopt",
"sudo",
] ]
[[package]] [[package]]
@@ -598,12 +596,6 @@ version = "0.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5" checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
[[package]]
name = "pamsm"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3580ed2ebe075c74db583233318abf4b07bc8d9a40c7691d0ae9c186e19e43dd"
[[package]] [[package]]
name = "peeking_take_while" name = "peeking_take_while"
version = "0.1.2" version = "0.1.2"
@@ -988,16 +980,6 @@ dependencies = [
"syn 1.0.40", "syn 1.0.40",
] ]
[[package]]
name = "sudo"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2a88e74edf206f281aff2820aa2066c781331044c770626dcafe19491f214e05"
dependencies = [
"libc",
"log",
]
[[package]] [[package]]
name = "syn" name = "syn"
version = "0.15.44" version = "0.15.44"

18
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.15" version = "0.2.16"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -24,8 +24,6 @@ libcryptsetup-rs = "0.4.1"
serde_json = "1.0.51" serde_json = "1.0.51"
serde_derive = "1.0.106" serde_derive = "1.0.106"
serde = "1.0.106" serde = "1.0.106"
pamsm = { version = "0.4.1", features = ["libpam"] }
sudo = "0.5.0"
[build-dependencies] [build-dependencies]
ctap_hmac = { version="0.4.2", features = ["request_multiple"] } ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -34,7 +32,6 @@ ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
libcryptsetup-rs = "0.4.1" libcryptsetup-rs = "0.4.1"
pamsm = { version = "0.4.1", features = ["libpam"] }
structopt = "0.3.2" structopt = "0.3.2"
[profile.release] [profile.release]
@@ -44,23 +41,14 @@ panic = 'abort'
incremental = false incremental = false
overflow-checks = false overflow-checks = false
[[bin]]
name = "fido2luks"
path = "src/main.rs"
[lib]
name = "fido2luks_pam"
path = "src/lib.rs"
crate-type = ["cdylib"]
[package.metadata.deb] [package.metadata.deb]
depends = "$auto, cryptsetup" depends = "$auto, cryptsetup"
build-depends = "libclang-dev, libcryptsetup-dev, libpam-dev" build-depends = "libclang-dev, libcryptsetup-dev"
extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator" extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
assets = [ assets = [
["target/release/fido2luks", "usr/bin/", "755"], ["target/release/fido2luks", "usr/bin/", "755"],
["target/release/libfido2luks_pam.so", "usr/lib/x86_64-linux-gnu/security/pam_fido2luks.so", "755"],
["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"], ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ], ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ], ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
["initramfs-tools/fido2luks.conf", "etc/", "644"], ["initramfs-tools/fido2luks.conf", "etc/", "644"],

1
PKGBUILD
View File

@@ -21,5 +21,6 @@ build() {
package() { package() {
install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin" install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks" install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
} }

2
README.md
View File

@@ -2,7 +2,7 @@
This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key. This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
## Setup ## Setup

61
flake.lock generated Normal file
View File

@@ -0,0 +1,61 @@
{
"nodes": {
"naersk": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1612192764,
"narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
"owner": "nmattia",
"repo": "naersk",
"rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
"type": "github"
},
"original": {
"owner": "nmattia",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1611910458,
"narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
"path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
"rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
"type": "path"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"root": {
"inputs": {
"naersk": "naersk",
"nixpkgs": "nixpkgs",
"utils": "utils"
}
},
"utils": {
"locked": {
"lastModified": 1610051610,
"narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

61
flake.nix Normal file
View File

@@ -0,0 +1,61 @@
{
description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
inputs = {
utils.url = "github:numtide/flake-utils";
naersk = {
url = "github:nmattia/naersk";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, utils, naersk }:
let
root = ./.;
pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
forPkgs = pkgs:
let
naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup ];
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
nativeBuildInputs = with pkgs; [
pkgconfig
clang
];
in
rec {
# `nix build`
packages.${pname} = naersk-lib.buildPackage {
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
};
defaultPackage = packages.${pname};
# `nix run`
apps.${pname} = utils.lib.mkApp {
drv = packages.${pname};
};
defaultApp = apps.${pname};
# `nix flake check`
checks = {
fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
cd ${root}
cargo fmt -- --check
nixpkgs-fmt --check *.nix
touch $out
'';
};
# `nix develop`
devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
inherit buildInputs LIBCLANG_PATH;
};
};
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
in
(utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
overlay = final: prev: (forPkgs final).packages;
};
}

220
pam_mount/fido2luksmounthelper.sh Executable file
View File

@@ -0,0 +1,220 @@
#!/bin/bash
#
# This is a rather minimal example Argbash potential
# Example taken from http://argbash.readthedocs.io/en/stable/example.html
#
# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
# ARGBASH_GO()
# needed because of Argbash --> m4_ignore([
### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
# Argbash is a bash code generator used to get arguments parsing right.
# Argbash is FREE SOFTWARE, see https://argbash.io for more info
# Generated online by https://argbash.io/generate
die()
{
local _ret="${2:-1}"
test "${_PRINT_HELP:-no}" = yes && print_help >&2
echo "$1" >&2
exit "${_ret}"
}
begins_with_short_option()
{
local first_option all_short_options='cdmash'
first_option="${1:0:1}"
test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
}
# THE DEFAULTS INITIALIZATION - POSITIONALS
_positionals=()
# THE DEFAULTS INITIALIZATION - OPTIONALS
_arg_credentials_type=
_arg_device=
_arg_mount_point=
_arg_ask_pin="off"
_arg_salt=""
print_help()
{
printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
printf '\t%s\n' "-h, --help: Prints help"
}
parse_commandline()
{
_positionals_count=0
while test $# -gt 0
do
_key="$1"
case "$_key" in
-c|--credentials-type)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_credentials_type="$2"
shift
;;
--credentials-type=*)
_arg_credentials_type="${_key##--credentials-type=}"
;;
-c*)
_arg_credentials_type="${_key##-c}"
;;
-d|--device)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_device="$2"
shift
;;
--device=*)
_arg_device="${_key##--device=}"
;;
-d*)
_arg_device="${_key##-d}"
;;
-m|--mount-point)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_mount_point="$2"
shift
;;
--mount-point=*)
_arg_mount_point="${_key##--mount-point=}"
;;
-m*)
_arg_mount_point="${_key##-m}"
;;
-a|--no-ask-pin|--ask-pin)
_arg_ask_pin="on"
test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
;;
-a*)
_arg_ask_pin="on"
_next="${_key##-a}"
if test -n "$_next" -a "$_next" != "$_key"
then
{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
fi
;;
-s|--salt)
test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
_arg_salt="$2"
shift
;;
--salt=*)
_arg_salt="${_key##--salt=}"
;;
-s*)
_arg_salt="${_key##-s}"
;;
-h|--help)
print_help
exit 0
;;
-h*)
print_help
exit 0
;;
*)
_last_positional="$1"
_positionals+=("$_last_positional")
_positionals_count=$((_positionals_count + 1))
;;
esac
shift
done
}
handle_passed_args_count()
{
local _required_args_string="'operation'"
test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}
assign_positional_args()
{
local _positional_name _shift_for=$1
_positional_names="_arg_operation "
shift "$_shift_for"
for _positional_name in ${_positional_names}
do
test $# -gt 0 || break
eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
shift
done
}
parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"
# OTHER STUFF GENERATED BY Argbash
### END OF CODE GENERATED BY Argbash (sortof) ### ])
# [ <-- needed because of Argbash
if [ -z ${_arg_mount_point} ]; then
die "Missing '--mount-point' argument"
fi
if [ -z ${_arg_device} ]; then
die "Missing '--device' argument"
fi
ASK_PIN=${_arg_ask_pin}
OPERATION=${_arg_operation}
DEVICE=${_arg_device}
DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
MOUNT_POINT=${_arg_mount_point}
CREDENTIALS_TYPE=${_arg_credentials_type}
SALT=${_arg_salt}
CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
if [ "${OPERATION}" == "mount" ]; then
if [ "${CREDENTIALS_TYPE}" == "external" ]; then
if [ -f ${CONF_FILE_PATH} ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
CREDENTIALS=$(<${CONF_FILE_PATH})
else
die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
fi
printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
if [ "${ASK_PIN}" == "on" ]; then
read PASSWORD
fi
printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
else
die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
fi
mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
elif [ "${OPERATION}" == "umount" ]; then
umount ${MOUNT_POINT}
cryptsetup luksClose ${DEVICE_NAME}
else
die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
fi
exit 0
# ] <-- needed because of Argbash

36
src/cli.rs
View File

@@ -25,7 +25,7 @@ fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
if let Some(src) = ap.pin_source.as_ref() { if let Some(src) = ap.pin_source.as_ref() {
let mut pin = String::new(); let mut pin = String::new();
File::open(src)?.read_to_string(&mut pin)?; File::open(src)?.read_to_string(&mut pin)?;
Ok(pin) Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
} else { } else {
util::read_password("Authenticator PIN", false) util::read_password("Authenticator PIN", false)
} }
@@ -71,6 +71,12 @@ pub fn parse_cmdline() -> Args {
Args::from_args() Args::from_args()
} }
pub fn prompt_interaction(interactive: bool) {
if interactive {
println!("Authorize using your FIDO device");
}
}
pub fn run_cli() -> Fido2LuksResult<()> { pub fn run_cli() -> Fido2LuksResult<()> {
let mut stdout = io::stdout(); let mut stdout = io::stdout();
let args = parse_cmdline(); let args = parse_cmdline();
@@ -109,6 +115,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else { } else {
secret.salt.obtain_sha256(&secret.password_helper) secret.salt.obtain_sha256(&secret.password_helper)
}?; }?;
prompt_interaction(interactive);
let (secret, _cred) = derive_secret( let (secret, _cred) = derive_secret(
credentials.ids.0.as_slice(), credentials.ids.0.as_slice(),
&salt, &salt,
@@ -164,23 +171,27 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} => Ok((util::read_keyfile(file)?, None)), } => Ok((util::read_keyfile(file)?, None)),
OtherSecret { OtherSecret {
fido_device: true, .. fido_device: true, ..
} => Ok(derive_secret( } => {
&credentials.ids.0, prompt_interaction(interactive);
&salt(salt_q, verify)?, Ok(derive_secret(
authenticator.await_time, &credentials.ids.0,
pin.as_deref(), &salt(salt_q, verify)?,
) authenticator.await_time,
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?), pin.as_deref(),
)
.map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
}
_ => Ok(( _ => Ok((
util::read_password(salt_q, verify)?.as_bytes().to_vec(), util::read_password(salt_q, verify)?.as_bytes().to_vec(),
None, None,
)), )),
} }
}; };
let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> { let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
prompt_interaction(interactive);
derive_secret( derive_secret(
&credentials.ids.0, &credentials.ids.0,
&salt("Password", verify)?, &salt(q, verify)?,
authenticator.await_time, authenticator.await_time,
pin.as_deref(), pin.as_deref(),
) )
@@ -190,7 +201,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
match &args.command { match &args.command {
Command::AddKey { exclusive, .. } => { Command::AddKey { exclusive, .. } => {
let (existing_secret, _) = other_secret("Current password", false)?; let (existing_secret, _) = other_secret("Current password", false)?;
let (new_secret, cred) = secret(true)?; let (new_secret, cred) = secret("Password to be added", true)?;
let added_slot = luks_dev.add_key( let added_slot = luks_dev.add_key(
&new_secret, &new_secret,
&existing_secret[..], &existing_secret[..],
@@ -215,7 +226,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Ok(()) Ok(())
} }
Command::ReplaceKey { add_password, .. } => { Command::ReplaceKey { add_password, .. } => {
let (existing_secret, _) = secret(false)?; let (existing_secret, _) = secret("Current password", false)?;
let (replacement_secret, cred) = other_secret("Replacement password", true)?; let (replacement_secret, cred) = other_secret("Replacement password", true)?;
let slot = if *add_password { let slot = if *add_password {
luks_dev.add_key( luks_dev.add_key(
@@ -274,6 +285,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
// Cow shouldn't be necessary // Cow shouldn't be necessary
let secret = |credentials: Cow<'_, Vec<HexEncoded>>| { let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
prompt_interaction(interactive);
derive_secret( derive_secret(
credentials.as_ref(), credentials.as_ref(),
&salt("Password", false)?, &salt("Password", false)?,

39
src/error.rs
View File

@@ -1,10 +1,10 @@
use ctap::FidoError; use ctap::FidoError;
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use pamsm::PamError;
use std::io; use std::io;
use std::io::ErrorKind; use std::io::ErrorKind;
use std::string::FromUtf8Error; use std::string::FromUtf8Error;
use Fido2LuksError::*; use Fido2LuksError::*;
pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>; pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
#[derive(Debug, Fail)] #[derive(Debug, Fail)]
@@ -29,10 +29,6 @@ pub enum Fido2LuksError {
WrongSecret, WrongSecret,
#[fail(display = "not an utf8 string")] #[fail(display = "not an utf8 string")]
StringEncodingError { cause: FromUtf8Error }, StringEncodingError { cause: FromUtf8Error },
#[fail(display = "elevated privileges required")]
MissingPrivileges,
#[fail(display = "{}", cause)]
Configuration { cause: ConfigurationError },
} }
impl Fido2LuksError { impl Fido2LuksError {
@@ -54,26 +50,6 @@ pub enum AskPassError {
IO(io::Error), IO(io::Error),
#[fail(display = "provided passwords don't match")] #[fail(display = "provided passwords don't match")]
Mismatch, Mismatch,
#[fail(display = "unable to retrieve password: {}", _0)]
Pam(PamError),
}
impl From<PamError> for AskPassError {
fn from(e: PamError) -> Self {
AskPassError::Pam(e)
}
}
impl From<io::Error> for AskPassError {
fn from(e: io::Error) -> Self {
AskPassError::IO(e)
}
}
impl From<AskPassError> for Fido2LuksError {
fn from(cause: AskPassError) -> Self {
Fido2LuksError::AskPassError { cause }
}
} }
#[derive(Debug, Fail)] #[derive(Debug, Fail)]
@@ -136,16 +112,3 @@ impl From<FromUtf8Error> for Fido2LuksError {
StringEncodingError { cause: e } StringEncodingError { cause: e }
} }
} }
#[derive(Debug, Fail)]
pub enum ConfigurationError {
#[fail(display = "config is missing some values: {:?}", _0)]
Missing(Vec<String>),
#[fail(display = "config attribute {} contains an invalid value: {}", _1, _0)]
InvalidValue(String, String),
}
impl From<ConfigurationError> for Fido2LuksError {
fn from(cause: ConfigurationError) -> Fido2LuksError {
Fido2LuksError::Configuration { cause }
}
}

183
src/lib.rs
View File

@@ -1,183 +0,0 @@
#[macro_use]
extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli_args::{CommaSeparated, HexEncoded};
use crate::device::*;
use crate::error::*;
use crate::luks::*;
use ctap::FidoCredential;
use failure::_core::time::Duration;
use pamsm::PamLibExt;
use pamsm::*;
use std::collections::{HashMap, HashSet};
use std::path::Path;
use std::str::FromStr;
use sudo::{self, RunningAs};
pub mod cli_args;
pub mod device;
pub mod error;
pub mod luks;
pub mod util;
struct PamFido2Luks;
impl PamFido2Luks {
fn open(
&self,
user: String,
mut password: impl FnMut(&str) -> PamResult<String>,
args: Vec<String>,
) -> Fido2LuksResult<()> {
let args: HashMap<String, String> = args
.into_iter()
.filter_map(|arg| {
let mut parts = arg.split("=");
parts
.by_ref()
.next()
.map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
})
.collect();
let credentials = match args.get("credentials").map(|creds| {
<CommaSeparated<String>>::from_str(creds)
.map(|cs| cs.0)
.map_err(|_| ConfigurationError::InvalidValue("credentials".into(), creds.into()))
}) {
Some(creds) => creds?,
_ => Vec::new(),
};
let pin = args.get("pin");
let pin_prefix = args
.get("pin-prefix")
.map(|p| p.parse::<bool>().unwrap_or_default())
.unwrap_or_default();
let device = args
.get("device")
.map(|device| device.replace("%user%", user.as_str()));
let name = args
.get("name")
.map(|name| name.replace("%user%", user.as_str()));
let mut attempts = args
.get("attempts")
.and_then(|a| a.parse::<usize>().ok())
.unwrap_or(3);
if let (Some(device), Some(name)) = (device, name) {
if !Path::new(&device).exists() || Path::new(&format!("/dev/mapper/{}", name)).exists()
{
return Ok(());
}
// root required to mount luks
match sudo::check() {
RunningAs::User => return Err(Fido2LuksError::MissingPrivileges),
_ => {
sudo::escalate_if_needed().map_err(|_| Fido2LuksError::MissingPrivileges)?;
}
}
let mut device = LuksDevice::load(device)?;
let mut additional_credentials: HashSet<String> = HashSet::new();
if device.is_luks2()? {
for token in device.tokens()? {
let (_, token) = token?;
additional_credentials.extend(token.credential.into_iter());
}
}
let credentials: Vec<FidoCredential> = credentials
.into_iter()
.chain(additional_credentials.into_iter())
.map(|cred| HexEncoded::from_str(cred.as_str()))
.map(|cred| FidoCredential {
id: cred.unwrap().0,
public_key: None,
})
.collect();
let credentials: Vec<&FidoCredential> = credentials.iter().collect();
if !credentials.is_empty() {
loop {
let (pin, pass) = if pin_prefix {
let password = password("PIN + FIDO2 salt (pin:password):")
.map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?;
let mut parts = password.split(":");
(
parts.next().map(|p| p.to_string()).or(pin.cloned()),
parts.collect::<Vec<_>>().join(":"),
)
} else {
(
pin.cloned(),
password("FIDO2 salt: ")
.map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?,
)
};
let salt = util::sha256(&[pass.as_bytes()]);
let secret = util::sha256(&[
&salt,
&perform_challenge(
&credentials[..],
&salt,
Duration::from_secs(15),
pin.as_ref().map(String::as_str),
)?
.0[..],
]);
match device.activate(name.as_str(), &secret[..], None) {
Ok(_) => return Ok(()),
_ if attempts > 0 => {
attempts -= 1;
continue;
}
Err(e) => break Err(e),
}
}
} else {
Err(ConfigurationError::Missing(vec!["credentials".into()]).into())
}
} else {
Ok(())
}
}
}
impl PamServiceModule for PamFido2Luks {
fn authenticate(pamh: Pam, _flag: PamFlag, args: Vec<String>) -> PamError {
let perfrom_authenticate = move || -> Fido2LuksResult<()> {
let user = match pamh.get_cached_user() {
Err(e) => Err(AskPassError::Pam(e))?,
Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
};
let mut password = match pamh.get_authtok(None) {
Err(e) => Err(AskPassError::Pam(e))?,
Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
};
if let Some(user) = user {
PamFido2Luks.open(
user,
move |q: &str| match password.take() {
Some(pass) => Ok(pass),
None => pamh
.conv(Some(q), PamMsgStyle::PROMPT_ECHO_OFF)
.map(|s| s.map(|s| s.to_str().unwrap()).unwrap_or("").to_string()),
},
args,
)
} else {
Err(AskPassError::Pam(PamError::AUTH_ERR))?
}
};
match perfrom_authenticate() {
Ok(_) => PamError::SUCCESS,
Err(e) => {
eprintln!("{}", e);
PamError::AUTH_ERR
}
}
}
}
pam_module!(PamFido2Luks);