shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:request_multiple
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
...
compare: shimun:0.2.6
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

6 Commits
request_mu ... 0.2.6

Author SHA1 Message Date
shimun
b94f45d1ff patch secret_gen before obtaing first secret 2020-04-06 23:33:41 +02:00
shimun
c8fb636846 mention clang build dependency 2020-04-06 22:52:15 +02:00
shimun
49e2835f60 enable fido requests to be sent to multiple devices at once 2020-04-06 21:38:11 +02:00
shimun
bb7ee7c1ce request password only once if possible 2020-04-03 22:02:05 +02:00
shimun
0ba77963d2 update ctap_hmac 2020-04-02 17:22:15 +02:00
shimun
c99d7f562d support luks2 2020-03-27 20:08:54 +01:00
6 changed files with 429 additions and 392 deletions
Expand all files Collapse all files

733
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

2
Cargo.toml
View File

@@ -20,7 +20,7 @@ ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = { git = "https://github.com/shimunn/libcryptsetup-rs.git", branch = "crypt_load_ptr_null" } libcryptsetup-rs = "0.2.0"
[profile.release] [profile.release]
lto = true lto = true

2
README.md
View File

@@ -9,7 +9,7 @@ Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
### Prerequisites ### Prerequisites
``` ```
dnf install cargo cryptsetup-devel -y dnf install clang cargo cryptsetup-devel -y
``` ```
### Device ### Device

49
src/cli.rs
View File

@@ -12,7 +12,9 @@ use std::io::Write;
use std::process::exit; use std::process::exit;
use std::thread; use std::thread;
use crate::util::read_password;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] #[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>); pub struct HexEncoded(pub Vec<u8>);
@@ -97,19 +99,40 @@ pub struct SecretGeneration {
default_value = "15" default_value = "15"
)] )]
pub await_authenticator: u64, pub await_authenticator: u64,
/// Request the password twice to ensure it being correct
#[structopt(
long = "verify-password",
env = "FIDO2LUKS_VERIFY_PASSWORD",
hidden = true
)]
pub verify_password: Option<bool>,
} }
impl SecretGeneration { impl SecretGeneration {
pub fn patch(&self, args: &Args) -> Self { pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
let mut me = self.clone(); let mut me = self.clone();
if args.interactive { if args.interactive {
me.password_helper = PasswordHelper::Stdin; me.password_helper = PasswordHelper::Stdin;
} }
me.verify_password = me.verify_password.or(verify_password);
me me
} }
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> { pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
let salt = self.salt.obtain(&self.password_helper)?; let mut salt = [0u8; 32];
match self.password_helper {
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
salt.copy_from_slice(&util::sha256(&[&read_password(
password_query,
self.verify_password.unwrap_or(true),
)?
.as_bytes()[..]]));
}
_ => {
salt = self.salt.obtain(&self.password_helper)?;
}
}
let timeout = Duration::from_secs(self.await_authenticator); let timeout = Duration::from_secs(self.await_authenticator);
let start = SystemTime::now(); let start = SystemTime::now();
@@ -170,7 +193,9 @@ impl OtherSecret {
) -> Fido2LuksResult<Vec<u8>> { ) -> Fido2LuksResult<Vec<u8>> {
match &self.keyfile { match &self.keyfile {
Some(keyfile) => util::read_keyfile(keyfile.clone()), Some(keyfile) => util::read_keyfile(keyfile.clone()),
None if self.fido_device => Ok(Vec::from(&secret_gen.obtain_secret()?[..])), None if self.fido_device => {
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
}
None => util::read_password(password_question, verify_password) None => util::read_password(password_question, verify_password)
.map(|p| p.as_bytes().to_vec()), .map(|p| p.as_bytes().to_vec()),
} }
@@ -258,7 +283,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
binary, binary,
ref secret_gen, ref secret_gen,
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let secret = secret_gen
.patch(&args, Some(false))
.obtain_secret("Password")?;
if *binary { if *binary {
stdout.write(&secret[..])?; stdout.write(&secret[..])?;
} else { } else {
@@ -273,9 +300,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
} => { } => {
let secret_gen = secret_gen.patch(&args); let secret_gen = secret_gen.patch(&args, None);
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?; let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
let secret = secret_gen.obtain_secret()?; let secret = secret_gen.obtain_secret("Password")?;
let added_slot = luks::add_key( let added_slot = luks::add_key(
device.clone(), device.clone(),
&secret, &secret,
@@ -306,8 +333,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
} => { } => {
let secret_gen = secret_gen.patch(&args); let secret_gen = secret_gen.patch(&args, Some(false));
let secret = secret_gen.patch(&args).obtain_secret()?; let secret = secret_gen.obtain_secret("Password")?;
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?; let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time) luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
@@ -330,8 +357,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let mut retries = *retries; let mut retries = *retries;
loop { loop {
match secret_gen match secret_gen
.patch(&args) .patch(&args, Some(false))
.obtain_secret() .obtain_secret("Password")
.and_then(|secret| luks::open_container(&device, &name, &secret)) .and_then(|secret| luks::open_container(&device, &name, &secret))
{ {
Err(e) => { Err(e) => {

5
src/device.rs
View File

@@ -1,5 +1,6 @@
use crate::error::*; use crate::error::*;
use crate::util;
use ctap::{ use ctap::{
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder, self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind, FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
@@ -33,7 +34,9 @@ pub fn perform_challenge(
.credentials(credentials) .credentials(credentials)
.build() .build()
.unwrap(); .unwrap();
let get_assertion = |device: &mut FidoDevice| device.get_hmac_assertion(&request, &salt, None); let get_assertion = |device: &mut FidoDevice| {
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
};
let (_, (secret, _)) = request_multiple_devices( let (_, (secret, _)) = request_multiple_devices(
get_devices()? get_devices()?
.iter_mut() .iter_mut()

30
src/luks.rs
View File

@@ -1,11 +1,21 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, KeyslotInfo}; use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
let mut device = CryptInit::init(path.as_ref())?; let mut device = CryptInit::init(path.as_ref())?;
Ok(device.context_handle().load::<()>(None, None).map(|_| device)?) //TODO: determine luks version some way other way than just trying
let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
.into_iter()
.fold(None, |res, format| match res {
Some(Ok(())) => res,
Some(e) => Some(e.or(load(format))),
None => Some(load(format)),
})
.unwrap()?;
Ok(device)
} }
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> { pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
@@ -28,27 +38,27 @@ pub fn add_key<P: AsRef<Path>>(
device.settings_handle().set_iteration_time(millis) device.settings_handle().set_iteration_time(millis)
} }
let slot = device let slot = device
.keyslot_handle() .keyslot_handle(None)
.add_by_passphrase(None,old_secret, secret)?; .add_by_passphrase(old_secret, secret)?;
Ok(slot) Ok(slot)
} }
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> { pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
let mut handle = device.keyslot_handle(); let mut handle;
let mut destroyed = 0; let mut destroyed = 0;
//TODO: detect how many keyslots there are instead of trying within a given range //TODO: detect how many keyslots there are instead of trying within a given range
for slot in 0..1024 { for slot in 0..1024 {
handle = device.keyslot_handle(Some(slot));
match handle.status(slot)? { match handle.status()? {
KeyslotInfo::Inactive => continue, KeyslotInfo::Inactive => continue,
KeyslotInfo::Active if !exclude.contains(&slot) => { KeyslotInfo::Active if !exclude.contains(&slot) => {
handle.destroy(slot)?; handle.destroy()?;
destroyed += 1; destroyed += 1;
} }
_ => (), _ => (),
} }
match handle.status(slot)? { match handle.status()? {
KeyslotInfo::ActiveLast => break, KeyslotInfo::ActiveLast => break,
_ => (), _ => (),
} }
@@ -68,6 +78,6 @@ pub fn replace_key<P: AsRef<Path>>(
device.settings_handle().set_iteration_time(millis) device.settings_handle().set_iteration_time(millis)
} }
Ok(device Ok(device
.keyslot_handle() .keyslot_handle(None)
.change_by_passphrase(None, None, old_secret, secret)? as u32) .change_by_passphrase(None, None, old_secret, secret)? as u32)
} }