Compare commits
8 Commits
request_mu
...
0.2.7
| Author | SHA1 | Date | |
|---|---|---|---|
5c0364587e
|
|||
|
9307503bdc
|
|||
|
b94f45d1ff
|
|||
|
c8fb636846
|
|||
|
49e2835f60
|
|||
|
bb7ee7c1ce
|
|||
|
0ba77963d2
|
|||
|
c99d7f562d
|
737
Cargo.lock
generated
737
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "fido2luks"
|
||||
version = "0.2.6"
|
||||
version = "0.2.7"
|
||||
authors = ["shimunn <shimun@shimun.net>"]
|
||||
edition = "2018"
|
||||
|
||||
@@ -14,13 +14,13 @@ categories = ["command-line-utilities"]
|
||||
license-file = "LICENSE"
|
||||
|
||||
[dependencies]
|
||||
ctap_hmac = { version="0.4.1", features = ["request_multiple"] }
|
||||
ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
|
||||
hex = "0.3.2"
|
||||
ring = "0.13.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
structopt = "0.3.2"
|
||||
libcryptsetup-rs = { git = "https://github.com/shimunn/libcryptsetup-rs.git", branch = "crypt_load_ptr_null" }
|
||||
libcryptsetup-rs = "0.2.0"
|
||||
|
||||
[profile.release]
|
||||
lto = true
|
||||
|
||||
@@ -9,7 +9,7 @@ Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
|
||||
### Prerequisites
|
||||
|
||||
```
|
||||
dnf install cargo cryptsetup-devel -y
|
||||
dnf install clang cargo cryptsetup-devel -y
|
||||
```
|
||||
|
||||
### Device
|
||||
|
||||
64
src/cli.rs
64
src/cli.rs
@@ -12,7 +12,9 @@ use std::io::Write;
|
||||
use std::process::exit;
|
||||
use std::thread;
|
||||
|
||||
use crate::util::read_password;
|
||||
use std::time::SystemTime;
|
||||
|
||||
#[derive(Debug, Eq, PartialEq, Clone)]
|
||||
pub struct HexEncoded(pub Vec<u8>);
|
||||
|
||||
@@ -97,25 +99,46 @@ pub struct SecretGeneration {
|
||||
default_value = "15"
|
||||
)]
|
||||
pub await_authenticator: u64,
|
||||
|
||||
/// Request the password twice to ensure it being correct
|
||||
#[structopt(
|
||||
long = "verify-password",
|
||||
env = "FIDO2LUKS_VERIFY_PASSWORD",
|
||||
hidden = true
|
||||
)]
|
||||
pub verify_password: Option<bool>,
|
||||
}
|
||||
|
||||
impl SecretGeneration {
|
||||
pub fn patch(&self, args: &Args) -> Self {
|
||||
pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
|
||||
let mut me = self.clone();
|
||||
if args.interactive {
|
||||
me.password_helper = PasswordHelper::Stdin;
|
||||
}
|
||||
me.verify_password = me.verify_password.or(verify_password);
|
||||
me
|
||||
}
|
||||
|
||||
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
|
||||
let salt = self.salt.obtain(&self.password_helper)?;
|
||||
pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
|
||||
let mut salt = [0u8; 32];
|
||||
match self.password_helper {
|
||||
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
|
||||
salt.copy_from_slice(&util::sha256(&[&read_password(
|
||||
password_query,
|
||||
self.verify_password.unwrap_or(true),
|
||||
)?
|
||||
.as_bytes()[..]]));
|
||||
}
|
||||
_ => {
|
||||
salt = self.salt.obtain(&self.password_helper)?;
|
||||
}
|
||||
}
|
||||
let timeout = Duration::from_secs(self.await_authenticator);
|
||||
let start = SystemTime::now();
|
||||
|
||||
while let Ok(el) = start.elapsed() {
|
||||
if el > timeout {
|
||||
Err(error::Fido2LuksError::NoAuthenticatorError)?;
|
||||
return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
}
|
||||
if get_devices()
|
||||
.map(|devices| !devices.is_empty())
|
||||
@@ -170,7 +193,9 @@ impl OtherSecret {
|
||||
) -> Fido2LuksResult<Vec<u8>> {
|
||||
match &self.keyfile {
|
||||
Some(keyfile) => util::read_keyfile(keyfile.clone()),
|
||||
None if self.fido_device => Ok(Vec::from(&secret_gen.obtain_secret()?[..])),
|
||||
None if self.fido_device => {
|
||||
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
|
||||
}
|
||||
None => util::read_password(password_question, verify_password)
|
||||
.map(|p| p.as_bytes().to_vec()),
|
||||
}
|
||||
@@ -258,11 +283,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
binary,
|
||||
ref secret_gen,
|
||||
} => {
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
let secret = secret_gen
|
||||
.patch(&args, Some(false))
|
||||
.obtain_secret("Password")?;
|
||||
if *binary {
|
||||
stdout.write(&secret[..])?;
|
||||
stdout.write_all(&secret[..])?;
|
||||
} else {
|
||||
stdout.write(hex::encode(&secret[..]).as_bytes())?;
|
||||
stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
|
||||
}
|
||||
Ok(stdout.flush()?)
|
||||
}
|
||||
@@ -273,9 +300,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
ref secret_gen,
|
||||
luks_settings,
|
||||
} => {
|
||||
let secret_gen = secret_gen.patch(&args);
|
||||
let secret_gen = secret_gen.patch(&args, None);
|
||||
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
|
||||
let secret = secret_gen.obtain_secret()?;
|
||||
let secret = secret_gen.obtain_secret("Password")?;
|
||||
let added_slot = luks::add_key(
|
||||
device.clone(),
|
||||
&secret,
|
||||
@@ -306,8 +333,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
ref secret_gen,
|
||||
luks_settings,
|
||||
} => {
|
||||
let secret_gen = secret_gen.patch(&args);
|
||||
let secret = secret_gen.patch(&args).obtain_secret()?;
|
||||
let secret_gen = secret_gen.patch(&args, Some(false));
|
||||
let secret = secret_gen.obtain_secret("Password")?;
|
||||
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
|
||||
let slot = if *add_password {
|
||||
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
|
||||
@@ -330,20 +357,17 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
let mut retries = *retries;
|
||||
loop {
|
||||
match secret_gen
|
||||
.patch(&args)
|
||||
.obtain_secret()
|
||||
.patch(&args, Some(false))
|
||||
.obtain_secret("Password")
|
||||
.and_then(|secret| luks::open_container(&device, &name, &secret))
|
||||
{
|
||||
Err(e) => {
|
||||
match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => (),
|
||||
Fido2LuksError::WrongSecret if retries > 0 => {}
|
||||
Fido2LuksError::AuthenticatorError { ref cause }
|
||||
if cause.kind() == FidoErrorKind::Timeout && retries > 0 =>
|
||||
{
|
||||
()
|
||||
}
|
||||
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
|
||||
|
||||
e => break Err(e)?,
|
||||
e => return Err(e),
|
||||
}
|
||||
retries -= 1;
|
||||
eprintln!("{}", e);
|
||||
|
||||
@@ -24,7 +24,7 @@ impl Default for InputSalt {
|
||||
|
||||
impl From<&str> for InputSalt {
|
||||
fn from(s: &str) -> Self {
|
||||
let mut parts = s.split(":").into_iter();
|
||||
let mut parts = s.split(':');
|
||||
match parts.next() {
|
||||
Some("ask") | Some("Ask") => InputSalt::AskPassword,
|
||||
Some("file") => InputSalt::File {
|
||||
@@ -87,6 +87,7 @@ impl InputSalt {
|
||||
#[derive(Debug, Clone)]
|
||||
pub enum PasswordHelper {
|
||||
Script(String),
|
||||
#[allow(dead_code)]
|
||||
Systemd,
|
||||
Stdin,
|
||||
}
|
||||
@@ -134,7 +135,7 @@ impl PasswordHelper {
|
||||
Systemd => unimplemented!(),
|
||||
Stdin => Ok(util::read_password("Password", true)?),
|
||||
Script(password_helper) => {
|
||||
let mut helper_parts = password_helper.split(" ");
|
||||
let mut helper_parts = password_helper.split(' ');
|
||||
|
||||
let password = Command::new((&mut helper_parts).next().unwrap())
|
||||
.args(helper_parts)
|
||||
|
||||
@@ -1,12 +1,13 @@
|
||||
use crate::error::*;
|
||||
|
||||
use crate::util;
|
||||
use ctap::{
|
||||
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
|
||||
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
|
||||
};
|
||||
use std::time::Duration;
|
||||
|
||||
const RP_ID: &'static str = "fido2luks";
|
||||
const RP_ID: &str = "fido2luks";
|
||||
|
||||
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
|
||||
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
|
||||
@@ -33,7 +34,9 @@ pub fn perform_challenge(
|
||||
.credentials(credentials)
|
||||
.build()
|
||||
.unwrap();
|
||||
let get_assertion = |device: &mut FidoDevice| device.get_hmac_assertion(&request, &salt, None);
|
||||
let get_assertion = |device: &mut FidoDevice| {
|
||||
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
|
||||
};
|
||||
let (_, (secret, _)) = request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
@@ -49,7 +52,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
|
||||
match FidoDevice::new(&di) {
|
||||
Err(e) => match e.kind() {
|
||||
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
|
||||
err => Err(FidoError::from(err))?,
|
||||
err => return Err(FidoError::from(err).into()),
|
||||
},
|
||||
Ok(dev) => devices.push(dev),
|
||||
}
|
||||
|
||||
33
src/luks.rs
33
src/luks.rs
@@ -1,11 +1,21 @@
|
||||
use crate::error::*;
|
||||
|
||||
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, KeyslotInfo};
|
||||
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
|
||||
use std::path::Path;
|
||||
|
||||
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
|
||||
let mut device = CryptInit::init(path.as_ref())?;
|
||||
Ok(device.context_handle().load::<()>(None, None).map(|_| device)?)
|
||||
//TODO: determine luks version some way other way than just trying
|
||||
let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
|
||||
vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
|
||||
.into_iter()
|
||||
.fold(None, |res, format| match res {
|
||||
Some(Ok(())) => res,
|
||||
Some(e) => Some(e.or_else(|_| load(format))),
|
||||
None => Some(load(format)),
|
||||
})
|
||||
.unwrap()?;
|
||||
Ok(device)
|
||||
}
|
||||
|
||||
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
|
||||
@@ -28,29 +38,28 @@ pub fn add_key<P: AsRef<Path>>(
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
let slot = device
|
||||
.keyslot_handle()
|
||||
.add_by_passphrase(None,old_secret, secret)?;
|
||||
.keyslot_handle(None)
|
||||
.add_by_passphrase(old_secret, secret)?;
|
||||
Ok(slot)
|
||||
}
|
||||
|
||||
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
|
||||
let mut device = load_device_handle(path)?;
|
||||
let mut handle = device.keyslot_handle();
|
||||
let mut handle;
|
||||
let mut destroyed = 0;
|
||||
//TODO: detect how many keyslots there are instead of trying within a given range
|
||||
for slot in 0..1024 {
|
||||
|
||||
match handle.status(slot)? {
|
||||
handle = device.keyslot_handle(Some(slot));
|
||||
match handle.status()? {
|
||||
KeyslotInfo::Inactive => continue,
|
||||
KeyslotInfo::Active if !exclude.contains(&slot) => {
|
||||
handle.destroy(slot)?;
|
||||
handle.destroy()?;
|
||||
destroyed += 1;
|
||||
}
|
||||
_ => (),
|
||||
}
|
||||
match handle.status(slot)? {
|
||||
KeyslotInfo::ActiveLast => break,
|
||||
_ => (),
|
||||
if let KeyslotInfo::ActiveLast = handle.status()? {
|
||||
break;
|
||||
}
|
||||
}
|
||||
Ok(destroyed)
|
||||
@@ -68,6 +77,6 @@ pub fn replace_key<P: AsRef<Path>>(
|
||||
device.settings_handle().set_iteration_time(millis)
|
||||
}
|
||||
Ok(device
|
||||
.keyslot_handle()
|
||||
.keyslot_handle(None)
|
||||
.change_by_passphrase(None, None, old_secret, secret)? as u32)
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@ use std::fs::File;
|
||||
use std::io::Read;
|
||||
use std::path::PathBuf;
|
||||
|
||||
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
|
||||
pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
|
||||
let mut digest = digest::Context::new(&digest::SHA256);
|
||||
for m in messages.iter() {
|
||||
digest.update(m);
|
||||
@@ -23,7 +23,7 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
|
||||
{
|
||||
Err(Fido2LuksError::AskPassError {
|
||||
cause: AskPassError::Mismatch,
|
||||
})?
|
||||
})
|
||||
}
|
||||
pass => Ok(pass),
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user