shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

merge into: shimun:request_multiple
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
...
pull from: shimun:luks2_token
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

15 Commits
request_mu ... luks2_toke

Author SHA1 Message Date
shimun
c1a82b9ae6 update libcryptsetup_rs to 0.4.0 2020-06-06 22:43:18 +02:00
shimun
f774580c9c update to current api 2020-05-05 23:28:44 +02:00
shimun
0b19760175 hint slots 2020-04-28 19:09:53 +02:00
shimun
2ec8679c47 open token 2020-04-28 14:27:14 +02:00
shimun
65e1dead8b remove token 2020-04-27 22:07:00 +02:00
shimun
478fb5e036 store luks token 2020-04-27 19:26:21 +02:00
shimun
1547f5e199 get format 2020-04-27 18:12:06 +02:00
shimun
5c0364587e update ctap 2020-04-26 18:58:37 +02:00
shimun
9307503bdc applied clippy lints 2020-04-07 20:06:24 +02:00
shimun
b94f45d1ff patch secret_gen before obtaing first secret 2020-04-06 23:33:41 +02:00
shimun
c8fb636846 mention clang build dependency 2020-04-06 22:52:15 +02:00
shimun
49e2835f60 enable fido requests to be sent to multiple devices at once 2020-04-06 21:38:11 +02:00
shimun
bb7ee7c1ce request password only once if possible 2020-04-03 22:02:05 +02:00
shimun
0ba77963d2 update ctap_hmac 2020-04-02 17:22:15 +02:00
shimun
c99d7f562d support luks2 2020-03-27 20:08:54 +01:00
10 changed files with 740 additions and 449 deletions
Expand all files Collapse all files

781
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

9
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.6" version = "0.2.8"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -14,13 +14,16 @@ categories = ["command-line-utilities"]
license-file = "LICENSE" license-file = "LICENSE"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.1", features = ["request_multiple"] } ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = { git = "https://github.com/shimunn/libcryptsetup-rs.git", branch = "crypt_load_ptr_null" } libcryptsetup-rs = "0.4.0"
serde_json = "1.0.51"
serde_derive = "1.0.106"
serde = "1.0.106"
[profile.release] [profile.release]
lto = true lto = true

2
README.md
View File

@@ -9,7 +9,7 @@ Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
### Prerequisites ### Prerequisites
``` ```
dnf install cargo cryptsetup-devel -y dnf install clang cargo cryptsetup-devel -y
``` ```
### Device ### Device

138
src/cli.rs
View File

@@ -12,7 +12,9 @@ use std::io::Write;
use std::process::exit; use std::process::exit;
use std::thread; use std::thread;
use crate::util::read_password;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] #[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>); pub struct HexEncoded(pub Vec<u8>);
@@ -97,25 +99,54 @@ pub struct SecretGeneration {
default_value = "15" default_value = "15"
)] )]
pub await_authenticator: u64, pub await_authenticator: u64,
/// Request the password twice to ensure it being correct
#[structopt(
long = "verify-password",
env = "FIDO2LUKS_VERIFY_PASSWORD",
hidden = true
)]
pub verify_password: Option<bool>,
} }
impl SecretGeneration { impl SecretGeneration {
pub fn patch(&self, args: &Args) -> Self { pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
let mut me = self.clone(); let mut me = self.clone();
if args.interactive { if args.interactive {
me.password_helper = PasswordHelper::Stdin; me.password_helper = PasswordHelper::Stdin;
} }
me.verify_password = me.verify_password.or(verify_password);
me me
} }
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> { pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
let salt = self.salt.obtain(&self.password_helper)?; self.obtain_secret_and_credential(password_query)
.map(|(secret, _)| secret)
}
pub fn obtain_secret_and_credential(
&self,
password_query: &str,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
let mut salt = [0u8; 32];
match self.password_helper {
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
salt.copy_from_slice(&util::sha256(&[&read_password(
password_query,
self.verify_password.unwrap_or(true),
)?
.as_bytes()[..]]));
}
_ => {
salt = self.salt.obtain(&self.password_helper)?;
}
}
let timeout = Duration::from_secs(self.await_authenticator); let timeout = Duration::from_secs(self.await_authenticator);
let start = SystemTime::now(); let start = SystemTime::now();
while let Ok(el) = start.elapsed() { while let Ok(el) = start.elapsed() {
if el > timeout { if el > timeout {
Err(error::Fido2LuksError::NoAuthenticatorError)?; return Err(error::Fido2LuksError::NoAuthenticatorError);
} }
if get_devices() if get_devices()
.map(|devices| !devices.is_empty()) .map(|devices| !devices.is_empty())
@@ -135,10 +166,9 @@ impl SecretGeneration {
}) })
.collect::<Vec<_>>(); .collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>(); let credentials = credentials.iter().collect::<Vec<_>>();
Ok(assemble_secret( let (secret, credential) =
&perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?, perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?;
&salt, Ok((assemble_secret(&secret, &salt), credential.clone()))
))
} }
} }
@@ -170,7 +200,9 @@ impl OtherSecret {
) -> Fido2LuksResult<Vec<u8>> { ) -> Fido2LuksResult<Vec<u8>> {
match &self.keyfile { match &self.keyfile {
Some(keyfile) => util::read_keyfile(keyfile.clone()), Some(keyfile) => util::read_keyfile(keyfile.clone()),
None if self.fido_device => Ok(Vec::from(&secret_gen.obtain_secret()?[..])), None if self.fido_device => {
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
}
None => util::read_password(password_question, verify_password) None => util::read_password(password_question, verify_password)
.map(|p| p.as_bytes().to_vec()), .map(|p| p.as_bytes().to_vec()),
} }
@@ -195,6 +227,9 @@ pub enum Command {
/// Will wipe all other keys /// Will wipe all other keys
#[structopt(short = "e", long = "exclusive")] #[structopt(short = "e", long = "exclusive")]
exclusive: bool, exclusive: bool,
/// Will add an token to your LUKS 2 header, including the credential id
#[structopt(short = "t", long = "token")]
token: bool,
#[structopt(flatten)] #[structopt(flatten)]
existing_secret: OtherSecret, existing_secret: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
@@ -210,6 +245,9 @@ pub enum Command {
/// Add the password and keep the key /// Add the password and keep the key
#[structopt(short = "a", long = "add-password")] #[structopt(short = "a", long = "add-password")]
add_password: bool, add_password: bool,
// /// Will add an token to your LUKS 2 header, including the credential id
// #[structopt(short = "t", long = "token")]
// token: bool,
#[structopt(flatten)] #[structopt(flatten)]
replacement: OtherSecret, replacement: OtherSecret,
#[structopt(flatten)] #[structopt(flatten)]
@@ -229,6 +267,15 @@ pub enum Command {
#[structopt(flatten)] #[structopt(flatten)]
secret_gen: SecretGeneration, secret_gen: SecretGeneration,
}, },
/// Open the LUKS device using information embedded into the LUKS 2 header
#[structopt(name = "open-token")]
OpenToken {
#[structopt(env = "FIDO2LUKS_DEVICE")]
device: PathBuf,
#[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
name: String,
salt: String,
},
/// Generate a new FIDO credential /// Generate a new FIDO credential
#[structopt(name = "credential")] #[structopt(name = "credential")]
Credential { Credential {
@@ -258,29 +305,33 @@ pub fn run_cli() -> Fido2LuksResult<()> {
binary, binary,
ref secret_gen, ref secret_gen,
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let secret = secret_gen
.patch(&args, Some(false))
.obtain_secret("Password")?;
if *binary { if *binary {
stdout.write(&secret[..])?; stdout.write_all(&secret[..])?;
} else { } else {
stdout.write(hex::encode(&secret[..]).as_bytes())?; stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
} }
Ok(stdout.flush()?) Ok(stdout.flush()?)
} }
Command::AddKey { Command::AddKey {
device, device,
exclusive, exclusive,
token,
existing_secret, existing_secret,
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
} => { } => {
let secret_gen = secret_gen.patch(&args); let secret_gen = secret_gen.patch(&args, None);
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?; let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
let secret = secret_gen.obtain_secret()?; let (secret, credential) = secret_gen.obtain_secret_and_credential("Password")?;
let added_slot = luks::add_key( let added_slot = luks::add_key(
device.clone(), device.clone(),
&secret, &secret,
&old_secret[..], &old_secret[..],
luks_settings.kdf_time.or(Some(10)), luks_settings.kdf_time.or(Some(10)),
Some(&credential.id[..]).filter(|_| *token),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks::remove_keyslots(&device, &[added_slot])?; let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
@@ -302,17 +353,30 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Command::ReplaceKey { Command::ReplaceKey {
device, device,
add_password, add_password,
//token,
replacement, replacement,
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
} => { } => {
let secret_gen = secret_gen.patch(&args); let secret_gen = secret_gen.patch(&args, Some(false));
let secret = secret_gen.patch(&args).obtain_secret()?; let secret = secret_gen.obtain_secret("Password")?;
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?; let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time) luks::add_key(
device,
&new_secret[..],
&secret,
luks_settings.kdf_time,
None,
)
} else { } else {
luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time) luks::replace_key(
device,
&new_secret[..],
&secret,
luks_settings.kdf_time,
None,
)
}?; }?;
println!( println!(
"Added to password to device {}, slot: {}", "Added to password to device {}, slot: {}",
@@ -330,20 +394,17 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let mut retries = *retries; let mut retries = *retries;
loop { loop {
match secret_gen match secret_gen
.patch(&args) .patch(&args, Some(false))
.obtain_secret() .obtain_secret("Password")
.and_then(|secret| luks::open_container(&device, &name, &secret)) .and_then(|secret| luks::open_container(&device, &name, &secret))
{ {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => (), Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause } Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
{
()
}
e => break Err(e)?, e => return Err(e),
} }
retries -= 1; retries -= 1;
eprintln!("{}", e); eprintln!("{}", e);
@@ -352,6 +413,31 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
} }
} }
// TODO: utilise salt
Command::OpenToken {
device,
name,
salt: _,
} => luks::open_container_token(
device,
&name[..],
Box::new(|creds| {
let (secret, cred) = SecretGeneration {
credential_ids: CommaSeparated(
creds
.iter()
.map(|c| HexEncoded::from_str(&c[..]).unwrap())
.collect(),
),
salt: InputSalt::String("".into()),
password_helper: Default::default(),
await_authenticator: 100,
verify_password: None,
}
.obtain_secret_and_credential("Password")?;
Ok((secret, hex::encode(cred.id)))
}),
),
Command::Connected => match get_devices() { Command::Connected => match get_devices() {
Ok(ref devs) if !devs.is_empty() => { Ok(ref devs) if !devs.is_empty() => {
println!("Found {} devices", devs.len()); println!("Found {} devices", devs.len());

5
src/config.rs
View File

@@ -24,7 +24,7 @@ impl Default for InputSalt {
impl From<&str> for InputSalt { impl From<&str> for InputSalt {
fn from(s: &str) -> Self { fn from(s: &str) -> Self {
let mut parts = s.split(":").into_iter(); let mut parts = s.split(':');
match parts.next() { match parts.next() {
Some("ask") | Some("Ask") => InputSalt::AskPassword, Some("ask") | Some("Ask") => InputSalt::AskPassword,
Some("file") => InputSalt::File { Some("file") => InputSalt::File {
@@ -87,6 +87,7 @@ impl InputSalt {
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
pub enum PasswordHelper { pub enum PasswordHelper {
Script(String), Script(String),
#[allow(dead_code)]
Systemd, Systemd,
Stdin, Stdin,
} }
@@ -134,7 +135,7 @@ impl PasswordHelper {
Systemd => unimplemented!(), Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?), Stdin => Ok(util::read_password("Password", true)?),
Script(password_helper) => { Script(password_helper) => {
let mut helper_parts = password_helper.split(" "); let mut helper_parts = password_helper.split(' ');
let password = Command::new((&mut helper_parts).next().unwrap()) let password = Command::new((&mut helper_parts).next().unwrap())
.args(helper_parts) .args(helper_parts)

19
src/device.rs
View File

@@ -1,12 +1,13 @@
use crate::error::*; use crate::error::*;
use crate::util;
use ctap::{ use ctap::{
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder, self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind, FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
}; };
use std::time::Duration; use std::time::Duration;
const RP_ID: &'static str = "fido2luks"; const RP_ID: &str = "fido2luks";
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> { pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID); let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
@@ -23,24 +24,26 @@ pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential>
)?) )?)
} }
pub fn perform_challenge( pub fn perform_challenge<'a>(
credentials: &[&FidoCredential], credentials: &'a [&'a FidoCredential],
salt: &[u8; 32], salt: &[u8; 32],
timeout: Duration, timeout: Duration,
) -> Fido2LuksResult<[u8; 32]> { ) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
let request = FidoAssertionRequestBuilder::default() let request = FidoAssertionRequestBuilder::default()
.rp_id(RP_ID) .rp_id(RP_ID)
.credentials(credentials) .credentials(credentials)
.build() .build()
.unwrap(); .unwrap();
let get_assertion = |device: &mut FidoDevice| device.get_hmac_assertion(&request, &salt, None); let get_assertion = |device: &mut FidoDevice| {
let (_, (secret, _)) = request_multiple_devices( device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
};
let (credential, (secret, _)) = request_multiple_devices(
get_devices()? get_devices()?
.iter_mut() .iter_mut()
.map(|device| (device, &get_assertion)), .map(|device| (device, &get_assertion)),
Some(timeout), Some(timeout),
)?; )?;
Ok(secret) Ok((secret, credential))
} }
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
@@ -49,7 +52,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
match FidoDevice::new(&di) { match FidoDevice::new(&di) {
Err(e) => match e.kind() { Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (), FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => Err(FidoError::from(err))?, err => return Err(FidoError::from(err).into()),
}, },
Ok(dev) => devices.push(dev), Ok(dev) => devices.push(dev),
} }

38
src/error.rs
View File

@@ -13,11 +13,13 @@ pub enum Fido2LuksError {
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: ctap::FidoError },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = "luks err")] #[fail(display = " {}", cause)]
LuksError { CryptsetupError {
cause: libcryptsetup_rs::LibcryptErr, cause: libcryptsetup_rs::LibcryptErr,
}, },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "{}", cause)]
LuksError { cause: LuksError },
#[fail(display = "{}", cause)]
IoError { cause: io::Error }, IoError { cause: io::Error },
#[fail(display = "supplied secret isn't valid for this device")] #[fail(display = "supplied secret isn't valid for this device")]
WrongSecret, WrongSecret,
@@ -46,7 +48,35 @@ pub enum AskPassError {
Mismatch, Mismatch,
} }
#[derive(Debug, Fail)]
pub enum LuksError {
#[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
Luks2Required,
#[fail(display = "Invalid token: {}", _0)]
InvalidToken(String),
#[fail(display = "No token found")]
NoToken,
#[fail(display = "The device already exists")]
DeviceExists,
}
impl LuksError {
pub fn activate(e: LibcryptErr) -> Fido2LuksError {
match e {
LibcryptErr::IOError(ref io) => match io.raw_os_error() {
Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
Some(17) => Fido2LuksError::LuksError {
cause: LuksError::DeviceExists,
},
_ => return Fido2LuksError::CryptsetupError { cause: e },
},
_ => Fido2LuksError::CryptsetupError { cause: e },
}
}
}
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::io::ErrorKind;
use std::string::FromUtf8Error; use std::string::FromUtf8Error;
use Fido2LuksError::*; use Fido2LuksError::*;
@@ -62,7 +92,7 @@ impl From<LibcryptErr> for Fido2LuksError {
LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => { LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
WrongSecret WrongSecret
} }
_ => LuksError { cause: e }, _ => CryptsetupError { cause: e },
} }
} }
} }

189
src/luks.rs
View File

@@ -1,11 +1,43 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, KeyslotInfo}; use libcryptsetup_rs::{
CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
TokenInput,
};
use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
let mut device = CryptInit::init(path.as_ref())?; let mut device = CryptInit::init(path.as_ref())?;
Ok(device.context_handle().load::<()>(None, None).map(|_| device)?) device.context_handle().load::<()>(None, None)?;
Ok(device)
}
fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
match device.format_handle().get_type()? {
EncryptionFormat::Luks2 => Ok(()),
_ => Err(Fido2LuksError::LuksError {
cause: LuksError::Luks2Required,
}),
}
}
#[derive(Debug, Clone, Serialize, Deserialize)]
struct Fido2LuksToken {
#[serde(rename = "type")]
type_: String,
credential: Vec<String>,
keyslots: Vec<String>,
}
impl Fido2LuksToken {
fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
Self {
type_: "fido2luks\0".into(), // Doubles as c style string
credential: vec![hex::encode(credential_id)],
keyslots: vec![slot.to_string()],
}
}
} }
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> { pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
@@ -17,11 +49,78 @@ pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fid
.map_err(|_e| Fido2LuksError::WrongSecret) .map_err(|_e| Fido2LuksError::WrongSecret)
} }
pub fn open_container_token<P: AsRef<Path>>(
path: P,
name: &str,
secret: Box<dyn Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>>,
) -> Fido2LuksResult<()> {
let mut device = load_device_handle(path)?;
check_luks2(&mut device)?;
let mut creds = HashMap::new();
for i in 0..256 {
let status = device.token_handle().status(i)?;
match status {
CryptTokenInfo::Inactive => break,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != "fido2luks" =>
{
continue
}
_ => (),
};
let json = device.token_handle().json_get(i)?;
let info: Fido2LuksToken =
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
})?;
let slots = || {
info.keyslots
.iter()
.filter_map(|slot| slot.parse::<u32>().ok())
};
for cred in info.credential.iter().cloned() {
creds
.entry(cred)
.or_insert_with(|| slots().collect::<HashSet<u32>>())
.extend(slots());
}
}
if creds.is_empty() {
return Err(Fido2LuksError::LuksError {
cause: LuksError::NoToken,
});
}
let (secret, credential) = secret(creds.keys().cloned().collect())?;
let slots = creds.get(&credential).unwrap();
let slots = slots
.iter()
.cloned()
.map(Option::Some)
.chain(std::iter::once(None).take(slots.is_empty() as usize));
for slot in slots {
match device
.activate_handle()
.activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
.map(|_slot| ())
.map_err(LuksError::activate)
{
Err(Fido2LuksError::WrongSecret) => (),
res => return res,
}
}
Err(Fido2LuksError::WrongSecret)
}
pub fn add_key<P: AsRef<Path>>( pub fn add_key<P: AsRef<Path>>(
path: P, path: P,
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
@@ -30,28 +129,77 @@ pub fn add_key<P: AsRef<Path>>(
let slot = device let slot = device
.keyslot_handle() .keyslot_handle()
.add_by_passphrase(None, old_secret, secret)?; .add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id {
/* if let e @ Err(_) = check_luks2(&mut device) {
//rollback
device.keyslot_handle(Some(slot)).destroy()?;
return e.map(|_| 0u32);
}*/
device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
Ok(slot) Ok(slot)
} }
fn find_token(
device: &mut CryptDevice,
slot: u32,
) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
for i in 0..256 {
let status = device.token_handle().status(i)?;
match status {
CryptTokenInfo::Inactive => break,
CryptTokenInfo::Internal(s)
| CryptTokenInfo::InternalUnknown(s)
| CryptTokenInfo::ExternalUnknown(s)
| CryptTokenInfo::External(s)
if &s != "fido2luks" =>
{
continue
}
_ => (),
};
let json = device.token_handle().json_get(i)?;
let info: Fido2LuksToken =
serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
cause: LuksError::InvalidToken(json.to_string()),
})?;
if info.keyslots.contains(&slot.to_string()) {
return Ok(Some((i, info)));
}
}
Ok(None)
}
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> { pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
let mut handle = device.keyslot_handle();
let mut destroyed = 0; let mut destroyed = 0;
//TODO: detect how many keyslots there are instead of trying within a given range let mut tokens = Vec::new();
for slot in 0..1024 { for slot in 0..256 {
match device.keyslot_handle().status(slot)? {
match handle.status(slot)? {
KeyslotInfo::Inactive => continue, KeyslotInfo::Inactive => continue,
KeyslotInfo::Active if !exclude.contains(&slot) => { KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
handle.destroy(slot)?; if let Ok(_) = check_luks2(&mut device) {
if let Some((token, _)) = dbg!(find_token(&mut device, slot))? {
tokens.push(token);
}
}
device.keyslot_handle().destroy(slot)?;
destroyed += 1; destroyed += 1;
} }
_ => (),
}
match handle.status(slot)? {
KeyslotInfo::ActiveLast => break, KeyslotInfo::ActiveLast => break,
_ => (), _ => (),
} }
if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
break;
}
}
for token in tokens.iter() {
device
.token_handle()
.json_set(TokenInput::RemoveToken(*token))?;
} }
Ok(destroyed) Ok(destroyed)
} }
@@ -61,13 +209,26 @@ pub fn replace_key<P: AsRef<Path>>(
secret: &[u8], secret: &[u8],
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
// Set iteration time not sure wether this applies to luks2 as well // Set iteration time not sure wether this applies to luks2 as well
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
device.settings_handle().set_iteration_time(millis) device.settings_handle().set_iteration_time(millis)
} }
Ok(device let slot = device
.keyslot_handle() .keyslot_handle()
.change_by_passphrase(None, None, old_secret, secret)? as u32) .change_by_passphrase(None, None, old_secret, secret)? as u32;
if let Some(id) = credential_id {
if check_luks2(&mut device).is_ok() {
let token = find_token(&mut device, slot)?.map(|(t, _)| t);
if let Some(token) = token {
device.token_handle().json_set(TokenInput::ReplaceToken(
token,
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
))?;
}
}
}
Ok(slot)
} }

2
src/main.rs
View File

@@ -1,6 +1,8 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap; extern crate ctap_hmac as ctap;
#[macro_use]
extern crate serde_derive;
use crate::cli::*; use crate::cli::*;
use crate::config::*; use crate::config::*;
use crate::device::*; use crate::device::*;

4
src/util.rs
View File

@@ -4,7 +4,7 @@ use std::fs::File;
use std::io::Read; use std::io::Read;
use std::path::PathBuf; use std::path::PathBuf;
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] { pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256); let mut digest = digest::Context::new(&digest::SHA256);
for m in messages.iter() { for m in messages.iter() {
digest.update(m); digest.update(m);
@@ -23,7 +23,7 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
{ {
Err(Fido2LuksError::AskPassError { Err(Fido2LuksError::AskPassError {
cause: AskPassError::Mismatch, cause: AskPassError::Mismatch,
})? })
} }
pass => Ok(pass), pass => Ok(pass),
} }