shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

base: shimun:request_multiple
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:0.2.7
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

8 Commits
request_mu ... 0.2.7

Author SHA1 Message Date
shimun
5c0364587e update ctap 2020-04-26 18:58:37 +02:00
shimun
9307503bdc applied clippy lints 2020-04-07 20:06:24 +02:00
shimun
b94f45d1ff patch secret_gen before obtaing first secret 2020-04-06 23:33:41 +02:00
shimun
c8fb636846 mention clang build dependency 2020-04-06 22:52:15 +02:00
shimun
49e2835f60 enable fido requests to be sent to multiple devices at once 2020-04-06 21:38:11 +02:00
shimun
bb7ee7c1ce request password only once if possible 2020-04-03 22:02:05 +02:00
shimun
0ba77963d2 update ctap_hmac 2020-04-02 17:22:15 +02:00
shimun
c99d7f562d support luks2 2020-03-27 20:08:54 +01:00
8 changed files with 447 additions and 413 deletions
Expand all files Collapse all files

737
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

6
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.2.6" version = "0.2.7"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -14,13 +14,13 @@ categories = ["command-line-utilities"]
license-file = "LICENSE" license-file = "LICENSE"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.1", features = ["request_multiple"] } ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.13.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = { git = "https://github.com/shimunn/libcryptsetup-rs.git", branch = "crypt_load_ptr_null" } libcryptsetup-rs = "0.2.0"
[profile.release] [profile.release]
lto = true lto = true

2
README.md
View File

@@ -9,7 +9,7 @@ Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
### Prerequisites ### Prerequisites
``` ```
dnf install cargo cryptsetup-devel -y dnf install clang cargo cryptsetup-devel -y
``` ```
### Device ### Device

64
src/cli.rs
View File

@@ -12,7 +12,9 @@ use std::io::Write;
use std::process::exit; use std::process::exit;
use std::thread; use std::thread;
use crate::util::read_password;
use std::time::SystemTime; use std::time::SystemTime;
#[derive(Debug, Eq, PartialEq, Clone)] #[derive(Debug, Eq, PartialEq, Clone)]
pub struct HexEncoded(pub Vec<u8>); pub struct HexEncoded(pub Vec<u8>);
@@ -97,25 +99,46 @@ pub struct SecretGeneration {
default_value = "15" default_value = "15"
)] )]
pub await_authenticator: u64, pub await_authenticator: u64,
/// Request the password twice to ensure it being correct
#[structopt(
long = "verify-password",
env = "FIDO2LUKS_VERIFY_PASSWORD",
hidden = true
)]
pub verify_password: Option<bool>,
} }
impl SecretGeneration { impl SecretGeneration {
pub fn patch(&self, args: &Args) -> Self { pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
let mut me = self.clone(); let mut me = self.clone();
if args.interactive { if args.interactive {
me.password_helper = PasswordHelper::Stdin; me.password_helper = PasswordHelper::Stdin;
} }
me.verify_password = me.verify_password.or(verify_password);
me me
} }
pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> { pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
let salt = self.salt.obtain(&self.password_helper)?; let mut salt = [0u8; 32];
match self.password_helper {
PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
salt.copy_from_slice(&util::sha256(&[&read_password(
password_query,
self.verify_password.unwrap_or(true),
)?
.as_bytes()[..]]));
}
_ => {
salt = self.salt.obtain(&self.password_helper)?;
}
}
let timeout = Duration::from_secs(self.await_authenticator); let timeout = Duration::from_secs(self.await_authenticator);
let start = SystemTime::now(); let start = SystemTime::now();
while let Ok(el) = start.elapsed() { while let Ok(el) = start.elapsed() {
if el > timeout { if el > timeout {
Err(error::Fido2LuksError::NoAuthenticatorError)?; return Err(error::Fido2LuksError::NoAuthenticatorError);
} }
if get_devices() if get_devices()
.map(|devices| !devices.is_empty()) .map(|devices| !devices.is_empty())
@@ -170,7 +193,9 @@ impl OtherSecret {
) -> Fido2LuksResult<Vec<u8>> { ) -> Fido2LuksResult<Vec<u8>> {
match &self.keyfile { match &self.keyfile {
Some(keyfile) => util::read_keyfile(keyfile.clone()), Some(keyfile) => util::read_keyfile(keyfile.clone()),
None if self.fido_device => Ok(Vec::from(&secret_gen.obtain_secret()?[..])), None if self.fido_device => {
Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
}
None => util::read_password(password_question, verify_password) None => util::read_password(password_question, verify_password)
.map(|p| p.as_bytes().to_vec()), .map(|p| p.as_bytes().to_vec()),
} }
@@ -258,11 +283,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
binary, binary,
ref secret_gen, ref secret_gen,
} => { } => {
let secret = secret_gen.patch(&args).obtain_secret()?; let secret = secret_gen
.patch(&args, Some(false))
.obtain_secret("Password")?;
if *binary { if *binary {
stdout.write(&secret[..])?; stdout.write_all(&secret[..])?;
} else { } else {
stdout.write(hex::encode(&secret[..]).as_bytes())?; stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
} }
Ok(stdout.flush()?) Ok(stdout.flush()?)
} }
@@ -273,9 +300,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
} => { } => {
let secret_gen = secret_gen.patch(&args); let secret_gen = secret_gen.patch(&args, None);
let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?; let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
let secret = secret_gen.obtain_secret()?; let secret = secret_gen.obtain_secret("Password")?;
let added_slot = luks::add_key( let added_slot = luks::add_key(
device.clone(), device.clone(),
&secret, &secret,
@@ -306,8 +333,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
ref secret_gen, ref secret_gen,
luks_settings, luks_settings,
} => { } => {
let secret_gen = secret_gen.patch(&args); let secret_gen = secret_gen.patch(&args, Some(false));
let secret = secret_gen.patch(&args).obtain_secret()?; let secret = secret_gen.obtain_secret("Password")?;
let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?; let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
let slot = if *add_password { let slot = if *add_password {
luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time) luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
@@ -330,20 +357,17 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let mut retries = *retries; let mut retries = *retries;
loop { loop {
match secret_gen match secret_gen
.patch(&args) .patch(&args, Some(false))
.obtain_secret() .obtain_secret("Password")
.and_then(|secret| luks::open_container(&device, &name, &secret)) .and_then(|secret| luks::open_container(&device, &name, &secret))
{ {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => (), Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause } Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
{
()
}
e => break Err(e)?, e => return Err(e),
} }
retries -= 1; retries -= 1;
eprintln!("{}", e); eprintln!("{}", e);

5
src/config.rs
View File

@@ -24,7 +24,7 @@ impl Default for InputSalt {
impl From<&str> for InputSalt { impl From<&str> for InputSalt {
fn from(s: &str) -> Self { fn from(s: &str) -> Self {
let mut parts = s.split(":").into_iter(); let mut parts = s.split(':');
match parts.next() { match parts.next() {
Some("ask") | Some("Ask") => InputSalt::AskPassword, Some("ask") | Some("Ask") => InputSalt::AskPassword,
Some("file") => InputSalt::File { Some("file") => InputSalt::File {
@@ -87,6 +87,7 @@ impl InputSalt {
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
pub enum PasswordHelper { pub enum PasswordHelper {
Script(String), Script(String),
#[allow(dead_code)]
Systemd, Systemd,
Stdin, Stdin,
} }
@@ -134,7 +135,7 @@ impl PasswordHelper {
Systemd => unimplemented!(), Systemd => unimplemented!(),
Stdin => Ok(util::read_password("Password", true)?), Stdin => Ok(util::read_password("Password", true)?),
Script(password_helper) => { Script(password_helper) => {
let mut helper_parts = password_helper.split(" "); let mut helper_parts = password_helper.split(' ');
let password = Command::new((&mut helper_parts).next().unwrap()) let password = Command::new((&mut helper_parts).next().unwrap())
.args(helper_parts) .args(helper_parts)

9
src/device.rs
View File

@@ -1,12 +1,13 @@
use crate::error::*; use crate::error::*;
use crate::util;
use ctap::{ use ctap::{
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder, self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind, FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
}; };
use std::time::Duration; use std::time::Duration;
const RP_ID: &'static str = "fido2luks"; const RP_ID: &str = "fido2luks";
pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> { pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID); let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
@@ -33,7 +34,9 @@ pub fn perform_challenge(
.credentials(credentials) .credentials(credentials)
.build() .build()
.unwrap(); .unwrap();
let get_assertion = |device: &mut FidoDevice| device.get_hmac_assertion(&request, &salt, None); let get_assertion = |device: &mut FidoDevice| {
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
};
let (_, (secret, _)) = request_multiple_devices( let (_, (secret, _)) = request_multiple_devices(
get_devices()? get_devices()?
.iter_mut() .iter_mut()
@@ -49,7 +52,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
match FidoDevice::new(&di) { match FidoDevice::new(&di) {
Err(e) => match e.kind() { Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (), FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => Err(FidoError::from(err))?, err => return Err(FidoError::from(err).into()),
}, },
Ok(dev) => devices.push(dev), Ok(dev) => devices.push(dev),
} }

33
src/luks.rs
View File

@@ -1,11 +1,21 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, KeyslotInfo}; use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
use std::path::Path; use std::path::Path;
fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> { fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
let mut device = CryptInit::init(path.as_ref())?; let mut device = CryptInit::init(path.as_ref())?;
Ok(device.context_handle().load::<()>(None, None).map(|_| device)?) //TODO: determine luks version some way other way than just trying
let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
.into_iter()
.fold(None, |res, format| match res {
Some(Ok(())) => res,
Some(e) => Some(e.or_else(|_| load(format))),
None => Some(load(format)),
})
.unwrap()?;
Ok(device)
} }
pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> { pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
@@ -28,29 +38,28 @@ pub fn add_key<P: AsRef<Path>>(
device.settings_handle().set_iteration_time(millis) device.settings_handle().set_iteration_time(millis)
} }
let slot = device let slot = device
.keyslot_handle() .keyslot_handle(None)
.add_by_passphrase(None,old_secret, secret)?; .add_by_passphrase(old_secret, secret)?;
Ok(slot) Ok(slot)
} }
pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> { pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
let mut device = load_device_handle(path)?; let mut device = load_device_handle(path)?;
let mut handle = device.keyslot_handle(); let mut handle;
let mut destroyed = 0; let mut destroyed = 0;
//TODO: detect how many keyslots there are instead of trying within a given range //TODO: detect how many keyslots there are instead of trying within a given range
for slot in 0..1024 { for slot in 0..1024 {
handle = device.keyslot_handle(Some(slot));
match handle.status(slot)? { match handle.status()? {
KeyslotInfo::Inactive => continue, KeyslotInfo::Inactive => continue,
KeyslotInfo::Active if !exclude.contains(&slot) => { KeyslotInfo::Active if !exclude.contains(&slot) => {
handle.destroy(slot)?; handle.destroy()?;
destroyed += 1; destroyed += 1;
} }
_ => (), _ => (),
} }
match handle.status(slot)? { if let KeyslotInfo::ActiveLast = handle.status()? {
KeyslotInfo::ActiveLast => break, break;
_ => (),
} }
} }
Ok(destroyed) Ok(destroyed)
@@ -68,6 +77,6 @@ pub fn replace_key<P: AsRef<Path>>(
device.settings_handle().set_iteration_time(millis) device.settings_handle().set_iteration_time(millis)
} }
Ok(device Ok(device
.keyslot_handle() .keyslot_handle(None)
.change_by_passphrase(None, None, old_secret, secret)? as u32) .change_by_passphrase(None, None, old_secret, secret)? as u32)
} }

4
src/util.rs
View File

@@ -4,7 +4,7 @@ use std::fs::File;
use std::io::Read; use std::io::Read;
use std::path::PathBuf; use std::path::PathBuf;
pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] { pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
let mut digest = digest::Context::new(&digest::SHA256); let mut digest = digest::Context::new(&digest::SHA256);
for m in messages.iter() { for m in messages.iter() {
digest.update(m); digest.update(m);
@@ -23,7 +23,7 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
{ {
Err(Fido2LuksError::AskPassError { Err(Fido2LuksError::AskPassError {
cause: AskPassError::Mismatch, cause: AskPassError::Mismatch,
})? })
} }
pass => Ok(pass), pass => Ok(pass),
} }