shimun/fido2luks
1
0
Fork 0
Code Issues Pull Requests 3 Releases Wiki Activity

Compare commits

merge into: shimun:retry_pin
Branches Tags
shimun:master shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
...
pull from: shimun:0.3.0-alpha
Branches Tags
shimun:0.3.0-alpha shimun:ctap-hid-fido2 shimun:retry_pin shimun:master shimun:0.3.0 shimun:debVM shimun:flake shimun:password_promt shimun:dracut shimun:initcpio shimun:pam_mod shimun:setup shimun:completions shimun:pkgbuild shimun:pin_source shimun:relicense shimun:deb shimun:initramfs-tools shimun:luks_refr shimun:0.2.8 shimun:luks2_token shimun:cli_reorg shimun:request_multiple shimun:luks2 shimun:cratesio shimun:isalt shimun:connected shimun:keyutils
shimun:0.2.20 shimun:0.2.19 shimun:0.2.18 shimun:0.2.17 shimun:0.2.16 shimun:0.2.15 shimun:0.2.14 shimun:0.2.13 shimun:0.2.12 shimun:0.2.11 shimun:0.2.10 shimun:0.2.9 shimun:0.2.8 shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

17 Commits
retry_pin ... 0.3.0-alph

Author SHA1 Message Date
shimun
acd4021e03 Merge remote-tracking branch 'gt/ctap-hid-fido2' into 0.3.0-alpha 2024-03-03 19:41:19 +01:00
shimun
238d877e2f chore: update naersk 2024-02-11 19:37:12 +01:00
shimun
93e8a33c0e chore: update deps 2023-12-17 13:53:14 +01:00
shimunn
fb60987468 build nix package 2023-10-02 11:55:56 +02:00
shimun
871b2863b2 fix: build env 2022-09-28 19:48:30 +02:00
shimun
f436ae538d chore: update 2022-07-28 15:10:28 +02:00
shimun
17c96090bd fix: ctap crate 2022-07-05 15:35:54 +02:00
shimun
fce6ea2e31 fix: use patched ctap-hid crate 2022-06-16 17:42:50 +02:00
shimun
b566af46f7 fix: prevent creation of rk credential 2022-06-15 01:16:06 +02:00
shimun
1f0d555cea added: comment field to luks header data 2022-04-15 17:06:11 +02:00
shimun
2255f224a5 bump version 2022-04-11 14:36:07 +02:00
shimun
581e1780d1 update ctap-hid 2022-04-10 17:23:25 +02:00
shimun
7daa5a3fdb use develop version 2022-04-04 10:57:57 +02:00
shimun
4e986b8f05 removed: keepalive msg 2022-03-29 15:58:51 +02:00
shimun
ca82293976 fix: reintroduce connected command 2022-03-29 15:58:16 +02:00
shimun
d5b043840f chore: migrate to ctap-hid-fido2 2022-03-27 10:00:12 +02:00
shimun
eb8d65eb4f switch to ctap-hid-fido2 2022-03-23 19:30:24 +01:00
13 changed files with 942 additions and 778 deletions
Expand all files Collapse all files

32
.github/workflows/current.yml vendored Normal file
View File

@@ -0,0 +1,32 @@
# This is a basic workflow to help you get started with Actions
name: Current
# Controls when the workflow will run
on:
schedule:
- cron: '0 22 * * 6'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v4
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
- name: Build Nix Package nixos-unstable
run: nix build --override-input nixpkgs github:nixos/nixpkgs/nixos-unstable --show-trace

33
.github/workflows/locked.yml vendored Normal file
View File

@@ -0,0 +1,33 @@
# This is a basic workflow to help you get started with Actions
name: Locked
# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the "master" branch
push:
branches: '*'
pull_request:
branches: '*'
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v4
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
- name: Build Nix Package
run: nix build -j 10 --show-trace

1255
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

15
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2luks" name = "fido2luks"
version = "0.3.0-alpha" version = "0.3.1-alpha"
authors = ["shimunn <shimun@shimun.net>"] authors = ["shimunn <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -14,25 +14,26 @@ categories = ["command-line-utilities"]
license = "MPL-2.0" license = "MPL-2.0"
[dependencies] [dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.16.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
structopt = "0.3.2" structopt = "0.3.2"
libcryptsetup-rs = "0.4.2" libcryptsetup-rs = "0.9.1"
serde_json = "1.0.51" serde_json = "1.0.51"
serde_derive = "1.0.116" serde_derive = "1.0.116"
serde = "1.0.116" serde = "1.0.116"
anyhow = "1.0.56"
ctap-hid-fido2 = "3.4.1"
[build-dependencies] [build-dependencies]
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
hex = "0.3.2" hex = "0.3.2"
ring = "0.13.5" ring = "0.16.5"
failure = "0.1.5" failure = "0.1.5"
rpassword = "4.0.1" rpassword = "4.0.1"
libcryptsetup-rs = "0.4.1" libcryptsetup-rs = "0.9.1"
structopt = "0.3.2" structopt = "0.3.2"
anyhow = "1.0.56"
[profile.release] [profile.release]
lto = true lto = true

8
build.rs
View File

@@ -1,7 +1,6 @@
#![allow(warnings)] #![allow(warnings)]
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap;
#[path = "src/cli_args/mod.rs"] #[path = "src/cli_args/mod.rs"]
mod cli_args; mod cli_args;
@@ -12,17 +11,22 @@ mod util;
use cli_args::Args; use cli_args::Args;
use std::env; use std::env;
use std::fs;
use std::path::PathBuf;
use std::str::FromStr; use std::str::FromStr;
use structopt::clap::Shell; use structopt::clap::Shell;
use structopt::StructOpt; use structopt::StructOpt;
fn main() { fn main() {
let env_outdir = env::var_os("OUT_DIR").unwrap();
let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
fs::create_dir_all(&outdir).unwrap();
// generate completion scripts, zsh does panic for some reason // generate completion scripts, zsh does panic for some reason
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") { for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
Args::clap().gen_completions( Args::clap().gen_completions(
env!("CARGO_PKG_NAME"), env!("CARGO_PKG_NAME"),
Shell::from_str(shell).unwrap(), Shell::from_str(shell).unwrap(),
env!("CARGO_MANIFEST_DIR"), &outdir,
); );
} }
} }

42
flake.lock generated
View File

@@ -7,26 +7,26 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1639051343, "lastModified": 1698420672,
"narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=", "narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
"owner": "nmattia", "owner": "nix-community",
"repo": "naersk", "repo": "naersk",
"rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74", "rev": "aeb58d5e8faead8980a807c840232697982d47b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nmattia", "owner": "nix-community",
"repo": "naersk", "repo": "naersk",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1638109994, "lastModified": 1705496572,
"narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=", "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a284564b7f75ac4db73607db02076e8da9d42c9d", "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -41,13 +41,31 @@
"utils": "utils" "utils": "utils"
} }
}, },
"utils": { "systems": {
"locked": { "locked": {
"lastModified": 1638122382, "lastModified": 1681028828,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b", "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github" "type": "github"
}, },
"original": { "original": {

12
flake.nix
View File

@@ -4,7 +4,7 @@
inputs = { inputs = {
utils.url = "github:numtide/flake-utils"; utils.url = "github:numtide/flake-utils";
naersk = { naersk = {
url = "github:nmattia/naersk"; url = "github:nix-community/naersk";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
@@ -16,17 +16,17 @@
forPkgs = pkgs: forPkgs = pkgs:
let let
naersk-lib = naersk.lib."${pkgs.system}"; naersk-lib = naersk.lib."${pkgs.system}";
buildInputs = with pkgs; [ cryptsetup ]; buildInputs = with pkgs; [ cryptsetup cryptsetup.dev udev.dev ];
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [
pkgconfig rustPlatform.bindgenHook
pkg-config
clang clang
]; ];
in in
rec { rec {
# `nix build` # `nix build`
packages.${pname} = naersk-lib.buildPackage { packages.${pname} = naersk-lib.buildPackage {
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH; inherit pname root buildInputs nativeBuildInputs;
}; };
defaultPackage = packages.${pname}; defaultPackage = packages.${pname};
@@ -51,7 +51,7 @@
# `nix develop` # `nix develop`
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs; nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
inherit buildInputs LIBCLANG_PATH; inherit buildInputs;
}; };
}; };
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}"; forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";

97
src/cli.rs
View File

@@ -4,14 +4,13 @@ use crate::util::sha256;
use crate::*; use crate::*;
pub use cli_args::Args; pub use cli_args::Args;
use cli_args::*; use cli_args::*;
use ctap::{FidoCredential, FidoErrorKind}; use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use std::borrow::Cow; use std::borrow::Cow;
use std::collections::HashSet; use std::collections::HashSet;
use std::io::Write; use std::io::Write;
use std::iter::FromIterator; use std::iter::FromIterator;
use std::path::Path; use std::path::Path;
use std::str::FromStr; use std::str::FromStr;
use std::thread;
use std::time::Duration; use std::time::Duration;
use std::time::SystemTime; use std::time::SystemTime;
use structopt::clap::Shell; use structopt::clap::Shell;
@@ -26,31 +25,31 @@ fn derive_secret(
salt: &[u8; 32], salt: &[u8; 32],
timeout: u64, timeout: u64,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], FidoCredential)> { ) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
if credentials.is_empty() { if credentials.is_empty() {
return Err(Fido2LuksError::InsufficientCredentials); return Err(Fido2LuksError::InsufficientCredentials);
} }
let timeout = Duration::from_secs(timeout); let timeout = Duration::from_secs(timeout);
let start = SystemTime::now(); let start = SystemTime::now();
while let Ok(el) = start.elapsed() { //while let Ok(el) = start.elapsed() {
if el > timeout { // if el > timeout {
return Err(error::Fido2LuksError::NoAuthenticatorError); // return Err(error::Fido2LuksError::NoAuthenticatorError);
} // }
if get_devices() // if get_devices()
.map(|devices| !devices.is_empty()) // .map(|devices| !devices.is_empty())
.unwrap_or(false) // .unwrap_or(false)
{ // {
break; // break;
} // }
thread::sleep(Duration::from_millis(500)); // thread::sleep(Duration::from_millis(500));
} //}
let credentials = credentials let credentials = credentials
.iter() .iter()
.map(|hex| FidoCredential { .map(|hex| PublicKeyCredentialDescriptor {
id: hex.0.clone(), id: hex.0.clone(),
public_key: None, ctype: Default::default(),
}) })
.collect::<Vec<_>>(); .collect::<Vec<_>>();
let credentials = credentials.iter().collect::<Vec<_>>(); let credentials = credentials.iter().collect::<Vec<_>>();
@@ -182,7 +181,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} else { } else {
None None
}; };
let cred = make_credential_id(Some(name.as_ref()), pin)?; let cred =
make_credential_id(Some(name.as_str()).filter(|name| name.len() > 0), pin, &[])?;
println!("{}", hex::encode(&cred.id)); println!("{}", hex::encode(&cred.id));
Ok(()) Ok(())
} }
@@ -289,7 +289,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
let other_secret = |salt_q: &str, let other_secret = |salt_q: &str,
verify: bool| verify: bool|
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> { -> Fido2LuksResult<(
Vec<u8>,
Option<PublicKeyCredentialDescriptor>,
)> {
match other_secret { match other_secret {
OtherSecret { OtherSecret {
keyfile: Some(file), keyfile: Some(file),
@@ -314,22 +317,38 @@ pub fn run_cli() -> Fido2LuksResult<()> {
)), )),
} }
}; };
let secret = |q: &str, let secret =
verify: bool, |q: &str,
credentials: &[HexEncoded]| verify: bool,
-> Fido2LuksResult<([u8; 32], FidoCredential)> { credentials: &[HexEncoded]|
let (pin, salt) = inputs(q, verify)?; -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
prompt_interaction(interactive); let (pin, salt) = inputs(q, verify)?;
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref()) prompt_interaction(interactive);
}; derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
};
// Non overlap // Non overlap
match &args.command { match &args.command {
Command::AddKey { Command::AddKey {
exclusive, exclusive,
generate_credential, generate_credential,
comment,
.. ..
} => { } => {
let (existing_secret, _) = other_secret("Current password", false)?; let (existing_secret, existing_credential) =
other_secret("Current password", false)?;
let excluded_credential = existing_credential.as_ref();
let exclude_list = excluded_credential
.as_ref()
.map(core::slice::from_ref)
.unwrap_or_default();
existing_credential.iter().for_each(|cred| {
log(&|| {
format!(
"using credential to unlock container: {}",
hex::encode(&cred.id)
)
})
});
let (new_secret, cred) = if *generate_credential && luks2 { let (new_secret, cred) = if *generate_credential && luks2 {
let cred = make_credential_id( let cred = make_credential_id(
Some(derive_credential_name(luks.device.as_path()).as_str()), Some(derive_credential_name(luks.device.as_path()).as_str()),
@@ -340,6 +359,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
None None
}) })
.as_deref(), .as_deref(),
dbg!(exclude_list),
)?; )?;
log(&|| { log(&|| {
format!( format!(
@@ -361,6 +381,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Some(&cred.id[..]) Some(&cred.id[..])
.filter(|_| !luks.disable_token || *generate_credential) .filter(|_| !luks.disable_token || *generate_credential)
.filter(|_| luks2), .filter(|_| luks2),
comment.as_deref().map(String::from),
)?; )?;
if *exclusive { if *exclusive {
let destroyed = luks_dev.remove_keyslots(&[added_slot])?; let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
@@ -396,6 +417,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
.filter(|_| !luks.disable_token) .filter(|_| !luks.disable_token)
.filter(|_| luks2) .filter(|_| luks2)
.map(|cred| &cred.id[..]), .map(|cred| &cred.id[..]),
None,
) )
} else { } else {
let slot = luks_dev.replace_key( let slot = luks_dev.replace_key(
@@ -501,9 +523,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
Err(e) => { Err(e) => {
match e { match e {
Fido2LuksError::WrongSecret if retries > 0 => {} Fido2LuksError::WrongSecret if retries > 0 => {}
Fido2LuksError::AuthenticatorError { ref cause } //Fido2LuksError::AuthenticatorError { ref cause }
if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {} // if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
e => return Err(e), e => return Err(e),
}; };
retries -= 1; retries -= 1;
@@ -544,8 +565,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
continue; continue;
} }
println!( println!(
"{}:\n\tSlots: {}\n\tCredentials: {}", "{}{}:\n\tSlots: {}\n\tCredentials: {}",
id, id,
token
.comment
.as_deref()
.map(|comment| format!(" - {}", comment))
.unwrap_or_default(),
if token.keyslots.is_empty() { if token.keyslots.is_empty() {
"None".into() "None".into()
} else { } else {
@@ -571,6 +597,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
TokenCommand::Add { TokenCommand::Add {
device, device,
credentials, credentials,
comment,
slot, slot,
} => { } => {
let mut dev = LuksDevice::load(device)?; let mut dev = LuksDevice::load(device)?;
@@ -582,7 +609,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
} }
} }
let count = if tokens.is_empty() { let count = if tokens.is_empty() {
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?; dev.add_token(&Fido2LuksToken::with_credentials(
&credentials.0,
*slot,
comment.as_deref().map(String::from),
))?;
1 1
} else { } else {
tokens.len() tokens.len()

8
src/cli_args/mod.rs
View File

@@ -189,6 +189,9 @@ pub enum Command {
luks: LuksParameters, luks: LuksParameters,
#[structopt(flatten)] #[structopt(flatten)]
credentials: Credentials, credentials: Credentials,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
#[structopt(flatten)] #[structopt(flatten)]
authenticator: AuthenticatorParameters, authenticator: AuthenticatorParameters,
#[structopt(flatten)] #[structopt(flatten)]
@@ -254,7 +257,7 @@ pub enum Command {
#[structopt(flatten)] #[structopt(flatten)]
authenticator: AuthenticatorParameters, authenticator: AuthenticatorParameters,
/// Name to be displayed on the authenticator display /// Name to be displayed on the authenticator display
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")] #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")]
name: String, name: String,
}, },
/// Check if an authenticator is connected /// Check if an authenticator is connected
@@ -295,6 +298,9 @@ pub enum TokenCommand {
long = "creds" long = "creds"
)] )]
credentials: CommaSeparated<HexEncoded>, credentials: CommaSeparated<HexEncoded>,
/// Comment to be associated with this credential
#[structopt(long = "comment")]
comment: Option<String>,
/// Slot to which the credentials will be added /// Slot to which the credentials will be added
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")] #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
slot: u32, slot: u32,

161
src/device.rs
View File

@@ -1,84 +1,133 @@
use crate::error::*; use crate::error::*;
use crate::util; use crate::util;
use ctap::{ use ctap_hid_fido2;
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder, use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind, use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
}; use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
use ctap_hid_fido2::get_fidokey_devices;
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
use ctap_hid_fido2::FidoKeyHidFactory;
use ctap_hid_fido2::HidInfo;
use ctap_hid_fido2::LibCfg;
use std::time::Duration; use std::time::Duration;
const RP_ID: &str = "fido2luks"; const RP_ID: &str = "fido2luks";
fn lib_cfg() -> LibCfg {
let mut cfg = LibCfg::init();
cfg.enable_log = false;
cfg.keep_alive_msg = String::new();
cfg
}
pub fn make_credential_id( pub fn make_credential_id(
name: Option<&str>, name: Option<&str>,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<FidoCredential> { exclude: &[&PublicKeyCredentialDescriptor],
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID); ) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
if let Some(user_name) = name { let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
request = request.user_name(user_name); .extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
} }
let request = request.build().unwrap(); for cred in exclude {
let make_credential = |device: &mut FidoDevice| { req = req.exclude_authenticator(cred.id.as_ref());
if let Some(pin) = pin.filter(|_| device.needs_pin()) { }
device.unlock(pin)?; if let Some(_) = name {
req = req.user_entity(&PublicKeyCredentialUserEntity::new(
Some(b"00"),
name.clone(),
name,
));
}
let devices = get_devices()?;
let mut err: Option<Fido2LuksError> = None;
let req = req.build();
for dev in devices {
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
match handle.make_credential_with_args(&req) {
Ok(resp) => return Ok(resp.credential_descriptor),
Err(e) => err = Some(e.into()),
} }
device.make_hmac_credential(&request) }
}; Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
Ok(request_multiple_devices(
get_devices()?
.iter_mut()
.map(|device| (device, &make_credential)),
None,
)?)
} }
pub fn perform_challenge<'a>( pub fn perform_challenge<'a>(
credentials: &'a [&'a FidoCredential], credentials: &'a [&'a PublicKeyCredentialDescriptor],
salt: &[u8; 32], salt: &[u8; 32],
timeout: Duration, _timeout: Duration,
pin: Option<&str>, pin: Option<&str>,
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> { ) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
let request = FidoAssertionRequestBuilder::default() if credentials.is_empty() {
.rp_id(RP_ID) return Err(Fido2LuksError::InsufficientCredentials);
.credentials(credentials) }
.build() let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
.unwrap(); get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
let get_assertion = |device: &mut FidoDevice| { ]);
if let Some(pin) = pin.filter(|_| device.needs_pin()) { for cred in credentials {
device.unlock(pin)?; req = req.add_credential_id(&cred.id);
}
if let Some(pin) = pin {
req = req.pin(pin);
} else {
req = req.without_pin_and_uv();
}
let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
for att in resp {
for ext in att.extensions.iter() {
match ext {
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
//TODO: eliminate unwrap
let cred_used = credentials
.iter()
.copied()
.find(|cred| {
att.credential_id == cred.id
})
.unwrap();
return Ok((secret.clone(), cred_used));
}
_ => continue,
}
} }
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None) }
Err(Fido2LuksError::WrongSecret)
}; };
let (credential, (secret, _)) = request_multiple_devices(
get_devices()? let devices = get_devices()?;
.iter_mut() let mut err: Option<Fido2LuksError> = None;
.map(|device| (device, &get_assertion)), let req = req.build();
Some(timeout), for dev in devices {
)?; let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
Ok((secret, credential)) match handle.get_assertion_with_args(&req) {
Ok(resp) => return process_response(resp),
Err(e) => err = Some(e.into()),
}
}
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
} }
pub fn may_require_pin() -> Fido2LuksResult<bool> { pub fn may_require_pin() -> Fido2LuksResult<bool> {
for di in ctap::get_devices()? { for dev in get_devices()? {
if let Ok(dev) = FidoDevice::new(&di) { let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
if dev.needs_pin() { let info = handle.get_info()?;
return Ok(true); let needs_pin = info
} .options
.iter()
.any(|(name, val)| &name[..] == "clientPin" && *val);
if needs_pin {
return Ok(true);
} }
} }
Ok(false) Ok(false)
} }
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> { pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> {
let mut devices = Vec::with_capacity(2); Ok(get_fidokey_devices())
for di in ctap::get_devices()? {
match FidoDevice::new(&di) {
Err(e) => match e.kind() {
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
err => return Err(FidoError::from(err).into()),
},
Ok(dev) => devices.push(dev),
}
}
Ok(devices)
} }

16
src/error.rs
View File

@@ -1,4 +1,4 @@
use ctap::FidoError; use anyhow;
use libcryptsetup_rs::LibcryptErr; use libcryptsetup_rs::LibcryptErr;
use std::io; use std::io;
use std::io::ErrorKind; use std::io::ErrorKind;
@@ -14,7 +14,7 @@ pub enum Fido2LuksError {
#[fail(display = "unable to read keyfile: {}", cause)] #[fail(display = "unable to read keyfile: {}", cause)]
KeyfileError { cause: io::Error }, KeyfileError { cause: io::Error },
#[fail(display = "authenticator error: {}", cause)] #[fail(display = "authenticator error: {}", cause)]
AuthenticatorError { cause: ctap::FidoError }, AuthenticatorError { cause: anyhow::Error },
#[fail(display = "no authenticator found, please ensure your device is plugged in")] #[fail(display = "no authenticator found, please ensure your device is plugged in")]
NoAuthenticatorError, NoAuthenticatorError,
#[fail(display = " {}", cause)] #[fail(display = " {}", cause)]
@@ -35,6 +35,12 @@ pub enum Fido2LuksError {
InsufficientCredentials, InsufficientCredentials,
} }
impl From<anyhow::Error> for Fido2LuksError {
fn from(cause: anyhow::Error) -> Self {
Fido2LuksError::AuthenticatorError { cause }
}
}
impl Fido2LuksError { impl Fido2LuksError {
pub fn exit_code(&self) -> i32 { pub fn exit_code(&self) -> i32 {
use Fido2LuksError::*; use Fido2LuksError::*;
@@ -91,12 +97,6 @@ impl From<LuksError> for Fido2LuksError {
} }
} }
impl From<FidoError> for Fido2LuksError {
fn from(e: FidoError) -> Self {
AuthenticatorError { cause: e }
}
}
impl From<LibcryptErr> for Fido2LuksError { impl From<LibcryptErr> for Fido2LuksError {
fn from(e: LibcryptErr) -> Self { fn from(e: LibcryptErr) -> Self {
match e { match e {

40
src/luks.rs
View File

@@ -1,9 +1,8 @@
use crate::error::*; use crate::error::*;
use libcryptsetup_rs::{ use libcryptsetup_rs::consts::flags::CryptActivate;
CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, use libcryptsetup_rs::consts::vals::{EncryptionFormat, KeyslotInfo};
EncryptionFormat, KeyslotInfo, TokenInput, use libcryptsetup_rs::{CryptDevice, CryptInit, CryptTokenInfo, TokenInput};
};
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use std::path::Path; use std::path::Path;
@@ -142,6 +141,7 @@ impl LuksDevice {
old_secret: &[u8], old_secret: &[u8],
iteration_time: Option<u64>, iteration_time: Option<u64>,
credential_id: Option<&[u8]>, credential_id: Option<&[u8]>,
comment: Option<String>,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
if let Some(millis) = iteration_time { if let Some(millis) = iteration_time {
self.device.settings_handle().set_iteration_time(millis) self.device.settings_handle().set_iteration_time(millis)
@@ -152,7 +152,7 @@ impl LuksDevice {
.add_by_passphrase(None, old_secret, secret)?; .add_by_passphrase(None, old_secret, secret)?;
if let Some(id) = credential_id { if let Some(id) = credential_id {
self.device.token_handle().json_set(TokenInput::AddToken( self.device.token_handle().json_set(TokenInput::AddToken(
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(), &serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(),
))?; ))?;
} }
@@ -204,7 +204,7 @@ impl LuksDevice {
None, None,
None, None,
old_secret, old_secret,
CryptActivateFlags::empty(), CryptActivate::empty(),
)?; )?;
// slot should stay the same but better be safe than sorry // slot should stay the same but better be safe than sorry
@@ -216,9 +216,18 @@ impl LuksDevice {
)? as u32; )? as u32;
if let Some(id) = credential_id { if let Some(id) = credential_id {
if self.is_luks2()? { if self.is_luks2()? {
let token = self.find_token(slot)?.map(|(t, _)| t); let (token_id, token_data) = match self.find_token(slot)? {
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(); Some((id, data)) => (Some(id), Some(data)),
if let Some(token) = token { _ => (None, None),
};
let json = serde_json::to_value(&Fido2LuksToken::new(
id,
slot,
// retain comment on replace
token_data.map(|data| data.comment).flatten(),
))
.unwrap();
if let Some(token) = token_id {
self.device self.device
.token_handle() .token_handle()
.json_set(TokenInput::ReplaceToken(token, &json))?; .json_set(TokenInput::ReplaceToken(token, &json))?;
@@ -240,9 +249,9 @@ impl LuksDevice {
dry_run: bool, dry_run: bool,
allow_discard: bool, allow_discard: bool,
) -> Fido2LuksResult<u32> { ) -> Fido2LuksResult<u32> {
let mut flags = CryptActivateFlags::empty(); let mut flags = CryptActivate::empty();
if allow_discard { if allow_discard {
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]); flags = flags | CryptActivate::ALLOW_DISCARDS;
} }
self.device self.device
.activate_handle() .activate_handle()
@@ -315,16 +324,19 @@ pub struct Fido2LuksToken {
pub type_: String, pub type_: String,
pub credential: HashSet<String>, pub credential: HashSet<String>,
pub keyslots: HashSet<String>, pub keyslots: HashSet<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
} }
impl Fido2LuksToken { impl Fido2LuksToken {
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self { pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self {
Self::with_credentials(std::iter::once(credential_id), slot) Self::with_credentials(std::iter::once(credential_id), slot, comment)
} }
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>( pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
credentials: I, credentials: I,
slot: u32, slot: u32,
comment: Option<String>,
) -> Self { ) -> Self {
Self { Self {
credential: credentials credential: credentials
@@ -332,6 +344,7 @@ impl Fido2LuksToken {
.map(|cred| hex::encode(cred.as_ref())) .map(|cred| hex::encode(cred.as_ref()))
.collect(), .collect(),
keyslots: vec![slot.to_string()].into_iter().collect(), keyslots: vec![slot.to_string()].into_iter().collect(),
comment,
..Default::default() ..Default::default()
} }
} }
@@ -346,6 +359,7 @@ impl Default for Fido2LuksToken {
type_: Self::default_type().into(), type_: Self::default_type().into(),
credential: HashSet::new(), credential: HashSet::new(),
keyslots: HashSet::new(), keyslots: HashSet::new(),
comment: None,
} }
} }
} }

1
src/main.rs
View File

@@ -1,6 +1,5 @@
#[macro_use] #[macro_use]
extern crate failure; extern crate failure;
extern crate ctap_hmac as ctap;
#[macro_use] #[macro_use]
extern crate serde_derive; extern crate serde_derive;
use crate::cli::*; use crate::cli::*;