Compare commits
17 Commits
retry_pin
...
0.3.0-alph
| Author | SHA1 | Date | |
|---|---|---|---|
acd4021e03
|
|||
|
238d877e2f
|
|||
|
93e8a33c0e
|
|||
|
fb60987468
|
||
|
871b2863b2
|
|||
|
f436ae538d
|
|||
|
17c96090bd
|
|||
|
fce6ea2e31
|
|||
|
b566af46f7
|
|||
|
1f0d555cea
|
|||
|
2255f224a5
|
|||
|
581e1780d1
|
|||
|
7daa5a3fdb
|
|||
|
4e986b8f05
|
|||
|
ca82293976
|
|||
|
d5b043840f
|
|||
|
eb8d65eb4f
|
32
.github/workflows/current.yml
vendored
Normal file
32
.github/workflows/current.yml
vendored
Normal file
@@ -0,0 +1,32 @@
|
||||
# This is a basic workflow to help you get started with Actions
|
||||
|
||||
name: Current
|
||||
|
||||
# Controls when the workflow will run
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 22 * * 6'
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
||||
jobs:
|
||||
# This workflow contains a single job called "build"
|
||||
build:
|
||||
# The type of runner that the job will run on
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps represent a sequence of tasks that will be executed as part of the job
|
||||
steps:
|
||||
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
|
||||
- uses: actions/checkout@v3
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@v4
|
||||
- name: Setup Attic cache
|
||||
uses: ryanccn/attic-action@v0
|
||||
with:
|
||||
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
|
||||
cache: ${{ secrets.ATTIC_CACHE }}
|
||||
token: ${{ secrets.ATTIC_TOKEN }}
|
||||
- name: Build Nix Package nixos-unstable
|
||||
run: nix build --override-input nixpkgs github:nixos/nixpkgs/nixos-unstable --show-trace
|
||||
33
.github/workflows/locked.yml
vendored
Normal file
33
.github/workflows/locked.yml
vendored
Normal file
@@ -0,0 +1,33 @@
|
||||
# This is a basic workflow to help you get started with Actions
|
||||
|
||||
name: Locked
|
||||
|
||||
# Controls when the workflow will run
|
||||
on:
|
||||
# Triggers the workflow on push or pull request events but only for the "master" branch
|
||||
push:
|
||||
branches: '*'
|
||||
pull_request:
|
||||
branches: '*'
|
||||
|
||||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
|
||||
jobs:
|
||||
# This workflow contains a single job called "build"
|
||||
build:
|
||||
# The type of runner that the job will run on
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
# Steps represent a sequence of tasks that will be executed as part of the job
|
||||
steps:
|
||||
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
|
||||
- uses: actions/checkout@v3
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@v4
|
||||
- name: Setup Attic cache
|
||||
uses: ryanccn/attic-action@v0
|
||||
with:
|
||||
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
|
||||
cache: ${{ secrets.ATTIC_CACHE }}
|
||||
token: ${{ secrets.ATTIC_TOKEN }}
|
||||
- name: Build Nix Package
|
||||
run: nix build -j 10 --show-trace
|
||||
1255
Cargo.lock
generated
1255
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
15
Cargo.toml
15
Cargo.toml
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "fido2luks"
|
||||
version = "0.3.0-alpha"
|
||||
version = "0.3.1-alpha"
|
||||
authors = ["shimunn <shimun@shimun.net>"]
|
||||
edition = "2018"
|
||||
|
||||
@@ -14,25 +14,26 @@ categories = ["command-line-utilities"]
|
||||
license = "MPL-2.0"
|
||||
|
||||
[dependencies]
|
||||
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
|
||||
hex = "0.3.2"
|
||||
ring = "0.13.5"
|
||||
ring = "0.16.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
structopt = "0.3.2"
|
||||
libcryptsetup-rs = "0.4.2"
|
||||
libcryptsetup-rs = "0.9.1"
|
||||
serde_json = "1.0.51"
|
||||
serde_derive = "1.0.116"
|
||||
serde = "1.0.116"
|
||||
anyhow = "1.0.56"
|
||||
ctap-hid-fido2 = "3.4.1"
|
||||
|
||||
[build-dependencies]
|
||||
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
|
||||
hex = "0.3.2"
|
||||
ring = "0.13.5"
|
||||
ring = "0.16.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
libcryptsetup-rs = "0.4.1"
|
||||
libcryptsetup-rs = "0.9.1"
|
||||
structopt = "0.3.2"
|
||||
anyhow = "1.0.56"
|
||||
|
||||
[profile.release]
|
||||
lto = true
|
||||
|
||||
8
build.rs
8
build.rs
@@ -1,7 +1,6 @@
|
||||
#![allow(warnings)]
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate ctap_hmac as ctap;
|
||||
|
||||
#[path = "src/cli_args/mod.rs"]
|
||||
mod cli_args;
|
||||
@@ -12,17 +11,22 @@ mod util;
|
||||
|
||||
use cli_args::Args;
|
||||
use std::env;
|
||||
use std::fs;
|
||||
use std::path::PathBuf;
|
||||
use std::str::FromStr;
|
||||
use structopt::clap::Shell;
|
||||
use structopt::StructOpt;
|
||||
|
||||
fn main() {
|
||||
let env_outdir = env::var_os("OUT_DIR").unwrap();
|
||||
let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
|
||||
fs::create_dir_all(&outdir).unwrap();
|
||||
// generate completion scripts, zsh does panic for some reason
|
||||
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
|
||||
Args::clap().gen_completions(
|
||||
env!("CARGO_PKG_NAME"),
|
||||
Shell::from_str(shell).unwrap(),
|
||||
env!("CARGO_MANIFEST_DIR"),
|
||||
&outdir,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
42
flake.lock
generated
42
flake.lock
generated
@@ -7,26 +7,26 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1639051343,
|
||||
"narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=",
|
||||
"owner": "nmattia",
|
||||
"lastModified": 1698420672,
|
||||
"narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74",
|
||||
"rev": "aeb58d5e8faead8980a807c840232697982d47b9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nmattia",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1638109994,
|
||||
"narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
|
||||
"lastModified": 1705496572,
|
||||
"narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
|
||||
"rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -41,13 +41,31 @@
|
||||
"utils": "utils"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1638122382,
|
||||
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705309234,
|
||||
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
|
||||
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
12
flake.nix
12
flake.nix
@@ -4,7 +4,7 @@
|
||||
inputs = {
|
||||
utils.url = "github:numtide/flake-utils";
|
||||
naersk = {
|
||||
url = "github:nmattia/naersk";
|
||||
url = "github:nix-community/naersk";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
@@ -16,17 +16,17 @@
|
||||
forPkgs = pkgs:
|
||||
let
|
||||
naersk-lib = naersk.lib."${pkgs.system}";
|
||||
buildInputs = with pkgs; [ cryptsetup ];
|
||||
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
|
||||
buildInputs = with pkgs; [ cryptsetup cryptsetup.dev udev.dev ];
|
||||
nativeBuildInputs = with pkgs; [
|
||||
pkgconfig
|
||||
rustPlatform.bindgenHook
|
||||
pkg-config
|
||||
clang
|
||||
];
|
||||
in
|
||||
rec {
|
||||
# `nix build`
|
||||
packages.${pname} = naersk-lib.buildPackage {
|
||||
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
|
||||
inherit pname root buildInputs nativeBuildInputs;
|
||||
};
|
||||
defaultPackage = packages.${pname};
|
||||
|
||||
@@ -51,7 +51,7 @@
|
||||
# `nix develop`
|
||||
devShell = pkgs.mkShell {
|
||||
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
|
||||
inherit buildInputs LIBCLANG_PATH;
|
||||
inherit buildInputs;
|
||||
};
|
||||
};
|
||||
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
|
||||
|
||||
89
src/cli.rs
89
src/cli.rs
@@ -4,14 +4,13 @@ use crate::util::sha256;
|
||||
use crate::*;
|
||||
pub use cli_args::Args;
|
||||
use cli_args::*;
|
||||
use ctap::{FidoCredential, FidoErrorKind};
|
||||
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
|
||||
use std::borrow::Cow;
|
||||
use std::collections::HashSet;
|
||||
use std::io::Write;
|
||||
use std::iter::FromIterator;
|
||||
use std::path::Path;
|
||||
use std::str::FromStr;
|
||||
use std::thread;
|
||||
use std::time::Duration;
|
||||
use std::time::SystemTime;
|
||||
use structopt::clap::Shell;
|
||||
@@ -26,31 +25,31 @@ fn derive_secret(
|
||||
salt: &[u8; 32],
|
||||
timeout: u64,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
|
||||
if credentials.is_empty() {
|
||||
return Err(Fido2LuksError::InsufficientCredentials);
|
||||
}
|
||||
let timeout = Duration::from_secs(timeout);
|
||||
let start = SystemTime::now();
|
||||
|
||||
while let Ok(el) = start.elapsed() {
|
||||
if el > timeout {
|
||||
return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
}
|
||||
if get_devices()
|
||||
.map(|devices| !devices.is_empty())
|
||||
.unwrap_or(false)
|
||||
{
|
||||
break;
|
||||
}
|
||||
thread::sleep(Duration::from_millis(500));
|
||||
}
|
||||
//while let Ok(el) = start.elapsed() {
|
||||
// if el > timeout {
|
||||
// return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
// }
|
||||
// if get_devices()
|
||||
// .map(|devices| !devices.is_empty())
|
||||
// .unwrap_or(false)
|
||||
// {
|
||||
// break;
|
||||
// }
|
||||
// thread::sleep(Duration::from_millis(500));
|
||||
//}
|
||||
|
||||
let credentials = credentials
|
||||
.iter()
|
||||
.map(|hex| FidoCredential {
|
||||
.map(|hex| PublicKeyCredentialDescriptor {
|
||||
id: hex.0.clone(),
|
||||
public_key: None,
|
||||
ctype: Default::default(),
|
||||
})
|
||||
.collect::<Vec<_>>();
|
||||
let credentials = credentials.iter().collect::<Vec<_>>();
|
||||
@@ -182,7 +181,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
} else {
|
||||
None
|
||||
};
|
||||
let cred = make_credential_id(Some(name.as_ref()), pin)?;
|
||||
let cred =
|
||||
make_credential_id(Some(name.as_str()).filter(|name| name.len() > 0), pin, &[])?;
|
||||
println!("{}", hex::encode(&cred.id));
|
||||
Ok(())
|
||||
}
|
||||
@@ -289,7 +289,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
|
||||
let other_secret = |salt_q: &str,
|
||||
verify: bool|
|
||||
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
|
||||
-> Fido2LuksResult<(
|
||||
Vec<u8>,
|
||||
Option<PublicKeyCredentialDescriptor>,
|
||||
)> {
|
||||
match other_secret {
|
||||
OtherSecret {
|
||||
keyfile: Some(file),
|
||||
@@ -314,10 +317,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
)),
|
||||
}
|
||||
};
|
||||
let secret = |q: &str,
|
||||
let secret =
|
||||
|q: &str,
|
||||
verify: bool,
|
||||
credentials: &[HexEncoded]|
|
||||
-> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
-> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
|
||||
let (pin, salt) = inputs(q, verify)?;
|
||||
prompt_interaction(interactive);
|
||||
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
|
||||
@@ -327,9 +331,24 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Command::AddKey {
|
||||
exclusive,
|
||||
generate_credential,
|
||||
comment,
|
||||
..
|
||||
} => {
|
||||
let (existing_secret, _) = other_secret("Current password", false)?;
|
||||
let (existing_secret, existing_credential) =
|
||||
other_secret("Current password", false)?;
|
||||
let excluded_credential = existing_credential.as_ref();
|
||||
let exclude_list = excluded_credential
|
||||
.as_ref()
|
||||
.map(core::slice::from_ref)
|
||||
.unwrap_or_default();
|
||||
existing_credential.iter().for_each(|cred| {
|
||||
log(&|| {
|
||||
format!(
|
||||
"using credential to unlock container: {}",
|
||||
hex::encode(&cred.id)
|
||||
)
|
||||
})
|
||||
});
|
||||
let (new_secret, cred) = if *generate_credential && luks2 {
|
||||
let cred = make_credential_id(
|
||||
Some(derive_credential_name(luks.device.as_path()).as_str()),
|
||||
@@ -340,6 +359,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
None
|
||||
})
|
||||
.as_deref(),
|
||||
dbg!(exclude_list),
|
||||
)?;
|
||||
log(&|| {
|
||||
format!(
|
||||
@@ -361,6 +381,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Some(&cred.id[..])
|
||||
.filter(|_| !luks.disable_token || *generate_credential)
|
||||
.filter(|_| luks2),
|
||||
comment.as_deref().map(String::from),
|
||||
)?;
|
||||
if *exclusive {
|
||||
let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
|
||||
@@ -396,6 +417,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
.filter(|_| !luks.disable_token)
|
||||
.filter(|_| luks2)
|
||||
.map(|cred| &cred.id[..]),
|
||||
None,
|
||||
)
|
||||
} else {
|
||||
let slot = luks_dev.replace_key(
|
||||
@@ -501,13 +523,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Err(e) => {
|
||||
match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => {}
|
||||
Fido2LuksError::AuthenticatorError { ref cause }
|
||||
if match cause.kind() {
|
||||
FidoErrorKind::Timeout => true,
|
||||
FidoErrorKind::CborError(e) if e.code() == 0x33 => true,
|
||||
_ => false,
|
||||
} && retries > 0 => {}
|
||||
|
||||
//Fido2LuksError::AuthenticatorError { ref cause }
|
||||
// if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
|
||||
e => return Err(e),
|
||||
};
|
||||
retries -= 1;
|
||||
@@ -548,8 +565,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
continue;
|
||||
}
|
||||
println!(
|
||||
"{}:\n\tSlots: {}\n\tCredentials: {}",
|
||||
"{}{}:\n\tSlots: {}\n\tCredentials: {}",
|
||||
id,
|
||||
token
|
||||
.comment
|
||||
.as_deref()
|
||||
.map(|comment| format!(" - {}", comment))
|
||||
.unwrap_or_default(),
|
||||
if token.keyslots.is_empty() {
|
||||
"None".into()
|
||||
} else {
|
||||
@@ -575,6 +597,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
TokenCommand::Add {
|
||||
device,
|
||||
credentials,
|
||||
comment,
|
||||
slot,
|
||||
} => {
|
||||
let mut dev = LuksDevice::load(device)?;
|
||||
@@ -586,7 +609,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
}
|
||||
}
|
||||
let count = if tokens.is_empty() {
|
||||
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
|
||||
dev.add_token(&Fido2LuksToken::with_credentials(
|
||||
&credentials.0,
|
||||
*slot,
|
||||
comment.as_deref().map(String::from),
|
||||
))?;
|
||||
1
|
||||
} else {
|
||||
tokens.len()
|
||||
|
||||
@@ -189,6 +189,9 @@ pub enum Command {
|
||||
luks: LuksParameters,
|
||||
#[structopt(flatten)]
|
||||
credentials: Credentials,
|
||||
/// Comment to be associated with this credential
|
||||
#[structopt(long = "comment")]
|
||||
comment: Option<String>,
|
||||
#[structopt(flatten)]
|
||||
authenticator: AuthenticatorParameters,
|
||||
#[structopt(flatten)]
|
||||
@@ -245,7 +248,7 @@ pub enum Command {
|
||||
#[structopt(long = "dry-run")]
|
||||
dry_run: bool,
|
||||
/// Pass SSD trim instructions to the underlying block device
|
||||
#[structopt(long = "allow-discards", env = "FIDO2LUKS_ALLOW_DISCARDS")]
|
||||
#[structopt(long = "allow-discards")]
|
||||
allow_discards: bool,
|
||||
},
|
||||
/// Generate a new FIDO credential
|
||||
@@ -254,7 +257,7 @@ pub enum Command {
|
||||
#[structopt(flatten)]
|
||||
authenticator: AuthenticatorParameters,
|
||||
/// Name to be displayed on the authenticator display
|
||||
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
|
||||
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")]
|
||||
name: String,
|
||||
},
|
||||
/// Check if an authenticator is connected
|
||||
@@ -295,6 +298,9 @@ pub enum TokenCommand {
|
||||
long = "creds"
|
||||
)]
|
||||
credentials: CommaSeparated<HexEncoded>,
|
||||
/// Comment to be associated with this credential
|
||||
#[structopt(long = "comment")]
|
||||
comment: Option<String>,
|
||||
/// Slot to which the credentials will be added
|
||||
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
|
||||
slot: u32,
|
||||
|
||||
159
src/device.rs
159
src/device.rs
@@ -1,84 +1,133 @@
|
||||
use crate::error::*;
|
||||
|
||||
use crate::util;
|
||||
use ctap::{
|
||||
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
|
||||
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
|
||||
};
|
||||
use ctap_hid_fido2;
|
||||
use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
|
||||
use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
|
||||
use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
|
||||
use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
|
||||
use ctap_hid_fido2::get_fidokey_devices;
|
||||
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
|
||||
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
|
||||
use ctap_hid_fido2::FidoKeyHidFactory;
|
||||
use ctap_hid_fido2::HidInfo;
|
||||
use ctap_hid_fido2::LibCfg;
|
||||
use std::time::Duration;
|
||||
|
||||
const RP_ID: &str = "fido2luks";
|
||||
|
||||
fn lib_cfg() -> LibCfg {
|
||||
let mut cfg = LibCfg::init();
|
||||
cfg.enable_log = false;
|
||||
cfg.keep_alive_msg = String::new();
|
||||
cfg
|
||||
}
|
||||
|
||||
pub fn make_credential_id(
|
||||
name: Option<&str>,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<FidoCredential> {
|
||||
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
|
||||
if let Some(user_name) = name {
|
||||
request = request.user_name(user_name);
|
||||
exclude: &[&PublicKeyCredentialDescriptor],
|
||||
) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
|
||||
let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
|
||||
.extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
|
||||
if let Some(pin) = pin {
|
||||
req = req.pin(pin);
|
||||
} else {
|
||||
req = req.without_pin_and_uv();
|
||||
}
|
||||
let request = request.build().unwrap();
|
||||
let make_credential = |device: &mut FidoDevice| {
|
||||
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
|
||||
device.unlock(pin)?;
|
||||
for cred in exclude {
|
||||
req = req.exclude_authenticator(cred.id.as_ref());
|
||||
}
|
||||
device.make_hmac_credential(&request)
|
||||
};
|
||||
Ok(request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &make_credential)),
|
||||
None,
|
||||
)?)
|
||||
if let Some(_) = name {
|
||||
req = req.user_entity(&PublicKeyCredentialUserEntity::new(
|
||||
Some(b"00"),
|
||||
name.clone(),
|
||||
name,
|
||||
));
|
||||
}
|
||||
let devices = get_devices()?;
|
||||
let mut err: Option<Fido2LuksError> = None;
|
||||
let req = req.build();
|
||||
for dev in devices {
|
||||
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
|
||||
match handle.make_credential_with_args(&req) {
|
||||
Ok(resp) => return Ok(resp.credential_descriptor),
|
||||
Err(e) => err = Some(e.into()),
|
||||
}
|
||||
}
|
||||
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
|
||||
}
|
||||
|
||||
pub fn perform_challenge<'a>(
|
||||
credentials: &'a [&'a FidoCredential],
|
||||
credentials: &'a [&'a PublicKeyCredentialDescriptor],
|
||||
salt: &[u8; 32],
|
||||
timeout: Duration,
|
||||
_timeout: Duration,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
|
||||
let request = FidoAssertionRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.credentials(credentials)
|
||||
.build()
|
||||
.unwrap();
|
||||
let get_assertion = |device: &mut FidoDevice| {
|
||||
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
|
||||
device.unlock(pin)?;
|
||||
) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
|
||||
if credentials.is_empty() {
|
||||
return Err(Fido2LuksError::InsufficientCredentials);
|
||||
}
|
||||
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
|
||||
let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
|
||||
get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
|
||||
]);
|
||||
for cred in credentials {
|
||||
req = req.add_credential_id(&cred.id);
|
||||
}
|
||||
if let Some(pin) = pin {
|
||||
req = req.pin(pin);
|
||||
} else {
|
||||
req = req.without_pin_and_uv();
|
||||
}
|
||||
let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
|
||||
for att in resp {
|
||||
for ext in att.extensions.iter() {
|
||||
match ext {
|
||||
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
|
||||
//TODO: eliminate unwrap
|
||||
let cred_used = credentials
|
||||
.iter()
|
||||
.copied()
|
||||
.find(|cred| {
|
||||
att.credential_id == cred.id
|
||||
})
|
||||
.unwrap();
|
||||
return Ok((secret.clone(), cred_used));
|
||||
}
|
||||
_ => continue,
|
||||
}
|
||||
}
|
||||
}
|
||||
Err(Fido2LuksError::WrongSecret)
|
||||
};
|
||||
let (credential, (secret, _)) = request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &get_assertion)),
|
||||
Some(timeout),
|
||||
)?;
|
||||
Ok((secret, credential))
|
||||
|
||||
let devices = get_devices()?;
|
||||
let mut err: Option<Fido2LuksError> = None;
|
||||
let req = req.build();
|
||||
for dev in devices {
|
||||
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
|
||||
match handle.get_assertion_with_args(&req) {
|
||||
Ok(resp) => return process_response(resp),
|
||||
Err(e) => err = Some(e.into()),
|
||||
}
|
||||
}
|
||||
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
|
||||
}
|
||||
|
||||
pub fn may_require_pin() -> Fido2LuksResult<bool> {
|
||||
for di in ctap::get_devices()? {
|
||||
if let Ok(dev) = FidoDevice::new(&di) {
|
||||
if dev.needs_pin() {
|
||||
for dev in get_devices()? {
|
||||
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
|
||||
let info = handle.get_info()?;
|
||||
let needs_pin = info
|
||||
.options
|
||||
.iter()
|
||||
.any(|(name, val)| &name[..] == "clientPin" && *val);
|
||||
if needs_pin {
|
||||
return Ok(true);
|
||||
}
|
||||
}
|
||||
}
|
||||
Ok(false)
|
||||
}
|
||||
|
||||
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
|
||||
let mut devices = Vec::with_capacity(2);
|
||||
for di in ctap::get_devices()? {
|
||||
match FidoDevice::new(&di) {
|
||||
Err(e) => match e.kind() {
|
||||
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
|
||||
err => return Err(FidoError::from(err).into()),
|
||||
},
|
||||
Ok(dev) => devices.push(dev),
|
||||
}
|
||||
}
|
||||
Ok(devices)
|
||||
pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> {
|
||||
Ok(get_fidokey_devices())
|
||||
}
|
||||
|
||||
16
src/error.rs
16
src/error.rs
@@ -1,4 +1,4 @@
|
||||
use ctap::FidoError;
|
||||
use anyhow;
|
||||
use libcryptsetup_rs::LibcryptErr;
|
||||
use std::io;
|
||||
use std::io::ErrorKind;
|
||||
@@ -14,7 +14,7 @@ pub enum Fido2LuksError {
|
||||
#[fail(display = "unable to read keyfile: {}", cause)]
|
||||
KeyfileError { cause: io::Error },
|
||||
#[fail(display = "authenticator error: {}", cause)]
|
||||
AuthenticatorError { cause: ctap::FidoError },
|
||||
AuthenticatorError { cause: anyhow::Error },
|
||||
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
|
||||
NoAuthenticatorError,
|
||||
#[fail(display = " {}", cause)]
|
||||
@@ -35,6 +35,12 @@ pub enum Fido2LuksError {
|
||||
InsufficientCredentials,
|
||||
}
|
||||
|
||||
impl From<anyhow::Error> for Fido2LuksError {
|
||||
fn from(cause: anyhow::Error) -> Self {
|
||||
Fido2LuksError::AuthenticatorError { cause }
|
||||
}
|
||||
}
|
||||
|
||||
impl Fido2LuksError {
|
||||
pub fn exit_code(&self) -> i32 {
|
||||
use Fido2LuksError::*;
|
||||
@@ -91,12 +97,6 @@ impl From<LuksError> for Fido2LuksError {
|
||||
}
|
||||
}
|
||||
|
||||
impl From<FidoError> for Fido2LuksError {
|
||||
fn from(e: FidoError) -> Self {
|
||||
AuthenticatorError { cause: e }
|
||||
}
|
||||
}
|
||||
|
||||
impl From<LibcryptErr> for Fido2LuksError {
|
||||
fn from(e: LibcryptErr) -> Self {
|
||||
match e {
|
||||
|
||||
40
src/luks.rs
40
src/luks.rs
@@ -1,9 +1,8 @@
|
||||
use crate::error::*;
|
||||
|
||||
use libcryptsetup_rs::{
|
||||
CryptActivateFlag, CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo,
|
||||
EncryptionFormat, KeyslotInfo, TokenInput,
|
||||
};
|
||||
use libcryptsetup_rs::consts::flags::CryptActivate;
|
||||
use libcryptsetup_rs::consts::vals::{EncryptionFormat, KeyslotInfo};
|
||||
use libcryptsetup_rs::{CryptDevice, CryptInit, CryptTokenInfo, TokenInput};
|
||||
use std::collections::{HashMap, HashSet};
|
||||
use std::path::Path;
|
||||
|
||||
@@ -142,6 +141,7 @@ impl LuksDevice {
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
comment: Option<String>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
if let Some(millis) = iteration_time {
|
||||
self.device.settings_handle().set_iteration_time(millis)
|
||||
@@ -152,7 +152,7 @@ impl LuksDevice {
|
||||
.add_by_passphrase(None, old_secret, secret)?;
|
||||
if let Some(id) = credential_id {
|
||||
self.device.token_handle().json_set(TokenInput::AddToken(
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(),
|
||||
))?;
|
||||
}
|
||||
|
||||
@@ -204,7 +204,7 @@ impl LuksDevice {
|
||||
None,
|
||||
None,
|
||||
old_secret,
|
||||
CryptActivateFlags::empty(),
|
||||
CryptActivate::empty(),
|
||||
)?;
|
||||
|
||||
// slot should stay the same but better be safe than sorry
|
||||
@@ -216,9 +216,18 @@ impl LuksDevice {
|
||||
)? as u32;
|
||||
if let Some(id) = credential_id {
|
||||
if self.is_luks2()? {
|
||||
let token = self.find_token(slot)?.map(|(t, _)| t);
|
||||
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
|
||||
if let Some(token) = token {
|
||||
let (token_id, token_data) = match self.find_token(slot)? {
|
||||
Some((id, data)) => (Some(id), Some(data)),
|
||||
_ => (None, None),
|
||||
};
|
||||
let json = serde_json::to_value(&Fido2LuksToken::new(
|
||||
id,
|
||||
slot,
|
||||
// retain comment on replace
|
||||
token_data.map(|data| data.comment).flatten(),
|
||||
))
|
||||
.unwrap();
|
||||
if let Some(token) = token_id {
|
||||
self.device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::ReplaceToken(token, &json))?;
|
||||
@@ -240,9 +249,9 @@ impl LuksDevice {
|
||||
dry_run: bool,
|
||||
allow_discard: bool,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
let mut flags = CryptActivateFlags::empty();
|
||||
let mut flags = CryptActivate::empty();
|
||||
if allow_discard {
|
||||
flags = CryptActivateFlags::new(vec![CryptActivateFlag::AllowDiscards]);
|
||||
flags = flags | CryptActivate::ALLOW_DISCARDS;
|
||||
}
|
||||
self.device
|
||||
.activate_handle()
|
||||
@@ -315,16 +324,19 @@ pub struct Fido2LuksToken {
|
||||
pub type_: String,
|
||||
pub credential: HashSet<String>,
|
||||
pub keyslots: HashSet<String>,
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub comment: Option<String>,
|
||||
}
|
||||
|
||||
impl Fido2LuksToken {
|
||||
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
|
||||
Self::with_credentials(std::iter::once(credential_id), slot)
|
||||
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self {
|
||||
Self::with_credentials(std::iter::once(credential_id), slot, comment)
|
||||
}
|
||||
|
||||
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
|
||||
credentials: I,
|
||||
slot: u32,
|
||||
comment: Option<String>,
|
||||
) -> Self {
|
||||
Self {
|
||||
credential: credentials
|
||||
@@ -332,6 +344,7 @@ impl Fido2LuksToken {
|
||||
.map(|cred| hex::encode(cred.as_ref()))
|
||||
.collect(),
|
||||
keyslots: vec![slot.to_string()].into_iter().collect(),
|
||||
comment,
|
||||
..Default::default()
|
||||
}
|
||||
}
|
||||
@@ -346,6 +359,7 @@ impl Default for Fido2LuksToken {
|
||||
type_: Self::default_type().into(),
|
||||
credential: HashSet::new(),
|
||||
keyslots: HashSet::new(),
|
||||
comment: None,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate ctap_hmac as ctap;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
use crate::cli::*;
|
||||
|
||||
Reference in New Issue
Block a user