Compare commits
13 Commits
retry_pin
...
ctap-hid-f
| Author | SHA1 | Date | |
|---|---|---|---|
871b2863b2
|
|||
|
f436ae538d
|
|||
|
17c96090bd
|
|||
|
fce6ea2e31
|
|||
|
b566af46f7
|
|||
|
1f0d555cea
|
|||
|
2255f224a5
|
|||
|
581e1780d1
|
|||
|
7daa5a3fdb
|
|||
|
4e986b8f05
|
|||
|
ca82293976
|
|||
|
d5b043840f
|
|||
|
eb8d65eb4f
|
1238
Cargo.lock
generated
1238
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
15
Cargo.toml
15
Cargo.toml
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "fido2luks"
|
||||
version = "0.3.0-alpha"
|
||||
version = "0.3.1-alpha"
|
||||
authors = ["shimunn <shimun@shimun.net>"]
|
||||
edition = "2018"
|
||||
|
||||
@@ -14,24 +14,25 @@ categories = ["command-line-utilities"]
|
||||
license = "MPL-2.0"
|
||||
|
||||
[dependencies]
|
||||
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
|
||||
hex = "0.3.2"
|
||||
ring = "0.13.5"
|
||||
ring = "0.16.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
structopt = "0.3.2"
|
||||
libcryptsetup-rs = "0.4.2"
|
||||
serde_json = "1.0.51"
|
||||
serde_derive = "1.0.116"
|
||||
serde = "1.0.116"
|
||||
anyhow = "1.0.56"
|
||||
ctap-hid-fido2 = "3.4.1"
|
||||
libcryptsetup-rs = "0.5.1"
|
||||
|
||||
[build-dependencies]
|
||||
ctap_hmac = { version="0.4.5", features = ["request_multiple"] }
|
||||
hex = "0.3.2"
|
||||
ring = "0.13.5"
|
||||
ring = "0.16.5"
|
||||
failure = "0.1.5"
|
||||
rpassword = "4.0.1"
|
||||
libcryptsetup-rs = "0.4.1"
|
||||
anyhow = "1.0.56"
|
||||
libcryptsetup-rs = "0.5.1"
|
||||
structopt = "0.3.2"
|
||||
|
||||
[profile.release]
|
||||
|
||||
8
build.rs
8
build.rs
@@ -1,7 +1,6 @@
|
||||
#![allow(warnings)]
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate ctap_hmac as ctap;
|
||||
|
||||
#[path = "src/cli_args/mod.rs"]
|
||||
mod cli_args;
|
||||
@@ -12,17 +11,22 @@ mod util;
|
||||
|
||||
use cli_args::Args;
|
||||
use std::env;
|
||||
use std::fs;
|
||||
use std::path::PathBuf;
|
||||
use std::str::FromStr;
|
||||
use structopt::clap::Shell;
|
||||
use structopt::StructOpt;
|
||||
|
||||
fn main() {
|
||||
let env_outdir = env::var_os("OUT_DIR").unwrap();
|
||||
let outdir = PathBuf::from(PathBuf::from(env_outdir).ancestors().nth(3).unwrap());
|
||||
fs::create_dir_all(&outdir).unwrap();
|
||||
// generate completion scripts, zsh does panic for some reason
|
||||
for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
|
||||
Args::clap().gen_completions(
|
||||
env!("CARGO_PKG_NAME"),
|
||||
Shell::from_str(shell).unwrap(),
|
||||
env!("CARGO_MANIFEST_DIR"),
|
||||
&outdir,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
18
flake.lock
generated
18
flake.lock
generated
@@ -7,11 +7,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1639051343,
|
||||
"narHash": "sha256-62qARP+5Q0GmudcpuQHJP3/yXIgmUVoHR4orD/+FAC4=",
|
||||
"lastModified": 1639947939,
|
||||
"narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
|
||||
"owner": "nmattia",
|
||||
"repo": "naersk",
|
||||
"rev": "ebde51ec0eec82dc71eaca03bc24cf8eb44a3d74",
|
||||
"rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -22,11 +22,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1638109994,
|
||||
"narHash": "sha256-OpA37PTiPMIqoRJbufbl5rOLII7HeeGcA0yl7FoyCIE=",
|
||||
"lastModified": 1647282937,
|
||||
"narHash": "sha256-K8Oo6QyFCfiEWTRpQVfzcwI3YNMKlz6Tu8rr+o3rzRQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a284564b7f75ac4db73607db02076e8da9d42c9d",
|
||||
"rev": "64fc73bd74f04d3e10cb4e70e1c65b92337e76db",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -43,11 +43,11 @@
|
||||
},
|
||||
"utils": {
|
||||
"locked": {
|
||||
"lastModified": 1638122382,
|
||||
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
|
||||
"lastModified": 1644229661,
|
||||
"narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
|
||||
"rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
91
flake.nix
91
flake.nix
@@ -9,32 +9,42 @@
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, utils, naersk }:
|
||||
outputs = inputs @ { self, nixpkgs, utils, naersk, ... }:
|
||||
let
|
||||
root = ./.;
|
||||
pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
|
||||
forPkgs = pkgs:
|
||||
let
|
||||
naersk-lib = naersk.lib."${pkgs.system}";
|
||||
buildInputs = with pkgs; [ cryptsetup ];
|
||||
LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
|
||||
nativeBuildInputs = with pkgs; [
|
||||
pkgconfig
|
||||
clang
|
||||
];
|
||||
in
|
||||
root = inputs.source or self;
|
||||
pname = (builtins.fromTOML (builtins.readFile (root + "/Cargo.toml"))).package.name;
|
||||
# toolchains: stable, beta, default(nightly)
|
||||
toolchain = pkgs: if inputs ? fenix then inputs.fenix.packages."${pkgs.system}".complete.toolchain
|
||||
else with pkgs; symlinkJoin { name = "rust-toolchain"; paths = [ rustc cargo ]; };
|
||||
forSystem = system:
|
||||
let
|
||||
pkgs = nixpkgs.legacyPackages."${system}";
|
||||
in
|
||||
rec {
|
||||
# `nix build`
|
||||
packages.${pname} = naersk-lib.buildPackage {
|
||||
inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
|
||||
};
|
||||
defaultPackage = packages.${pname};
|
||||
packages.${pname} = (self.overlay pkgs pkgs).${pname};
|
||||
|
||||
packages.dockerImage = pkgs.runCommandLocal "docker-${pname}.tar.gz" {} "${apps.streamDockerImage.program} | gzip --fast > $out";
|
||||
|
||||
packages.default = packages.${pname};
|
||||
|
||||
# `nix run`
|
||||
apps.${pname} = utils.lib.mkApp {
|
||||
drv = packages.${pname};
|
||||
};
|
||||
defaultApp = apps.${pname};
|
||||
|
||||
# `nix run .#streamDockerImage | docker load`
|
||||
apps.streamDockerImage = utils.lib.mkApp {
|
||||
drv = with pkgs; dockerTools.streamLayeredImage {
|
||||
name = pname;
|
||||
tag = self.shortRev or "latest";
|
||||
config = {
|
||||
Entrypoint = apps.default.program;
|
||||
};
|
||||
};
|
||||
exePath = "";
|
||||
};
|
||||
apps.default = apps.${pname};
|
||||
|
||||
# `nix flake check`
|
||||
checks = {
|
||||
@@ -49,15 +59,42 @@
|
||||
hydraJobs = checks // packages;
|
||||
|
||||
# `nix develop`
|
||||
devShell = pkgs.mkShell {
|
||||
nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
|
||||
inherit buildInputs LIBCLANG_PATH;
|
||||
devShell = pkgs.mkShell rec {
|
||||
RUST_SRC_PATH = "${if inputs ? fenix then "${toolchain pkgs}/lib/rustlib" else pkgs.rustPlatform.rustLibSrc}";
|
||||
nativeBuildInputs = with pkgs; [ (toolchain pkgs) cargo-edit rustfmt nixpkgs-fmt ] ++ packages.default.nativeBuildInputs;
|
||||
inherit (packages.default) buildInputs LIBCLANG_PATH;
|
||||
shellHook = ''
|
||||
printf "Rust version:"
|
||||
rustc --version
|
||||
printf "\nbuild inputs: ${pkgs.lib.concatStringsSep ", " (map (bi: bi.name) (buildInputs ++ nativeBuildInputs))}"
|
||||
'';
|
||||
};
|
||||
};
|
||||
forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
|
||||
in
|
||||
(utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
|
||||
overlay = final: prev: (forPkgs final).packages;
|
||||
};
|
||||
|
||||
};
|
||||
in
|
||||
(utils.lib.eachDefaultSystem forSystem) // {
|
||||
overlays.pinned = final: prev: (self.overlay final (import nixpkgs {
|
||||
inherit (final) localSystem;
|
||||
})).packages;
|
||||
overlay = final: prev:
|
||||
let
|
||||
naersk-lib = naersk.lib."${final.system}".override {
|
||||
rustc = toolchain prev;
|
||||
cargo = toolchain prev;
|
||||
};
|
||||
buildInputs = with prev; [
|
||||
udev cryptsetup.dev
|
||||
];
|
||||
nativeBuildInputs = with prev; [
|
||||
pkg-config clang
|
||||
];
|
||||
in
|
||||
{
|
||||
"${pname}" =
|
||||
naersk-lib.buildPackage {
|
||||
LIBCLANG_PATH = "${final.llvmPackages.libclang.lib}/lib";
|
||||
inherit pname root buildInputs nativeBuildInputs;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
101
src/cli.rs
101
src/cli.rs
@@ -4,14 +4,13 @@ use crate::util::sha256;
|
||||
use crate::*;
|
||||
pub use cli_args::Args;
|
||||
use cli_args::*;
|
||||
use ctap::{FidoCredential, FidoErrorKind};
|
||||
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
|
||||
use std::borrow::Cow;
|
||||
use std::collections::HashSet;
|
||||
use std::io::Write;
|
||||
use std::iter::FromIterator;
|
||||
use std::path::Path;
|
||||
use std::str::FromStr;
|
||||
use std::thread;
|
||||
use std::time::Duration;
|
||||
use std::time::SystemTime;
|
||||
use structopt::clap::Shell;
|
||||
@@ -26,31 +25,31 @@ fn derive_secret(
|
||||
salt: &[u8; 32],
|
||||
timeout: u64,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
) -> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
|
||||
if credentials.is_empty() {
|
||||
return Err(Fido2LuksError::InsufficientCredentials);
|
||||
}
|
||||
let timeout = Duration::from_secs(timeout);
|
||||
let start = SystemTime::now();
|
||||
|
||||
while let Ok(el) = start.elapsed() {
|
||||
if el > timeout {
|
||||
return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
}
|
||||
if get_devices()
|
||||
.map(|devices| !devices.is_empty())
|
||||
.unwrap_or(false)
|
||||
{
|
||||
break;
|
||||
}
|
||||
thread::sleep(Duration::from_millis(500));
|
||||
}
|
||||
//while let Ok(el) = start.elapsed() {
|
||||
// if el > timeout {
|
||||
// return Err(error::Fido2LuksError::NoAuthenticatorError);
|
||||
// }
|
||||
// if get_devices()
|
||||
// .map(|devices| !devices.is_empty())
|
||||
// .unwrap_or(false)
|
||||
// {
|
||||
// break;
|
||||
// }
|
||||
// thread::sleep(Duration::from_millis(500));
|
||||
//}
|
||||
|
||||
let credentials = credentials
|
||||
.iter()
|
||||
.map(|hex| FidoCredential {
|
||||
.map(|hex| PublicKeyCredentialDescriptor {
|
||||
id: hex.0.clone(),
|
||||
public_key: None,
|
||||
ctype: Default::default(),
|
||||
})
|
||||
.collect::<Vec<_>>();
|
||||
let credentials = credentials.iter().collect::<Vec<_>>();
|
||||
@@ -182,7 +181,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
} else {
|
||||
None
|
||||
};
|
||||
let cred = make_credential_id(Some(name.as_ref()), pin)?;
|
||||
let cred =
|
||||
make_credential_id(Some(name.as_str()).filter(|name| name.len() > 0), pin, &[])?;
|
||||
println!("{}", hex::encode(&cred.id));
|
||||
Ok(())
|
||||
}
|
||||
@@ -289,7 +289,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
|
||||
let other_secret = |salt_q: &str,
|
||||
verify: bool|
|
||||
-> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
|
||||
-> Fido2LuksResult<(
|
||||
Vec<u8>,
|
||||
Option<PublicKeyCredentialDescriptor>,
|
||||
)> {
|
||||
match other_secret {
|
||||
OtherSecret {
|
||||
keyfile: Some(file),
|
||||
@@ -314,22 +317,38 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
)),
|
||||
}
|
||||
};
|
||||
let secret = |q: &str,
|
||||
verify: bool,
|
||||
credentials: &[HexEncoded]|
|
||||
-> Fido2LuksResult<([u8; 32], FidoCredential)> {
|
||||
let (pin, salt) = inputs(q, verify)?;
|
||||
prompt_interaction(interactive);
|
||||
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
|
||||
};
|
||||
let secret =
|
||||
|q: &str,
|
||||
verify: bool,
|
||||
credentials: &[HexEncoded]|
|
||||
-> Fido2LuksResult<([u8; 32], PublicKeyCredentialDescriptor)> {
|
||||
let (pin, salt) = inputs(q, verify)?;
|
||||
prompt_interaction(interactive);
|
||||
derive_secret(credentials, &salt, authenticator.await_time, pin.as_deref())
|
||||
};
|
||||
// Non overlap
|
||||
match &args.command {
|
||||
Command::AddKey {
|
||||
exclusive,
|
||||
generate_credential,
|
||||
comment,
|
||||
..
|
||||
} => {
|
||||
let (existing_secret, _) = other_secret("Current password", false)?;
|
||||
let (existing_secret, existing_credential) =
|
||||
other_secret("Current password", false)?;
|
||||
let excluded_credential = existing_credential.as_ref();
|
||||
let exclude_list = excluded_credential
|
||||
.as_ref()
|
||||
.map(core::slice::from_ref)
|
||||
.unwrap_or_default();
|
||||
existing_credential.iter().for_each(|cred| {
|
||||
log(&|| {
|
||||
format!(
|
||||
"using credential to unlock container: {}",
|
||||
hex::encode(&cred.id)
|
||||
)
|
||||
})
|
||||
});
|
||||
let (new_secret, cred) = if *generate_credential && luks2 {
|
||||
let cred = make_credential_id(
|
||||
Some(derive_credential_name(luks.device.as_path()).as_str()),
|
||||
@@ -340,6 +359,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
None
|
||||
})
|
||||
.as_deref(),
|
||||
dbg!(exclude_list),
|
||||
)?;
|
||||
log(&|| {
|
||||
format!(
|
||||
@@ -361,6 +381,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Some(&cred.id[..])
|
||||
.filter(|_| !luks.disable_token || *generate_credential)
|
||||
.filter(|_| luks2),
|
||||
comment.as_deref().map(String::from),
|
||||
)?;
|
||||
if *exclusive {
|
||||
let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
|
||||
@@ -396,6 +417,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
.filter(|_| !luks.disable_token)
|
||||
.filter(|_| luks2)
|
||||
.map(|cred| &cred.id[..]),
|
||||
None,
|
||||
)
|
||||
} else {
|
||||
let slot = luks_dev.replace_key(
|
||||
@@ -501,13 +523,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
Err(e) => {
|
||||
match e {
|
||||
Fido2LuksError::WrongSecret if retries > 0 => {}
|
||||
Fido2LuksError::AuthenticatorError { ref cause }
|
||||
if match cause.kind() {
|
||||
FidoErrorKind::Timeout => true,
|
||||
FidoErrorKind::CborError(e) if e.code() == 0x33 => true,
|
||||
_ => false,
|
||||
} && retries > 0 => {}
|
||||
|
||||
//Fido2LuksError::AuthenticatorError { ref cause }
|
||||
// if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
|
||||
e => return Err(e),
|
||||
};
|
||||
retries -= 1;
|
||||
@@ -548,8 +565,13 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
continue;
|
||||
}
|
||||
println!(
|
||||
"{}:\n\tSlots: {}\n\tCredentials: {}",
|
||||
"{}{}:\n\tSlots: {}\n\tCredentials: {}",
|
||||
id,
|
||||
token
|
||||
.comment
|
||||
.as_deref()
|
||||
.map(|comment| format!(" - {}", comment))
|
||||
.unwrap_or_default(),
|
||||
if token.keyslots.is_empty() {
|
||||
"None".into()
|
||||
} else {
|
||||
@@ -575,6 +597,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
TokenCommand::Add {
|
||||
device,
|
||||
credentials,
|
||||
comment,
|
||||
slot,
|
||||
} => {
|
||||
let mut dev = LuksDevice::load(device)?;
|
||||
@@ -586,7 +609,11 @@ pub fn run_cli() -> Fido2LuksResult<()> {
|
||||
}
|
||||
}
|
||||
let count = if tokens.is_empty() {
|
||||
dev.add_token(&Fido2LuksToken::with_credentials(&credentials.0, *slot))?;
|
||||
dev.add_token(&Fido2LuksToken::with_credentials(
|
||||
&credentials.0,
|
||||
*slot,
|
||||
comment.as_deref().map(String::from),
|
||||
))?;
|
||||
1
|
||||
} else {
|
||||
tokens.len()
|
||||
|
||||
@@ -189,6 +189,9 @@ pub enum Command {
|
||||
luks: LuksParameters,
|
||||
#[structopt(flatten)]
|
||||
credentials: Credentials,
|
||||
/// Comment to be associated with this credential
|
||||
#[structopt(long = "comment")]
|
||||
comment: Option<String>,
|
||||
#[structopt(flatten)]
|
||||
authenticator: AuthenticatorParameters,
|
||||
#[structopt(flatten)]
|
||||
@@ -245,7 +248,7 @@ pub enum Command {
|
||||
#[structopt(long = "dry-run")]
|
||||
dry_run: bool,
|
||||
/// Pass SSD trim instructions to the underlying block device
|
||||
#[structopt(long = "allow-discards", env = "FIDO2LUKS_ALLOW_DISCARDS")]
|
||||
#[structopt(long = "allow-discards")]
|
||||
allow_discards: bool,
|
||||
},
|
||||
/// Generate a new FIDO credential
|
||||
@@ -254,7 +257,7 @@ pub enum Command {
|
||||
#[structopt(flatten)]
|
||||
authenticator: AuthenticatorParameters,
|
||||
/// Name to be displayed on the authenticator display
|
||||
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "fido2luks")]
|
||||
#[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME", default_value = "")]
|
||||
name: String,
|
||||
},
|
||||
/// Check if an authenticator is connected
|
||||
@@ -295,6 +298,9 @@ pub enum TokenCommand {
|
||||
long = "creds"
|
||||
)]
|
||||
credentials: CommaSeparated<HexEncoded>,
|
||||
/// Comment to be associated with this credential
|
||||
#[structopt(long = "comment")]
|
||||
comment: Option<String>,
|
||||
/// Slot to which the credentials will be added
|
||||
#[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
|
||||
slot: u32,
|
||||
|
||||
161
src/device.rs
161
src/device.rs
@@ -1,84 +1,133 @@
|
||||
use crate::error::*;
|
||||
|
||||
use crate::util;
|
||||
use ctap::{
|
||||
self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
|
||||
FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
|
||||
};
|
||||
use ctap_hid_fido2;
|
||||
use ctap_hid_fido2::fidokey::get_assertion::get_assertion_params;
|
||||
use ctap_hid_fido2::fidokey::make_credential::make_credential_params;
|
||||
use ctap_hid_fido2::fidokey::GetAssertionArgsBuilder;
|
||||
use ctap_hid_fido2::fidokey::MakeCredentialArgsBuilder;
|
||||
use ctap_hid_fido2::get_fidokey_devices;
|
||||
use ctap_hid_fido2::public_key_credential_descriptor::PublicKeyCredentialDescriptor;
|
||||
use ctap_hid_fido2::public_key_credential_user_entity::PublicKeyCredentialUserEntity;
|
||||
use ctap_hid_fido2::FidoKeyHidFactory;
|
||||
use ctap_hid_fido2::HidInfo;
|
||||
use ctap_hid_fido2::LibCfg;
|
||||
use std::time::Duration;
|
||||
|
||||
const RP_ID: &str = "fido2luks";
|
||||
|
||||
fn lib_cfg() -> LibCfg {
|
||||
let mut cfg = LibCfg::init();
|
||||
cfg.enable_log = false;
|
||||
cfg.keep_alive_msg = String::new();
|
||||
cfg
|
||||
}
|
||||
|
||||
pub fn make_credential_id(
|
||||
name: Option<&str>,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<FidoCredential> {
|
||||
let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
|
||||
if let Some(user_name) = name {
|
||||
request = request.user_name(user_name);
|
||||
exclude: &[&PublicKeyCredentialDescriptor],
|
||||
) -> Fido2LuksResult<PublicKeyCredentialDescriptor> {
|
||||
let mut req = MakeCredentialArgsBuilder::new(RP_ID, &[])
|
||||
.extensions(&[make_credential_params::Extension::HmacSecret(Some(true))]);
|
||||
if let Some(pin) = pin {
|
||||
req = req.pin(pin);
|
||||
} else {
|
||||
req = req.without_pin_and_uv();
|
||||
}
|
||||
let request = request.build().unwrap();
|
||||
let make_credential = |device: &mut FidoDevice| {
|
||||
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
|
||||
device.unlock(pin)?;
|
||||
for cred in exclude {
|
||||
req = req.exclude_authenticator(cred.id.as_ref());
|
||||
}
|
||||
if let Some(_) = name {
|
||||
req = req.user_entity(&PublicKeyCredentialUserEntity::new(
|
||||
Some(b"00"),
|
||||
name.clone(),
|
||||
name,
|
||||
));
|
||||
}
|
||||
let devices = get_devices()?;
|
||||
let mut err: Option<Fido2LuksError> = None;
|
||||
let req = req.build();
|
||||
for dev in devices {
|
||||
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
|
||||
match handle.make_credential_with_args(&req) {
|
||||
Ok(resp) => return Ok(resp.credential_descriptor),
|
||||
Err(e) => err = Some(e.into()),
|
||||
}
|
||||
device.make_hmac_credential(&request)
|
||||
};
|
||||
Ok(request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &make_credential)),
|
||||
None,
|
||||
)?)
|
||||
}
|
||||
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
|
||||
}
|
||||
|
||||
pub fn perform_challenge<'a>(
|
||||
credentials: &'a [&'a FidoCredential],
|
||||
credentials: &'a [&'a PublicKeyCredentialDescriptor],
|
||||
salt: &[u8; 32],
|
||||
timeout: Duration,
|
||||
_timeout: Duration,
|
||||
pin: Option<&str>,
|
||||
) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
|
||||
let request = FidoAssertionRequestBuilder::default()
|
||||
.rp_id(RP_ID)
|
||||
.credentials(credentials)
|
||||
.build()
|
||||
.unwrap();
|
||||
let get_assertion = |device: &mut FidoDevice| {
|
||||
if let Some(pin) = pin.filter(|_| device.needs_pin()) {
|
||||
device.unlock(pin)?;
|
||||
) -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
|
||||
if credentials.is_empty() {
|
||||
return Err(Fido2LuksError::InsufficientCredentials);
|
||||
}
|
||||
let mut req = GetAssertionArgsBuilder::new(RP_ID, &[]).extensions(&[
|
||||
get_assertion_params::Extension::HmacSecret(Some(util::sha256(&[&salt[..]]))),
|
||||
]);
|
||||
for cred in credentials {
|
||||
req = req.add_credential_id(&cred.id);
|
||||
}
|
||||
if let Some(pin) = pin {
|
||||
req = req.pin(pin);
|
||||
} else {
|
||||
req = req.without_pin_and_uv();
|
||||
}
|
||||
let process_response = |resp: Vec<get_assertion_params::Assertion>| -> Fido2LuksResult<([u8; 32], &'a PublicKeyCredentialDescriptor)> {
|
||||
for att in resp {
|
||||
for ext in att.extensions.iter() {
|
||||
match ext {
|
||||
get_assertion_params::Extension::HmacSecret(Some(secret)) => {
|
||||
//TODO: eliminate unwrap
|
||||
let cred_used = credentials
|
||||
.iter()
|
||||
.copied()
|
||||
.find(|cred| {
|
||||
att.credential_id == cred.id
|
||||
})
|
||||
.unwrap();
|
||||
return Ok((secret.clone(), cred_used));
|
||||
}
|
||||
_ => continue,
|
||||
}
|
||||
}
|
||||
device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
|
||||
}
|
||||
Err(Fido2LuksError::WrongSecret)
|
||||
};
|
||||
let (credential, (secret, _)) = request_multiple_devices(
|
||||
get_devices()?
|
||||
.iter_mut()
|
||||
.map(|device| (device, &get_assertion)),
|
||||
Some(timeout),
|
||||
)?;
|
||||
Ok((secret, credential))
|
||||
|
||||
let devices = get_devices()?;
|
||||
let mut err: Option<Fido2LuksError> = None;
|
||||
let req = req.build();
|
||||
for dev in devices {
|
||||
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
|
||||
match handle.get_assertion_with_args(&req) {
|
||||
Ok(resp) => return process_response(resp),
|
||||
Err(e) => err = Some(e.into()),
|
||||
}
|
||||
}
|
||||
Err(err.unwrap_or(Fido2LuksError::NoAuthenticatorError))
|
||||
}
|
||||
|
||||
pub fn may_require_pin() -> Fido2LuksResult<bool> {
|
||||
for di in ctap::get_devices()? {
|
||||
if let Ok(dev) = FidoDevice::new(&di) {
|
||||
if dev.needs_pin() {
|
||||
return Ok(true);
|
||||
}
|
||||
for dev in get_devices()? {
|
||||
let handle = FidoKeyHidFactory::create_by_params(&vec![dev.param], &lib_cfg()).unwrap();
|
||||
let info = handle.get_info()?;
|
||||
let needs_pin = info
|
||||
.options
|
||||
.iter()
|
||||
.any(|(name, val)| &name[..] == "clientPin" && *val);
|
||||
if needs_pin {
|
||||
return Ok(true);
|
||||
}
|
||||
}
|
||||
Ok(false)
|
||||
}
|
||||
|
||||
pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
|
||||
let mut devices = Vec::with_capacity(2);
|
||||
for di in ctap::get_devices()? {
|
||||
match FidoDevice::new(&di) {
|
||||
Err(e) => match e.kind() {
|
||||
FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
|
||||
err => return Err(FidoError::from(err).into()),
|
||||
},
|
||||
Ok(dev) => devices.push(dev),
|
||||
}
|
||||
}
|
||||
Ok(devices)
|
||||
pub fn get_devices() -> Fido2LuksResult<Vec<HidInfo>> {
|
||||
Ok(get_fidokey_devices())
|
||||
}
|
||||
|
||||
16
src/error.rs
16
src/error.rs
@@ -1,4 +1,4 @@
|
||||
use ctap::FidoError;
|
||||
use anyhow;
|
||||
use libcryptsetup_rs::LibcryptErr;
|
||||
use std::io;
|
||||
use std::io::ErrorKind;
|
||||
@@ -14,7 +14,7 @@ pub enum Fido2LuksError {
|
||||
#[fail(display = "unable to read keyfile: {}", cause)]
|
||||
KeyfileError { cause: io::Error },
|
||||
#[fail(display = "authenticator error: {}", cause)]
|
||||
AuthenticatorError { cause: ctap::FidoError },
|
||||
AuthenticatorError { cause: anyhow::Error },
|
||||
#[fail(display = "no authenticator found, please ensure your device is plugged in")]
|
||||
NoAuthenticatorError,
|
||||
#[fail(display = " {}", cause)]
|
||||
@@ -35,6 +35,12 @@ pub enum Fido2LuksError {
|
||||
InsufficientCredentials,
|
||||
}
|
||||
|
||||
impl From<anyhow::Error> for Fido2LuksError {
|
||||
fn from(cause: anyhow::Error) -> Self {
|
||||
Fido2LuksError::AuthenticatorError { cause }
|
||||
}
|
||||
}
|
||||
|
||||
impl Fido2LuksError {
|
||||
pub fn exit_code(&self) -> i32 {
|
||||
use Fido2LuksError::*;
|
||||
@@ -91,12 +97,6 @@ impl From<LuksError> for Fido2LuksError {
|
||||
}
|
||||
}
|
||||
|
||||
impl From<FidoError> for Fido2LuksError {
|
||||
fn from(e: FidoError) -> Self {
|
||||
AuthenticatorError { cause: e }
|
||||
}
|
||||
}
|
||||
|
||||
impl From<LibcryptErr> for Fido2LuksError {
|
||||
fn from(e: LibcryptErr) -> Self {
|
||||
match e {
|
||||
|
||||
27
src/luks.rs
27
src/luks.rs
@@ -142,6 +142,7 @@ impl LuksDevice {
|
||||
old_secret: &[u8],
|
||||
iteration_time: Option<u64>,
|
||||
credential_id: Option<&[u8]>,
|
||||
comment: Option<String>,
|
||||
) -> Fido2LuksResult<u32> {
|
||||
if let Some(millis) = iteration_time {
|
||||
self.device.settings_handle().set_iteration_time(millis)
|
||||
@@ -152,7 +153,7 @@ impl LuksDevice {
|
||||
.add_by_passphrase(None, old_secret, secret)?;
|
||||
if let Some(id) = credential_id {
|
||||
self.device.token_handle().json_set(TokenInput::AddToken(
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
|
||||
&serde_json::to_value(&Fido2LuksToken::new(id, slot, comment)).unwrap(),
|
||||
))?;
|
||||
}
|
||||
|
||||
@@ -216,9 +217,18 @@ impl LuksDevice {
|
||||
)? as u32;
|
||||
if let Some(id) = credential_id {
|
||||
if self.is_luks2()? {
|
||||
let token = self.find_token(slot)?.map(|(t, _)| t);
|
||||
let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
|
||||
if let Some(token) = token {
|
||||
let (token_id, token_data) = match self.find_token(slot)? {
|
||||
Some((id, data)) => (Some(id), Some(data)),
|
||||
_ => (None, None),
|
||||
};
|
||||
let json = serde_json::to_value(&Fido2LuksToken::new(
|
||||
id,
|
||||
slot,
|
||||
// retain comment on replace
|
||||
token_data.map(|data| data.comment).flatten(),
|
||||
))
|
||||
.unwrap();
|
||||
if let Some(token) = token_id {
|
||||
self.device
|
||||
.token_handle()
|
||||
.json_set(TokenInput::ReplaceToken(token, &json))?;
|
||||
@@ -315,16 +325,19 @@ pub struct Fido2LuksToken {
|
||||
pub type_: String,
|
||||
pub credential: HashSet<String>,
|
||||
pub keyslots: HashSet<String>,
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub comment: Option<String>,
|
||||
}
|
||||
|
||||
impl Fido2LuksToken {
|
||||
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
|
||||
Self::with_credentials(std::iter::once(credential_id), slot)
|
||||
pub fn new(credential_id: impl AsRef<[u8]>, slot: u32, comment: Option<String>) -> Self {
|
||||
Self::with_credentials(std::iter::once(credential_id), slot, comment)
|
||||
}
|
||||
|
||||
pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
|
||||
credentials: I,
|
||||
slot: u32,
|
||||
comment: Option<String>,
|
||||
) -> Self {
|
||||
Self {
|
||||
credential: credentials
|
||||
@@ -332,6 +345,7 @@ impl Fido2LuksToken {
|
||||
.map(|cred| hex::encode(cred.as_ref()))
|
||||
.collect(),
|
||||
keyslots: vec![slot.to_string()].into_iter().collect(),
|
||||
comment,
|
||||
..Default::default()
|
||||
}
|
||||
}
|
||||
@@ -346,6 +360,7 @@ impl Default for Fido2LuksToken {
|
||||
type_: Self::default_type().into(),
|
||||
credential: HashSet::new(),
|
||||
keyslots: HashSet::new(),
|
||||
comment: None,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate ctap_hmac as ctap;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
use crate::cli::*;
|
||||
|
||||
Reference in New Issue
Block a user