diff --git a/src/hooks/ykfde b/src/hooks/ykfde
index f621280..256f267 100644
--- a/src/hooks/ykfde
+++ b/src/hooks/ykfde
@@ -16,6 +16,7 @@ YKFDE_CHALLENGE=""
 YKFDE_CHALLENGE_PASSWORD_NEEDED=""
 YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""
 YKFDE_USE_PLYMOUTH=""
+export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
 message() {
 if [ "$YKFDE_USE_PLYMOUTH" ]; then
@@ -192,8 +193,8 @@ ykfde_challenge_response() {
 while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do
 _endtime="$(date +%s)"
 _usedtime=$((_endtime - _starttime))
- [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykinfo -$YKFDE_CHALLENGE_SLOT': "
- _tmp="$(ykinfo -"$YKFDE_CHALLENGE_SLOT" 2>&1)"
+ [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykman otp info': "
+ _tmp="$(ykman otp info | grep -q "$YKFDE_CHALLENGE_SLOT: programmed" 2>&1)"
 _rc=$?
 [ "$DBG" ] && message "[$_rc] '$_tmp'"
 if [ "$_rc" -eq 0 ]; then
@@ -232,9 +233,10 @@ ykfde_challenge_response() {
 if [ "$_yubikey_detected" ]; then
 while [ -z "$_ykfde_response" ]; do
- [ "$DBG" ] && message " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+ [ "$DBG" ] && message " Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
 message " Remember to touch the device if necessary."
- _ykfde_response="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')"
+ _ykfde_response="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')"
 [ "$DBG" ] && message " Received response: '$_ykfde_response'"
 done
 fi
diff --git a/src/install/ykfde b/src/install/ykfde
index a68ee8d..80a3fa4 100644
--- a/src/install/ykfde
+++ b/src/install/ykfde
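Review bot: The new `export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1` at the top of the hook carries no explanation, so a later maintainer cannot tell whether it is still needed or safe to drop. As far as I can infer, the Python `cryptography` module that `ykman` imports tries to load OpenSSL's legacy provider, which the initramfs does not ship, and the variable tells it not to; a comment above the line such as `# ykman's cryptography module aborts at import if OpenSSL's legacy provider is missing (it is not in the initramfs); this disables the lookup` would record that, adjusted if the real motivation differs. The testrun.sh hunk sets the same variable again by hand inside its chroot command, and the two places should reference each other.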
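Review bot: In the detection loop `_tmp` is now always empty, because `grep -q` prints nothing, so the debug line `[$_rc] '$_tmp'` no longer shows what the key reported; the `2>&1` also redirects only grep's stderr, so any error text from `ykman` bypasses the capture and goes straight to the console. Dropping `-q`, moving the redirect onto `ykman` and anchoring the pattern keeps both the status and the output: `_tmp="$(ykman otp info 2>&1 | grep "^Slot $YKFDE_CHALLENGE_SLOT: programmed")"`. The anchor also matters because with an empty `YKFDE_CHALLENGE_SLOT` the current pattern `: programmed` matches any programmed slot. Each iteration of this polling loop now starts a Python interpreter, which is far slower than `ykinfo`, so the `_yubikey_timeout` accounting may need a second look. `ykfde_challenge_response` starts and ends outside the hunk.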
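Review bot: The hex encoding `od --endian=big -t x1 -An | tr -d ' ,\n'` lacks `-v`, so whenever two consecutive 16-byte rows of the challenge are identical `od` replaces the repeat with a `*` line; the `*` survives `tr`, the value handed to `ykman otp calculate` is no longer valid hex, and presumably the response comes back empty, which in this hook means the `while [ -z "$_ykfde_response" ]` loop never exits at boot. A challenge like a 16-character passphrase typed twice is enough to trigger it. Use `od -An -v -t x1 | tr -d ' \n'` here; `--endian` has no effect on single-byte output and only ties the hook to GNU coreutils, and the output contains no commas to delete. The same pipeline is repeated in the ykfde-enroll (two hunks), ykfde-format and ykfde-open hunks and needs the same fix in each, or a single shared helper. `ykfde_challenge_response` starts and ends outside this hunk.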
@@ -22,6 +22,25 @@ build() {
 add_all_modules "/crypto/"
 fi
+ base_files=$(pacman -Ql python | awk '{print $2}' | /bin/grep -E '.py$|.so$')
+ for file in $base_files
+ do
+ add_file $file
+ done
+
+ python_ver=$(python -V | awk -F'[" ",.]' '{print $2"."$3}')
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/zipp"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/cryptography"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/cffi"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/smartcard"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/fido2"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/importlib_metadata"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/ykman"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/yubikit"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/click"
+ add_full_dir "/usr/lib/python${python_ver}/site-packages/keyring"
+ add_binary "/usr/lib/python${python_ver}/site-packages/_cffi_backend.cpython-${python_ver/./}-x86_64-linux-gnu.so"
+
 add_binary "cryptsetup"
 add_binary "dmsetup"
 add_file "/usr/lib/udev/rules.d/10-dm.rules"
@@ -31,10 +50,12 @@ build() {
 # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
 add_binary "/usr/lib/libgcc_s.so.1"
-
+ add_binary "/usr/lib/libssl.so.3"
+ add_binary "/usr/lib/libpcsclite.so.1"
+ add_binary "python"
+ add_binary "ykman"
+ add_binary "od"
 add_binary "tr"
- add_binary "ykchalresp"
- add_binary "ykinfo"
 add_binary "date"
 add_binary "sleep"
 add_binary "printf"
diff --git a/src/ykfde-enroll b/src/ykfde-enroll
index da4b5fb..6b5859f 100644
--- a/src/ykfde-enroll
+++ b/src/ykfde-enroll
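Review bot: `add_full_dir` copies the site-packages trees as plain files and, unlike `add_binary`, does not resolve the shared libraries the native extensions inside them link against; that is presumably why `libssl.so.3` and `libpcsclite.so.1` are listed by hand in the next hunk, with the sonames, the `x86_64-linux-gnu` suffix of `_cffi_backend` and the `python -V` parsing all hard-coded, so an OpenSSL ABI bump or another architecture breaks the image with no error at build time. Running `add_binary` over every `*.so` found under the copied packages lets mkinitcpio discover those dependencies itself, and the interpreter version is safer taken from `sys.version_info` than from splitting the `python -V` banner. The `for file in $base_files` loop also leaves `$file` unquoted in `add_file $file`, and the `.py$|.so$` pattern has unescaped dots. build() starts before and ends after the hunk.
```shell
python_ver=$(python -c 'import sys; print("%d.%d" % sys.version_info[:2])')
site_packages="/usr/lib/python${python_ver}/site-packages"
for pkg in zipp cryptography cffi smartcard fido2 importlib_metadata ykman yubikit click keyring; do
  add_full_dir "${site_packages}/${pkg}"
  # add_full_dir copies files only; let add_binary resolve the ELF dependencies of each native extension
  while IFS= read -r -d '' so; do
    add_binary "$so"
  done < <(find "${site_packages}/${pkg}" -name '*.so' -print0)
done
for so in "${site_packages}"/_cffi_backend.*.so; do
  add_binary "$so"
done
# … unchanged: add_binary "cryptsetup" and the rest of build() …
```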
@@ -84,10 +84,10 @@ while getopts ":d:s:ckovh" opt; do
 esac
 done
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+YKFDE_SLOT_CHECK="$(ykman otp info | grep "$YKFDE_CHALLENGE_SLOT" | awk '{print $3}')"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykman otp info': slot $YKFDE_CHALLENGE_SLOT: $YKFDE_SLOT_CHECK"
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+if [ "$YKFDE_SLOT_CHECK" != "programmed" ]; then
 printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
 exit 1
 fi
@@ -144,9 +144,10 @@ if [ -z "$YKFDE_CHALLENGE" ]; then
 fi
 while [ -z "$YKFDE_RESPONSE" ]; do
- [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
 echo " Remember to touch the device if necessary."
- YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ YKFDE_RESPONSE="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
 [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
 done
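Review bot: The slot check `ykman otp info | grep "$YKFDE_CHALLENGE_SLOT" | awk '{print $3}'` greps an unanchored digit across the whole `ykman` output, so it matches any line that merely contains that digit and, with an unset or empty `YKFDE_CHALLENGE_SLOT`, every line; it also reads as "not configured" when `ykman` itself fails (no key reachable, missing module), and the error message then sends the user to the wrong fix. Anchoring on the slot line, `YKFDE_SLOT_CHECK="$(ykman otp info | awk -v s="$YKFDE_CHALLENGE_SLOT" '$1 == "Slot" && $2 == s":" {print $3}')"`, restricts the match to the intended line, and checking `ykman`'s own exit status first, e.g. `ykman otp info >/dev/null || { printf '%s\n' "ERROR: cannot query the YubiKey" >&2; exit 1; }`, separates an unreachable key from an unprogrammed slot. The identical check appears in the ykfde-format and ykfde-open hunks and should be changed there too.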
@@ -190,9 +191,10 @@ if [ "$YKFDE_OLD_YUBIKEY" ]; then
 fi
 while [ -z "$YKFDE_OLD_RESPONSE" ]; do
- [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_OLD_CHALLENGE'..."
+ YKFDE_REAL_OLD_CHALLENGE=$(printf '%s' "$YKFDE_OLD_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_OLD_CHALLENGE'..."
 echo " Remember to touch the old device if necessary."
- YKFDE_OLD_RESPONSE="$(printf %s "$YKFDE_OLD_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ YKFDE_OLD_RESPONSE="$(printf '%s' "$YKFDE_REAL_OLD_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
 [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_OLD_RESPONSE'"
 done
diff --git a/src/ykfde-format b/src/ykfde-format
index 2371be0..d55dbfa 100644
--- a/src/ykfde-format
+++ b/src/ykfde-format
@@ -19,10 +19,10 @@ else
 echo "WARNING: Can't access /etc/ykfde.conf. Falling back to defaults."
 fi
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+YKFDE_SLOT_CHECK="$(ykman otp info | grep "$YKFDE_CHALLENGE_SLOT" | awk '{print $3}')"
+[ "${DBG:-}" ] && printf '%s\n' " > YubiKey slot status 'ykman otp info': slot $YKFDE_CHALLENGE_SLOT: $YKFDE_SLOT_CHECK"
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+if [ "$YKFDE_SLOT_CHECK" != "programmed" ]; then
 printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
 exit 1
 fi
@@ -54,9 +54,10 @@ if [ -z "$YKFDE_CHALLENGE" ]; then
 fi
 while [ -z "$YKFDE_RESPONSE" ]; do
- [ "${DBG:-}" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+ [ "${DBG:-}" ] && printf '%s\n' " Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
 echo " Remember to touch the device if necessary."
- YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ YKFDE_RESPONSE="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
 [ "${DBG:-}" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
 done
diff --git a/src/ykfde-open b/src/ykfde-open
index c87e15f..42dd711 100644
--- a/src/ykfde-open
+++ b/src/ykfde-open
@@ -93,10 +93,10 @@ done
 shift "$((OPTIND - 1))"
-YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_CHALLENGE_SLOT")"
-[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_CHALLENGE_SLOT': $YKFDE_SLOT_CHECK"
+YKFDE_SLOT_CHECK="$(ykman otp info | grep "$YKFDE_CHALLENGE_SLOT" | awk '{print $3}')"
+[ "$DBG" ] && printf '%s\n' " > YubiKey slot status 'ykman otp info': slot $YKFDE_CHALLENGE_SLOT: $YKFDE_SLOT_CHECK"
-if [ "$YKFDE_SLOT_CHECK" != 1 ]; then
+if [ "$YKFDE_SLOT_CHECK" != "programmed" ]; then
 printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_CHALLENGE_SLOT' isn't configured. Please choose slot configured for 'HMAC-SHA1 Challenge-Response' mode in '/etc/ykfde.conf'"
 exit 1
 fi
@@ -140,9 +140,10 @@ while [ -z "$YKFDE_CHALLENGE" ]; do
 done
 while [ -z "$YKFDE_RESPONSE" ]; do
- [ "$DBG" ] && printf '%s\n' " Running: 'ykchalresp -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..."
+ YKFDE_REAL_CHALLENGE="$(printf '%s' "$YKFDE_CHALLENGE" | od --endian=big -t x1 -An | tr -d ' ,\n')"
+ [ "$DBG" ] && printf '%s\n' " Running: 'ykman otp calculate $YKFDE_CHALLENGE_SLOT $YKFDE_REAL_CHALLENGE'..."
 echo " Remember to touch the device if necessary."
- YKFDE_RESPONSE="$(printf %s "$YKFDE_CHALLENGE" | ykchalresp -"$YKFDE_CHALLENGE_SLOT" -i- | tr -d '\n')" || true
+ YKFDE_RESPONSE="$(printf '%s' "$YKFDE_REAL_CHALLENGE" | ykman otp calculate "$YKFDE_CHALLENGE_SLOT" -- | tr -d '\n')" || true
 [ "$DBG" ] && printf '%s\n' " Received response: '$YKFDE_RESPONSE'"
 done
diff --git a/testrun.sh b/testrun.sh
index 5894e26..ceafe72 100755
--- a/testrun.sh
+++ b/testrun.sh
@@ -37,24 +37,42 @@ truncate -s 20M "$YKFDE_TMPFILE"
 cleanup() {
 rm -f "$YKFDE_TMPFILE"
+ rm -rf initramfs
 }
 trap cleanup EXIT
 echo "INFO: Testing 'ykfde-format' script."
-DBG=1 ykfde-format "$YKFDE_TMPFILE"
+DBG=1 bash "$(pwd)/src/ykfde-format" "$YKFDE_TMPFILE"
 echo "Test 'ykfde-format' script successfully passed."
 echo "INFO: Testing 'ykfde-enroll' script."
 printf '%s\n' "test" | cryptsetup luksFormat "$YKFDE_TMPFILE"
 echo "INFO: Old LUKS passphrase is 'test'."
-ykfde-enroll -d "$YKFDE_TMPFILE" -s 7 -v
+bash "$(pwd)/src/ykfde-enroll" -d "$YKFDE_TMPFILE" -s 7 -v
 echo "Test 'ykfde-enroll' script successfully passed."
 echo "INFO: Testing 'ykfde-open' script."
-ykfde-open -d "$YKFDE_TMPFILE" -n ykfde-test -v
+bash "$(pwd)/src/ykfde-open" -d "$YKFDE_TMPFILE" -n ykfde-test -v
 cryptsetup close ykfde-test
 echo "Test 'ykfde-open' script successfully passed."
-echo "All tests successfully passed."
-
+echo "INFO: Testing initramfs..."
+mkdir -p "$(pwd)/initramfs"
+mkinitcpio -d "$(pwd)/initramfs"
+status=1
+status=$(chroot "$(pwd)/initramfs" /bin/sh -c "export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1; ykman otp info; exit 0" 2>&1 | awk '
+ {
+ if ($0 ~ /No YubiKey detected/) {
+ print "0";
+ exit 0;
+ }
+ }'
+)
+if [[ "$status" == 0 ]]
+then
+ echo "All tests successfully passed."
+else
+ echo "The image didnot pass the test, please file a bug report to: https://github.com/agherzan/yubikey-full-disk-encryption/issues"
+ exit 127
+fi
 exit 0
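Review bot: The initramfs smoke test counts as passed only when the chrooted `ykman otp info` prints `No YubiKey detected`; any other outcome, presumably including a key that is present and reachable and answers with its slot status (the enroll/open steps just above need one plugged in), leaves `status` empty and fails the run, while a Python traceback from a missing module is reported with the same generic message, so the test cannot tell a broken image from a working one. The `status=1` assignment is overwritten on the next line and serves no purpose. Capturing the output once and failing on error markers rather than on the absence of one string makes the intent explicit: `out=$(chroot "$(pwd)/initramfs" /bin/sh -c "export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1; ykman otp info" 2>&1)` followed by `case $out in *Traceback*|*"not found"*) printf '%s\n' "$out" >&2; exit 1 ;; esac`. `exit 127` is conventionally "command not found" and a plain `exit 1` matches the other scripts; `rm -rf initramfs` in `cleanup` also uses a relative path while the directory is created as `$(pwd)/initramfs`, and the message text `didnot` should read `did not`.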