Change the crypt-storage file to be hex encoded instead of raw binary. To update from the previous configuration, convert your crypt-storage file from raw binary to hex.
This commit is contained in:
parent
cce9712331
commit
20cfaf0faa
@ -68,7 +68,7 @@ let
|
|||||||
mount -t ${yubikey.storage.fsType} ${toString yubikey.storage.device} ${yubikey.storage.mountPoint}
|
mount -t ${yubikey.storage.fsType} ${toString yubikey.storage.device} ${yubikey.storage.mountPoint}
|
||||||
|
|
||||||
local uuid_r
|
local uuid_r
|
||||||
uuid_r="$(take 16 ${yubikey.storage.mountPoint}${yubikey.storage.path} | rbtohex)"
|
uuid_r="$(take 32 ${yubikey.storage.mountPoint}${yubikey.storage.path})"
|
||||||
|
|
||||||
local uuid_luks
|
local uuid_luks
|
||||||
uuid_luks="$(cryptsetup luksUUID ${device} | take 36 | tr -d '-')"
|
uuid_luks="$(cryptsetup luksUUID ${device} | take 36 | tr -d '-')"
|
||||||
@ -91,9 +91,9 @@ let
|
|||||||
|
|
||||||
k_blob="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
|
k_blob="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
|
||||||
|
|
||||||
aes_blob_decrypted="$(drop 16 ${yubikey.storage.mountPoint}${yubikey.storage.path} | openssl-wrap enc -d -aes-256-ctr -K $k_blob -iv $uuid_r | rbtohex)"
|
aes_blob_decrypted="$(drop 32 ${yubikey.storage.mountPoint}${yubikey.storage.path} | hextorb | openssl-wrap enc -d -aes-256-ctr -K $k_blob -iv $uuid_r | rbtohex)"
|
||||||
|
|
||||||
checksum="$(echo -n $aes_blob_decrypted | hextorb | drop 84 | rbtohex)"
|
checksum="$(echo -n $aes_blob_decrypted | drop 168)"
|
||||||
if [ "$(echo -n $aes_blob_decrypted | hextorb | take 84 | openssl-wrap dgst -binary -sha512 | rbtohex)" == "$checksum" ]; then
|
if [ "$(echo -n $aes_blob_decrypted | hextorb | take 84 | openssl-wrap dgst -binary -sha512 | rbtohex)" == "$checksum" ]; then
|
||||||
checksum_correct=1
|
checksum_correct=1
|
||||||
break
|
break
|
||||||
@ -110,10 +110,10 @@ let
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
local k_yubi
|
local k_yubi
|
||||||
k_yubi="$(echo -n $aes_blob_decrypted | hextorb | take 20 | rbtohex)"
|
k_yubi="$(echo -n $aes_blob_decrypted | take 40)"
|
||||||
|
|
||||||
local k_luks
|
local k_luks
|
||||||
k_luks="$(echo -n $aes_blob_decrypted | hextorb | drop 20 | take 64 | rbtohex)"
|
k_luks="$(echo -n $aes_blob_decrypted | drop 40 | take 128)"
|
||||||
|
|
||||||
echo -n "$k_luks" | hextorb | cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} --key-file=-
|
echo -n "$k_luks" | hextorb | cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} --key-file=-
|
||||||
|
|
||||||
@ -139,8 +139,8 @@ let
|
|||||||
local new_k_blob
|
local new_k_blob
|
||||||
new_k_blob="$(echo -n $new_challenge | hextorb | openssl-wrap dgst -binary -sha1 -mac HMAC -macopt hexkey:$k_yubi | rbtohex)"
|
new_k_blob="$(echo -n $new_challenge | hextorb | openssl-wrap dgst -binary -sha1 -mac HMAC -macopt hexkey:$k_yubi | rbtohex)"
|
||||||
|
|
||||||
echo -n "$new_uuid_r" | hextorb > ${yubikey.storage.mountPoint}${yubikey.storage.path}
|
echo -n "$new_uuid_r" > ${yubikey.storage.mountPoint}${yubikey.storage.path}
|
||||||
echo -n "$k_yubi$k_luks$checksum" | hextorb | openssl-wrap enc -e -aes-256-ctr -K "$new_k_blob" -iv "$new_uuid_r" >> ${yubikey.storage.mountPoint}${yubikey.storage.path}
|
echo -n "$k_yubi$k_luks$checksum" | hextorb | openssl-wrap enc -e -aes-256-ctr -K "$new_k_blob" -iv "$new_uuid_r" | rbtohex >> ${yubikey.storage.mountPoint}${yubikey.storage.path}
|
||||||
else
|
else
|
||||||
echo "Warning: Could not obtain new UUID, current challenge persists!"
|
echo "Warning: Could not obtain new UUID, current challenge persists!"
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user