fix test

2020-10-13 14:10:22 +02:00
9 changed files with 15 additions and 373 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,4 @@
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
-fido2luks.zsh
+fido2luks.zsh
 result
 result-*
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -377,7 +377,7 @@ dependencies = [
 [[package]]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.15"
 dependencies = [
 "ctap_hmac",
 "failure",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.16"
+version = "0.2.15"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
@@ -48,7 +48,6 @@ extended-description = "Decrypt your LUKS partition using a FIDO2 compatible aut
 assets = [
    ["target/release/fido2luks", "usr/bin/", "755"],
    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
    ["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
--- a/1
+++ b/1
@@ -21,6 +21,5 @@ build() {
 package() {
    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
    install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
 }
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
-Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 ## Setup
--- a/flake.lock
+++ b/flake.lock
@@ -1,61 +0,0 @@
 {
  "nodes": {
    "naersk": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1612192764,
        "narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
        "owner": "nmattia",
        "repo": "naersk",
        "rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
        "type": "github"
      },
      "original": {
        "owner": "nmattia",
        "repo": "naersk",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1611910458,
        "narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
        "path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
        "rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
        "type": "path"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "naersk": "naersk",
        "nixpkgs": "nixpkgs",
        "utils": "utils"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1610051610,
        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@@ -1,61 +0,0 @@
 {
  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
  inputs = {
    utils.url = "github:numtide/flake-utils";
    naersk = {
      url = "github:nmattia/naersk";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, utils, naersk }:
    let
      root = ./.;
      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
      forPkgs = pkgs:
        let
          naersk-lib = naersk.lib."${pkgs.system}";
          buildInputs = with pkgs; [ cryptsetup ];
          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
          nativeBuildInputs = with pkgs; [
            pkgconfig
            clang
          ];
        in
        rec {
          # `nix build`
          packages.${pname} = naersk-lib.buildPackage {
            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
          };
          defaultPackage = packages.${pname};
          # `nix run`
          apps.${pname} = utils.lib.mkApp {
            drv = packages.${pname};
          };
          defaultApp = apps.${pname};
          # `nix flake check`
          checks = {
            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
              cd ${root}
              cargo fmt -- --check
              nixpkgs-fmt --check *.nix
              touch $out
            '';
          };
          # `nix develop`
          devShell = pkgs.mkShell {
            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
            inherit buildInputs LIBCLANG_PATH;
          };
        };
      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
    in
    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
      overlay = final: prev: (forPkgs final).packages;
    };
 }
--- a/pam_mount/fido2luksmounthelper.sh
+++ b/pam_mount/fido2luksmounthelper.sh
@@ -1,220 +0,0 @@
 #!/bin/bash
 #
 # This is a rather minimal example Argbash potential
 # Example taken from http://argbash.readthedocs.io/en/stable/example.html
 #
 # ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
 # ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
 # ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
 # ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
 # ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
 # ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
 # ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
 # ARGBASH_GO()
 # needed because of Argbash --> m4_ignore([
 ### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
 # Argbash is a bash code generator used to get arguments parsing right.
 # Argbash is FREE SOFTWARE, see https://argbash.io for more info
 # Generated online by https://argbash.io/generate
 die()
 {
 	local _ret="${2:-1}"
 	test "${_PRINT_HELP:-no}" = yes && print_help >&2
 	echo "$1" >&2
 	exit "${_ret}"
 }
 begins_with_short_option()
 {
 	local first_option all_short_options='cdmash'
 	first_option="${1:0:1}"
 	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
 }
 # THE DEFAULTS INITIALIZATION - POSITIONALS
 _positionals=()
 # THE DEFAULTS INITIALIZATION - OPTIONALS
 _arg_credentials_type=
 _arg_device=
 _arg_mount_point=
 _arg_ask_pin="off"
 _arg_salt=""
 print_help()
 {
 	printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
 	printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
 	printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
 	printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
 	printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
 	printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
 	printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
 	printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
 	printf '\t%s\n' "-h, --help: Prints help"
 }
 parse_commandline()
 {
 	_positionals_count=0
 	while test $# -gt 0
 	do
 		_key="$1"
 		case "$_key" in
 			-c|--credentials-type)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_credentials_type="$2"
 				shift
 				;;
 			--credentials-type=*)
 				_arg_credentials_type="${_key##--credentials-type=}"
 				;;
 			-c*)
 				_arg_credentials_type="${_key##-c}"
 				;;
 			-d|--device)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_device="$2"
 				shift
 				;;
 			--device=*)
 				_arg_device="${_key##--device=}"
 				;;
 			-d*)
 				_arg_device="${_key##-d}"
 				;;
 			-m|--mount-point)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_mount_point="$2"
 				shift
 				;;
 			--mount-point=*)
 				_arg_mount_point="${_key##--mount-point=}"
 				;;
 			-m*)
 				_arg_mount_point="${_key##-m}"
 				;;
 			-a|--no-ask-pin|--ask-pin)
 				_arg_ask_pin="on"
 				test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
 				;;
 			-a*)
 				_arg_ask_pin="on"
 				_next="${_key##-a}"
 				if test -n "$_next" -a "$_next" != "$_key"
 				then
 					{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
 				fi
 				;;
 			-s|--salt)
 				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
 				_arg_salt="$2"
 				shift
 				;;
 			--salt=*)
 				_arg_salt="${_key##--salt=}"
 				;;
 			-s*)
 				_arg_salt="${_key##-s}"
 				;;
 			-h|--help)
 				print_help
 				exit 0
 				;;
 			-h*)
 				print_help
 				exit 0
 				;;
 			*)
 				_last_positional="$1"
 				_positionals+=("$_last_positional")
 				_positionals_count=$((_positionals_count + 1))
 				;;
 		esac
 		shift
 	done
 }
 handle_passed_args_count()
 {
 	local _required_args_string="'operation'"
 	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
 	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
 }
 assign_positional_args()
 {
 	local _positional_name _shift_for=$1
 	_positional_names="_arg_operation "
 	shift "$_shift_for"
 	for _positional_name in ${_positional_names}
 	do
 		test $# -gt 0 || break
 		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
 		shift
 	done
 }
 parse_commandline "$@"
 handle_passed_args_count
 assign_positional_args 1 "${_positionals[@]}"
 # OTHER STUFF GENERATED BY Argbash
 ### END OF CODE GENERATED BY Argbash (sortof) ### ])
 # [ <-- needed because of Argbash
 if [ -z ${_arg_mount_point} ]; then
  die "Missing '--mount-point' argument"
 fi
 if [ -z ${_arg_device} ]; then
  die "Missing '--device' argument"
 fi
 ASK_PIN=${_arg_ask_pin}
 OPERATION=${_arg_operation}
 DEVICE=${_arg_device}
 DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
 MOUNT_POINT=${_arg_mount_point}
 CREDENTIALS_TYPE=${_arg_credentials_type}
 SALT=${_arg_salt}
 CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
 if [ "${OPERATION}" == "mount" ]; then
 	if [ "${CREDENTIALS_TYPE}" == "external" ]; then
    if  [ -f ${CONF_FILE_PATH} ]; then
 			if [ "${ASK_PIN}" == "on" ]; then
 				read PASSWORD
 			fi
 			CREDENTIALS=$(<${CONF_FILE_PATH})
 		else
 			die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
 		fi
 		printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
 	elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
 		if [ "${ASK_PIN}" == "on" ]; then
 			read PASSWORD
 		fi
 		printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
 	else
 		die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
 	fi 
 	mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
 elif [ "${OPERATION}" == "umount" ]; then
  umount ${MOUNT_POINT}
  cryptsetup luksClose ${DEVICE_NAME}
 else
  die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
 fi
 exit 0
 # ] <-- needed because of Argbash
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -71,12 +71,6 @@ pub fn parse_cmdline() -> Args {
    Args::from_args()
 }
 pub fn prompt_interaction(interactive: bool) {
    if interactive {
        println!("Authorize using your FIDO device");
    }
 }
 pub fn run_cli() -> Fido2LuksResult<()> {
    let mut stdout = io::stdout();
    let args = parse_cmdline();
@@ -115,7 +109,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            } else {
                secret.salt.obtain_sha256(&secret.password_helper)
            }?;
            prompt_interaction(interactive);
            let (secret, _cred) = derive_secret(
                credentials.ids.0.as_slice(),
                &salt,
@@ -171,27 +164,23 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    } => Ok((util::read_keyfile(file)?, None)),
                    OtherSecret {
                        fido_device: true, ..
-                    } => {
+                    } => Ok(derive_secret(
-                        prompt_interaction(interactive);
+                        &credentials.ids.0,
-                        Ok(derive_secret(
+                        &salt(salt_q, verify)?,
-                            &credentials.ids.0,
+                        authenticator.await_time,
-                            &salt(salt_q, verify)?,
+                        pin.as_deref(),
-                            authenticator.await_time,
+                    )
-                            pin.as_deref(),
+                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
                        )
                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
                    }
                    _ => Ok((
                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                        None,
                    )),
                }
            };
-            let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
                prompt_interaction(interactive);
                derive_secret(
                    &credentials.ids.0,
-                    &salt(q, verify)?,
+                    &salt("Password", verify)?,
                    authenticator.await_time,
                    pin.as_deref(),
                )
@@ -201,7 +190,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            match &args.command {
                Command::AddKey { exclusive, .. } => {
                    let (existing_secret, _) = other_secret("Current password", false)?;
-                    let (new_secret, cred) = secret("Password to be added", true)?;
+                    let (new_secret, cred) = secret(true)?;
                    let added_slot = luks_dev.add_key(
                        &new_secret,
                        &existing_secret[..],
@@ -226,7 +215,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    Ok(())
                }
                Command::ReplaceKey { add_password, .. } => {
-                    let (existing_secret, _) = secret("Current password", false)?;
+                    let (existing_secret, _) = secret(false)?;
                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                    let slot = if *add_password {
                        luks_dev.add_key(
@@ -285,7 +274,6 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            // Cow shouldn't be necessary
            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
                prompt_interaction(interactive);
                derive_secret(
                    credentials.as_ref(),
                    &salt("Password", false)?,