patch secret_gen before obtaing first secret

mention clang build dependency
enable fido requests to be sent to multiple devices at once
2020-04-06 23:33:41 +02:00 · 2020-04-06 22:52:15 +02:00 · 2020-04-06 21:38:11 +02:00 · 2020-04-06 20:18:00 +02:00 · 2020-04-05 23:24:18 +02:00 · 2020-04-03 22:02:05 +02:00
8 changed files with 977 additions and 484 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.3"
+version = "0.2.6"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
@@ -14,16 +14,13 @@ categories = ["command-line-utilities"]
 license-file = "LICENSE"
 [dependencies]
-ctap_hmac = "0.2.1"
+ctap_hmac = { version="0.4.1", features = ["request_multiple"] }
 cryptsetup-rs = "0.2.1"
 libcryptsetup-sys = "0.1.2"
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
 libcryptsetup-rs = "0.2.0"
 [profile.release]
 lto = true
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
 ### Prerequisites
 ```
-dnf install cargo cryptsetup-devel -y
+dnf install clang cargo cryptsetup-devel -y
 ```
 ### Device
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -1,85 +1,24 @@
 use crate::error::*;
 use crate::luks;
 use crate::*;
 use cryptsetup_rs as luks;
 use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
 use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
 use libcryptsetup_sys::crypt_keyslot_info;
 use structopt::StructOpt;
-use failure::_core::fmt::{Error, Formatter};
+use ctap::{FidoCredential, FidoErrorKind};
 use failure::_core::fmt::{Display, Error, Formatter};
 use failure::_core::str::FromStr;
 use failure::_core::time::Duration;
 use std::io::Write;
 use std::process::exit;
 use std::thread;
 use crate::util::read_password;
 use std::time::SystemTime;
 pub fn add_key_to_luks(
    device: PathBuf,
    secret: &[u8; 32],
    old_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
    exclusive: bool,
 ) -> Fido2LuksResult<u8> {
    fn offer_format(
        _dev: CryptDeviceOpenBuilder,
    ) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
        unimplemented!()
    }
    let dev =
        || -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
    let prev_key = old_secret()?;
    let mut handle = match dev()?.luks1() {
        Ok(handle) => handle,
        Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?,
        Err(luks::device::Error::CryptsetupError(errno)) => {
            //if i32::from(errno) == 555
            dbg!(errno);
            offer_format(dev()?)?
        } //TODO: find correct errorno and offer to format as luks
        err => err?,
    };
    handle.set_iteration_time(50);
    let slot = handle.add_keyslot(secret, Some(prev_key.as_slice()), None)?;
    if exclusive {
        for old_slot in 0..8u8 {
            if old_slot != slot
                && (handle.keyslot_status(old_slot.into()) == crypt_keyslot_info::CRYPT_SLOT_ACTIVE
                    || handle.keyslot_status(old_slot.into())
                        == crypt_keyslot_info::CRYPT_SLOT_ACTIVE_LAST)
            {
                handle.destroy_keyslot(old_slot)?;
            }
        }
    }
    Ok(slot)
 }
 pub fn add_password_to_luks(
    device: PathBuf,
    secret: &[u8; 32],
    new_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
    add_password: bool,
 ) -> Fido2LuksResult<u8> {
    let dev = luks::open(&device.canonicalize()?)?;
    let mut handle = dev.luks1()?;
    let prev_slot = if add_password {
        Some(handle.add_keyslot(&secret[..], Some(&secret[..]), None)?)
    } else {
        None
    };
    let slot = handle.update_keyslot(&new_secret()?[..], &secret[..], prev_slot)?;
    Ok(slot)
 }
 #[derive(Debug, Eq, PartialEq, Clone)]
-pub struct HexEncoded(Vec<u8>);
+pub struct HexEncoded(pub Vec<u8>);
-impl std::fmt::Display for HexEncoded {
+impl Display for HexEncoded {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        f.write_str(&hex::encode(&self.0))
    }
@@ -93,6 +32,30 @@ impl FromStr for HexEncoded {
    }
 }
 #[derive(Debug, Eq, PartialEq, Clone)]
 pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
 impl<T: Display + FromStr> Display for CommaSeparated<T> {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
        for i in &self.0 {
            f.write_str(&i.to_string())?;
            f.write_str(",")?;
        }
        Ok(())
    }
 }
 impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
    type Err = <T as FromStr>::Err;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(CommaSeparated(
            s.split(',')
                .map(|part| <T as FromStr>::from_str(part))
                .collect::<Result<Vec<_>, _>>()?,
        ))
    }
 }
 #[derive(Debug, StructOpt)]
 pub struct Args {
    /// Request passwords via Stdin instead of using the password helper
@@ -104,9 +67,9 @@ pub struct Args {
 #[derive(Debug, StructOpt, Clone)]
 pub struct SecretGeneration {
-    /// FIDO credential id, generate using fido2luks credential
+    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
-    pub credential_id: HexEncoded,
+    pub credential_ids: CommaSeparated<HexEncoded>,
    /// Salt for secret generation, defaults to 'ask'
    ///
    /// Options:{n}
@@ -136,19 +99,40 @@ pub struct SecretGeneration {
        default_value = "15"
    )]
    pub await_authenticator: u64,
    /// Request the password twice to ensure it being correct
    #[structopt(
        long = "verify-password",
        env = "FIDO2LUKS_VERIFY_PASSWORD",
        hidden = true
    )]
    pub verify_password: Option<bool>,
 }
 impl SecretGeneration {
-    pub fn patch(&self, args: &Args) -> Self {
+    pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
        let mut me = self.clone();
        if args.interactive {
            me.password_helper = PasswordHelper::Stdin;
        }
        me.verify_password = me.verify_password.or(verify_password);
        me
    }
-    pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
-        let salt = self.salt.obtain(&self.password_helper)?;
+        let mut salt = [0u8; 32];
        match self.password_helper {
            PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
                salt.copy_from_slice(&util::sha256(&[&read_password(
                    password_query,
                    self.verify_password.unwrap_or(true),
                )?
                .as_bytes()[..]]));
            }
            _ => {
                salt = self.salt.obtain(&self.password_helper)?;
            }
        }
        let timeout = Duration::from_secs(self.await_authenticator);
        let start = SystemTime::now();
@@ -164,13 +148,60 @@ impl SecretGeneration {
            }
            thread::sleep(Duration::from_millis(500));
        }
        let credentials = &self
            .credential_ids
            .0
            .iter()
            .map(|HexEncoded(id)| FidoCredential {
                id: id.to_vec(),
                public_key: None,
            })
            .collect::<Vec<_>>();
        let credentials = credentials.iter().collect::<Vec<_>>();
        Ok(assemble_secret(
-            &perform_challenge(&self.credential_id.0, &salt)?,
+            &perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?,
            &salt,
        ))
    }
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct LuksSettings {
    /// Number of milliseconds required to derive the volume decryption key
    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
    #[structopt(long = "kdf-time", name = "kdf-time")]
    kdf_time: Option<u64>,
 }
 #[derive(Debug, StructOpt, Clone)]
 pub struct OtherSecret {
    /// Use a keyfile instead of a password
    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
    keyfile: Option<PathBuf>,
    /// Use another fido device instead of a password
    /// Note: this requires for the credential fot the other device to be passed as argument as well
    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
    fido_device: bool,
 }
 impl OtherSecret {
    pub fn obtain(
        &self,
        secret_gen: &SecretGeneration,
        verify_password: bool,
        password_question: &str,
    ) -> Fido2LuksResult<Vec<u8>> {
        match &self.keyfile {
            Some(keyfile) => util::read_keyfile(keyfile.clone()),
            None if self.fido_device => {
                Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
            }
            None => util::read_password(password_question, verify_password)
                .map(|p| p.as_bytes().to_vec()),
        }
    }
 }
 #[derive(Debug, StructOpt)]
 pub enum Command {
    #[structopt(name = "print-secret")]
@@ -189,11 +220,12 @@ pub enum Command {
        /// Will wipe all other keys
        #[structopt(short = "e", long = "exclusive")]
        exclusive: bool,
-        /// Use a keyfile instead of typing a previous password
+        #[structopt(flatten)]
-        #[structopt(short = "d", long = "keyfile")]
+        existing_secret: OtherSecret,
        keyfile: Option<PathBuf>,
        #[structopt(flatten)]
        secret_gen: SecretGeneration,
        #[structopt(flatten)]
        luks_settings: LuksSettings,
    },
    /// Replace a previously added key with a password
    #[structopt(name = "replace-key")]
@@ -203,11 +235,12 @@ pub enum Command {
        /// Add the password and keep the key
        #[structopt(short = "a", long = "add-password")]
        add_password: bool,
-        /// Use a keyfile instead of typing a previous password
+        #[structopt(flatten)]
-        #[structopt(short = "d", long = "keyfile")]
+        replacement: OtherSecret,
        keyfile: Option<PathBuf>,
        #[structopt(flatten)]
        secret_gen: SecretGeneration,
        #[structopt(flatten)]
        luks_settings: LuksSettings,
    },
    /// Open the LUKS device
    #[structopt(name = "open")]
@@ -250,7 +283,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            binary,
            ref secret_gen,
        } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let secret = secret_gen
                .patch(&args, Some(false))
                .obtain_secret("Password")?;
            if *binary {
                stdout.write(&secret[..])?;
            } else {
@@ -261,48 +296,51 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        Command::AddKey {
            device,
            exclusive,
-            keyfile,
+            existing_secret,
            ref secret_gen,
            luks_settings,
        } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let secret_gen = secret_gen.patch(&args, None);
-            let slot = add_key_to_luks(
+            let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
            let secret = secret_gen.obtain_secret("Password")?;
            let added_slot = luks::add_key(
                device.clone(),
                &secret,
-                if let Some(keyfile) = keyfile.clone() {
+                &old_secret[..],
-                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                luks_settings.kdf_time.or(Some(10)),
                } else {
                    Box::new(|| {
                        util::read_password("Old password", true).map(|p| p.as_bytes().to_vec())
                    })
                },
                *exclusive,
            )?;
-            println!(
+            if *exclusive {
-                "Added to key to device {}, slot: {}",
+                let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
-                device.display(),
+                println!(
-                slot
+                    "Added to key to device {}, slot: {}\nRemoved {} old keys",
-            );
+                    device.display(),
                    added_slot,
                    destroyed
                );
            } else {
                println!(
                    "Added to key to device {}, slot: {}",
                    device.display(),
                    added_slot
                );
            }
            Ok(())
        }
        Command::ReplaceKey {
            device,
            add_password,
-            keyfile,
+            replacement,
            ref secret_gen,
            luks_settings,
        } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let secret_gen = secret_gen.patch(&args, Some(false));
-            let slot = add_password_to_luks(
+            let secret = secret_gen.obtain_secret("Password")?;
-                device.clone(),
+            let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
-                &secret,
+            let slot = if *add_password {
-                if let Some(keyfile) = keyfile.clone() {
+                luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
-                    Box::new(move || util::read_keyfile(keyfile.clone()))
+            } else {
-                } else {
+                luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
-                    Box::new(|| {
+            }?;
                        util::read_password("Password to add", true).map(|p| p.as_bytes().to_vec())
                    })
                },
                *add_password,
            )?;
            println!(
                "Added to password to device {}, slot: {}",
                device.display(),
@@ -318,16 +356,25 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        } => {
            let mut retries = *retries;
            loop {
-                let secret = secret_gen.patch(&args).obtain_secret()?;
+                match secret_gen
-                match open_container(&device, &name, &secret) {
+                    .patch(&args, Some(false))
-                    Err(e) => match e {
+                    .obtain_secret("Password")
-                        Fido2LuksError::WrongSecret if retries > 0 => {
+                    .and_then(|secret| luks::open_container(&device, &name, &secret))
-                            retries -= 1;
+                {
-                            eprintln!("{}", e);
+                    Err(e) => {
-                            continue;
+                        match e {
                            Fido2LuksError::WrongSecret if retries > 0 => (),
                            Fido2LuksError::AuthenticatorError { ref cause }
                                if cause.kind() == FidoErrorKind::Timeout && retries > 0 =>
                            {
                                ()
                            }
                            e => break Err(e)?,
                        }
-                        e => Err(e)?,
+                        retries -= 1;
-                    },
+                        eprintln!("{}", e);
                    }
                    res => break res,
                }
            }
--- a/src/device.rs
+++ b/src/device.rs
@@ -1,91 +1,49 @@
 use crate::error::*;
 use crate::util::sha256;
 use crate::util;
 use ctap::{
-    self,
+    self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
-    extensions::hmac::{FidoHmacCredential, HmacExtension},
+    FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
    AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
    PublicKeyCredentialUserEntity,
 };
 use std::time::Duration;
 const RP_ID: &'static str = "fido2luks";
-fn authenticator_options() -> Option<AuthenticatorOptions> {
+pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
-    Some(AuthenticatorOptions {
+    let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
-        uv: false, //TODO: should get this from config
+    if let Some(user_name) = name {
-        rk: true,
+        request = request.user_name(user_name);
    })
 }
 fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
    PublicKeyCredentialRpEntity {
        id: RP_ID,
        name: None,
        icon: None,
    }
    let request = request.build().unwrap();
    let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request);
    Ok(request_multiple_devices(
        get_devices()?
            .iter_mut()
            .map(|device| (device, &make_credential)),
        None,
    )?)
 }
-fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
+pub fn perform_challenge(
-    PublicKeyCredentialUserEntity {
+    credentials: &[&FidoCredential],
-        id: &[0u8],
+    salt: &[u8; 32],
-        name: name.unwrap_or(""),
+    timeout: Duration,
-        icon: None,
+) -> Fido2LuksResult<[u8; 32]> {
-        display_name: name,
+    let request = FidoAssertionRequestBuilder::default()
-    }
+        .rp_id(RP_ID)
-}
+        .credentials(credentials)
-
+        .build()
-pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
+        .unwrap();
-    let mut errs = Vec::new();
+    let get_assertion = |device: &mut FidoDevice| {
-    match get_devices()? {
+        device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
        devs => {
            for mut dev in devs.into_iter() {
                match dev
                    .make_hmac_credential_full(
                        authenticator_rp(),
                        authenticator_user(name),
                        &[0u8; 32],
                        &[],
                        authenticator_options(),
                    )
                    .map(|cred| cred.into())
                {
                    //TODO: make credentials device specific
                    Ok(cred) => {
                        return Ok(cred);
                    }
                    Err(e) => {
                        errs.push(e);
                    }
                }
            }
        }
    }
    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
 }
 pub fn perform_challenge(credential_id: &[u8], salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
    let cred = FidoHmacCredential {
        id: credential_id.to_vec(),
        rp_id: RP_ID.to_string(),
    };
-    let mut errs = Vec::new();
+    let (_, (secret, _)) = request_multiple_devices(
-    match get_devices()? {
+        get_devices()?
-        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
+            .iter_mut()
-        devs => {
+            .map(|device| (device, &get_assertion)),
-            for mut dev in devs.into_iter() {
+        Some(timeout),
-                match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
+    )?;
-                    Ok(secret) => {
+    Ok(secret)
                        return Ok(secret.0);
                    }
                    Err(e) => {
                        errs.push(e);
                    }
                }
            }
        }
    }
    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
 }
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
--- a/src/error.rs
+++ b/src/error.rs
@@ -14,7 +14,9 @@ pub enum Fido2LuksError {
    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
    NoAuthenticatorError,
    #[fail(display = "luks err")]
-    LuksError { cause: cryptsetup_rs::device::Error },
+    LuksError {
        cause: libcryptsetup_rs::LibcryptErr,
    },
    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
    IoError { cause: io::Error },
    #[fail(display = "supplied secret isn't valid for this device")]
@@ -44,6 +46,7 @@ pub enum AskPassError {
    Mismatch,
 }
 use libcryptsetup_rs::LibcryptErr;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
@@ -53,17 +56,16 @@ impl From<FidoError> for Fido2LuksError {
    }
 }
-impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
+impl From<LibcryptErr> for Fido2LuksError {
-    fn from(e: cryptsetup_rs::device::Error) -> Self {
+    fn from(e: LibcryptErr) -> Self {
        match e {
-            cryptsetup_rs::device::Error::CryptsetupError(error_no) if error_no.0 == 1i32 => {
+            LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                WrongSecret
            }
-            e => LuksError { cause: e },
+            _ => LuksError { cause: e },
        }
    }
 }
 impl From<io::Error> for Fido2LuksError {
    fn from(e: io::Error) -> Self {
        IoError { cause: e }
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -0,0 +1,83 @@
 use crate::error::*;
 use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
 use std::path::Path;
 fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
    let mut device = CryptInit::init(path.as_ref())?;
    //TODO: determine luks version some way other way than just trying
    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
        .into_iter()
        .fold(None, |res, format| match res {
            Some(Ok(())) => res,
            Some(e) => Some(e.or(load(format))),
            None => Some(load(format)),
        })
        .unwrap()?;
    Ok(device)
 }
 pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
    let mut device = load_device_handle(path)?;
    device
        .activate_handle()
        .activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty())
        .map(|_slot| ())
        .map_err(|_e| Fido2LuksError::WrongSecret)
 }
 pub fn add_key<P: AsRef<Path>>(
    path: P,
    secret: &[u8],
    old_secret: &[u8],
    iteration_time: Option<u64>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    let slot = device
        .keyslot_handle(None)
        .add_by_passphrase(old_secret, secret)?;
    Ok(slot)
 }
 pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    let mut handle;
    let mut destroyed = 0;
    //TODO: detect how many keyslots there are instead of trying within a given range
    for slot in 0..1024 {
        handle = device.keyslot_handle(Some(slot));
        match handle.status()? {
            KeyslotInfo::Inactive => continue,
            KeyslotInfo::Active if !exclude.contains(&slot) => {
                handle.destroy()?;
                destroyed += 1;
            }
            _ => (),
        }
        match handle.status()? {
            KeyslotInfo::ActiveLast => break,
            _ => (),
        }
    }
    Ok(destroyed)
 }
 pub fn replace_key<P: AsRef<Path>>(
    path: P,
    secret: &[u8],
    old_secret: &[u8],
    iteration_time: Option<u64>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    // Set iteration time not sure wether this applies to luks2 as well
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    Ok(device
        .keyslot_handle(None)
        .change_by_passphrase(None, None, old_secret, secret)? as u32)
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -5,9 +5,6 @@ use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
 use crate::error::*;
 use cryptsetup_rs as luks;
 use cryptsetup_rs::Luks1CryptDevice;
 use std::io;
 use std::path::PathBuf;
 use std::process::exit;
@@ -16,14 +13,9 @@ mod cli;
 mod config;
 mod device;
 mod error;
 mod luks;
 mod util;
 fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
    let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
    let _slot = handle.activate(name, &secret[..])?;
    Ok(())
 }
 fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
    util::sha256(&[salt, hmac_result])
 }
Author	SHA1	Message	Date
shimun	b94f45d1ff	patch secret_gen before obtaing first secret	2020-04-06 23:33:41 +02:00
shimun	c8fb636846	mention clang build dependency	2020-04-06 22:52:15 +02:00
shimun	49e2835f60	enable fido requests to be sent to multiple devices at once	2020-04-06 21:38:11 +02:00
shimun	d5c0d48f03	allow another fido device to be used as previous secret	2020-04-06 20:18:00 +02:00
shimun	ad2451f548	add timeout	2020-04-05 23:24:18 +02:00
shimun	bb7ee7c1ce	request password only once if possible	2020-04-03 22:02:05 +02:00
shimun	0ba77963d2	update ctap_hmac	2020-04-02 17:22:15 +02:00
shimun	1658800553	request_multiple	2020-04-01 20:24:49 +02:00
shimun	a394b7d1d1	libcryptsetup-rs patch	2020-03-28 14:54:36 +01:00
shimun	c99d7f562d	support luks2	2020-03-27 20:08:54 +01:00
shimun	c4f781e6e3	only process keyslots within a given range	2020-03-27 20:03:42 +01:00
shimun	f6de4a033e	more detailed messages	2020-03-27 18:28:33 +01:00
shimun	f5880346b9	switch to libcryptsetup-rs	2020-03-27 18:09:38 +01:00
shimun	6089b254b4	switch to libcryptsetup-rs for luks2 support	2020-03-22 17:39:44 +01:00