add nix flake

Obvious password promt (#29 )
* obvious password promt * prompt interaction with FIDO device
2021-02-08 16:06:56 +01:00 · 2021-02-08 15:58:41 +01:00 · 2020-11-17 13:05:45 +01:00 · 2020-11-01 21:18:13 +01:00 · 2020-11-01 18:21:04 +01:00 · 2020-10-13 14:17:22 +02:00
11 changed files with 439 additions and 70 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,6 @@
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
-fido2luks.zsh
+fido2luks.zsh
+result
+result-*
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -52,9 +52,9 @@ checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2"

 [[package]]
 name = "autocfg"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
+checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"

 [[package]]
 name = "backtrace"
@@ -72,9 +72,9 @@ dependencies = [

 [[package]]
 name = "bindgen"
-version = "0.54.1"
+version = "0.54.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4d49b80beb70d76cdac92f5681e666f9a697c737c4f4117a67229a0386dc736"
+checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
 dependencies = [
 "bitflags",
 "cexpr",
@@ -86,7 +86,7 @@ dependencies = [
 "lazycell",
 "log",
 "peeking_take_while",
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
 "regex",
 "rustc-hash",
@@ -118,9 +118,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.0.58"
+version = "1.0.59"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f9a06fb2e53271d7c279ec1efea6ab691c35a2ae67ec0d91d7acec0caf13b518"
+checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"

 [[package]]
 name = "cexpr"
@@ -150,9 +150,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "2.33.2"
+version = "2.33.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10040cdf04294b565d9e0319955430099ec3813a64c952b86a41200ad714ae48"
+checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
 dependencies = [
 "ansi_term",
 "atty",
@@ -188,12 +188,12 @@ dependencies = [

 [[package]]
 name = "crossbeam-channel"
-version = "0.4.3"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09ee0cc8804d5393478d743b035099520087a5186f3b93fa58cec08fa62407b6"
+checksum = "b153fe7cbef478c567df0f972e02e6d736db11affe43dfc9c56a9374d1adfb87"
 dependencies = [
- "cfg-if",
 "crossbeam-utils",
+ "maybe-uninit",
 ]

 [[package]]
@@ -213,7 +213,7 @@ version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 "cfg-if",
 "crossbeam-utils",
 "lazy_static",
@@ -239,7 +239,7 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 "cfg-if",
 "lazy_static",
 ]
@@ -292,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
 "fnv",
 "ident_case",
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
 "strsim 0.9.3",
- "syn 1.0.38",
+ "syn 1.0.40",
 ]

 [[package]]
@@ -306,7 +306,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
 "darling_core",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 ]

 [[package]]
@@ -317,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
 "darling",
 "derive_builder_core",
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 ]

 [[package]]
@@ -329,9 +329,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
 "darling",
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 ]

 [[package]]
@@ -369,15 +369,15 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 "synstructure",
 ]

 [[package]]
 name = "fido2luks"
-version = "0.2.13"
+version = "0.2.16"
 dependencies = [
 "ctap_hmac",
 "failure",
@@ -474,15 +474,15 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"

 [[package]]
 name = "lazycell"
-version = "1.2.1"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
+checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"

 [[package]]
 name = "libc"
-version = "0.2.74"
+version = "0.2.76"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10"
+checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"

 [[package]]
 name = "libcryptsetup-rs"
@@ -548,14 +548,14 @@ version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 ]

 [[package]]
 name = "miniz_oxide"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be0f75932c1f6cfae3c04000e40114adf955636e19040f9c0a2c380702aa1c7f"
+checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
 dependencies = [
 "adler",
 ]
@@ -587,7 +587,7 @@ version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 ]

 [[package]]
@@ -615,9 +615,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
 "proc-macro-error-attr",
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 "version_check",
 ]

@@ -627,7 +627,7 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
 "version_check",
 ]
@@ -643,9 +643,9 @@ dependencies = [

 [[package]]
 name = "proc-macro2"
-version = "1.0.19"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04f5f085b5d71e2188cb8271e5da0161ad52c3f227a661a3c135fdf28e258b12"
+checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
 dependencies = [
 "unicode-xid 0.2.1",
 ]
@@ -671,7 +671,7 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
 dependencies = [
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 ]

 [[package]]
@@ -922,9 +922,9 @@ version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
 dependencies = [
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 ]

 [[package]]
@@ -958,9 +958,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"

 [[package]]
 name = "structopt"
-version = "0.3.16"
+version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "de5472fb24d7e80ae84a7801b7978f95a19ec32cb1876faea59ab711eb901976"
+checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
 dependencies = [
 "clap",
 "lazy_static",
@@ -969,15 +969,15 @@ dependencies = [

 [[package]]
 name = "structopt-derive"
-version = "0.4.9"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e0eb37335aeeebe51be42e2dc07f031163fbabfa6ac67d7ea68b5c2f68d5f99"
+checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
 dependencies = [
 "heck",
 "proc-macro-error",
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 ]

 [[package]]
@@ -993,11 +993,11 @@ dependencies = [

 [[package]]
 name = "syn"
-version = "1.0.38"
+version = "1.0.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e69abc24912995b3038597a7a593be5053eb0fb44f3cc5beec0deb421790c1f4"
+checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
 dependencies = [
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
 "unicode-xid 0.2.1",
 ]
@@ -1008,9 +1008,9 @@ version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
 dependencies = [
- "proc-macro2 1.0.19",
+ "proc-macro2 1.0.20",
 "quote 1.0.7",
- "syn 1.0.38",
+ "syn 1.0.40",
 "unicode-xid 0.2.1",
 ]

@@ -1043,11 +1043,12 @@ dependencies = [

 [[package]]
 name = "time"
-version = "0.1.43"
+version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
+checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
 dependencies = [
 "libc",
+ "wasi",
 "winapi",
 ]

@@ -1102,6 +1103,12 @@ version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"

+[[package]]
+name = "wasi"
+version = "0.10.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+
 [[package]]
 name = "which"
 version = "3.1.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.13"
+version = "0.2.16"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"

@@ -48,6 +48,7 @@ extended-description = "Decrypt your LUKS partition using a FIDO2 compatible aut
 assets = [
    ["target/release/fido2luks", "usr/bin/", "755"],
    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
+    ["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
--- a/3
+++ b/3
@@ -21,5 +21,6 @@ build() {

 package() {
    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
-    install -Dm 644 fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+    install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
+    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
 }
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.

-Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))

 ## Setup

--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1612192764,
+        "narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
+        "owner": "nmattia",
+        "repo": "naersk",
+        "rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nmattia",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1611910458,
+        "narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
+        "path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
+        "rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
+        "type": "path"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1610051610,
+        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,61 @@
+{
+  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
+
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    naersk = {
+      url = "github:nmattia/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    let
+      root = ./.;
+      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
+      forPkgs = pkgs:
+        let
+          naersk-lib = naersk.lib."${pkgs.system}";
+          buildInputs = with pkgs; [ cryptsetup ];
+          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
+          nativeBuildInputs = with pkgs; [
+            pkgconfig
+            clang
+          ];
+        in
+        rec {
+          # `nix build`
+          packages.${pname} = naersk-lib.buildPackage {
+            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
+          };
+          defaultPackage = packages.${pname};
+
+          # `nix run`
+          apps.${pname} = utils.lib.mkApp {
+            drv = packages.${pname};
+          };
+          defaultApp = apps.${pname};
+
+          # `nix flake check`
+          checks = {
+            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
+              cd ${root}
+              cargo fmt -- --check
+              nixpkgs-fmt --check *.nix
+              touch $out
+            '';
+          };
+
+          # `nix develop`
+          devShell = pkgs.mkShell {
+            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
+            inherit buildInputs LIBCLANG_PATH;
+          };
+        };
+      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
+    in
+    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
+      overlay = final: prev: (forPkgs final).packages;
+    };
+
+}
--- a/initramfs-tools/keyscript.sh
+++ b/initramfs-tools/keyscript.sh
@@ -7,4 +7,8 @@ if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
 fi

+if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
+	export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
+fi
+
 fido2luks print-secret --bin
--- a/pam_mount/fido2luksmounthelper.sh
+++ b/pam_mount/fido2luksmounthelper.sh
@@ -0,0 +1,220 @@
+#!/bin/bash
+#
+# This is a rather minimal example Argbash potential
+# Example taken from http://argbash.readthedocs.io/en/stable/example.html
+#
+# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
+# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
+# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
+# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
+# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
+# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
+# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
+# ARGBASH_GO()
+# needed because of Argbash --> m4_ignore([
+### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
+# Argbash is a bash code generator used to get arguments parsing right.
+# Argbash is FREE SOFTWARE, see https://argbash.io for more info
+# Generated online by https://argbash.io/generate
+
+
+die()
+{
+	local _ret="${2:-1}"
+	test "${_PRINT_HELP:-no}" = yes && print_help >&2
+	echo "$1" >&2
+	exit "${_ret}"
+}
+
+
+begins_with_short_option()
+{
+	local first_option all_short_options='cdmash'
+	first_option="${1:0:1}"
+	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
+}
+
+# THE DEFAULTS INITIALIZATION - POSITIONALS
+_positionals=()
+# THE DEFAULTS INITIALIZATION - OPTIONALS
+_arg_credentials_type=
+_arg_device=
+_arg_mount_point=
+_arg_ask_pin="off"
+_arg_salt=""
+
+
+print_help()
+{
+	printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
+	printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
+	printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
+	printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
+	printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
+	printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
+	printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
+	printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
+	printf '\t%s\n' "-h, --help: Prints help"
+}
+
+
+parse_commandline()
+{
+	_positionals_count=0
+	while test $# -gt 0
+	do
+		_key="$1"
+		case "$_key" in
+			-c|--credentials-type)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_credentials_type="$2"
+				shift
+				;;
+			--credentials-type=*)
+				_arg_credentials_type="${_key##--credentials-type=}"
+				;;
+			-c*)
+				_arg_credentials_type="${_key##-c}"
+				;;
+			-d|--device)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_device="$2"
+				shift
+				;;
+			--device=*)
+				_arg_device="${_key##--device=}"
+				;;
+			-d*)
+				_arg_device="${_key##-d}"
+				;;
+			-m|--mount-point)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_mount_point="$2"
+				shift
+				;;
+			--mount-point=*)
+				_arg_mount_point="${_key##--mount-point=}"
+				;;
+			-m*)
+				_arg_mount_point="${_key##-m}"
+				;;
+			-a|--no-ask-pin|--ask-pin)
+				_arg_ask_pin="on"
+				test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
+				;;
+			-a*)
+				_arg_ask_pin="on"
+				_next="${_key##-a}"
+				if test -n "$_next" -a "$_next" != "$_key"
+				then
+					{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
+				fi
+				;;
+			-s|--salt)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_salt="$2"
+				shift
+				;;
+			--salt=*)
+				_arg_salt="${_key##--salt=}"
+				;;
+			-s*)
+				_arg_salt="${_key##-s}"
+				;;
+			-h|--help)
+				print_help
+				exit 0
+				;;
+			-h*)
+				print_help
+				exit 0
+				;;
+			*)
+				_last_positional="$1"
+				_positionals+=("$_last_positional")
+				_positionals_count=$((_positionals_count + 1))
+				;;
+		esac
+		shift
+	done
+}
+
+
+handle_passed_args_count()
+{
+	local _required_args_string="'operation'"
+	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
+	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
+}
+
+
+assign_positional_args()
+{
+	local _positional_name _shift_for=$1
+	_positional_names="_arg_operation "
+
+	shift "$_shift_for"
+	for _positional_name in ${_positional_names}
+	do
+		test $# -gt 0 || break
+		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
+		shift
+	done
+}
+
+parse_commandline "$@"
+handle_passed_args_count
+assign_positional_args 1 "${_positionals[@]}"
+
+# OTHER STUFF GENERATED BY Argbash
+
+### END OF CODE GENERATED BY Argbash (sortof) ### ])
+# [ <-- needed because of Argbash
+
+if [ -z ${_arg_mount_point} ]; then
+  die "Missing '--mount-point' argument"
+fi
+
+if [ -z ${_arg_device} ]; then
+  die "Missing '--device' argument"
+fi
+
+ASK_PIN=${_arg_ask_pin}
+OPERATION=${_arg_operation}
+DEVICE=${_arg_device}
+DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
+MOUNT_POINT=${_arg_mount_point}
+CREDENTIALS_TYPE=${_arg_credentials_type}
+SALT=${_arg_salt}
+CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
+
+if [ "${OPERATION}" == "mount" ]; then
+	if [ "${CREDENTIALS_TYPE}" == "external" ]; then
+    if  [ -f ${CONF_FILE_PATH} ]; then
+			if [ "${ASK_PIN}" == "on" ]; then
+				read PASSWORD
+			fi
+			CREDENTIALS=$(<${CONF_FILE_PATH})
+		else
+			die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
+		fi
+		printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
+	elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
+		if [ "${ASK_PIN}" == "on" ]; then
+			read PASSWORD
+		fi
+		printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
+	else
+		die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
+	fi 
+	mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
+elif [ "${OPERATION}" == "umount" ]; then
+  umount ${MOUNT_POINT}
+  cryptsetup luksClose ${DEVICE_NAME}
+else
+  die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
+fi
+
+exit 0
+
+# ] <-- needed because of Argbash
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -25,7 +25,7 @@ fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
    if let Some(src) = ap.pin_source.as_ref() {
        let mut pin = String::new();
        File::open(src)?.read_to_string(&mut pin)?;
-        Ok(pin)
+        Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
    } else {
        util::read_password("Authenticator PIN", false)
    }
@@ -71,6 +71,12 @@ pub fn parse_cmdline() -> Args {
    Args::from_args()
 }

+pub fn prompt_interaction(interactive: bool) {
+    if interactive {
+        println!("Authorize using your FIDO device");
+    }
+}
+
 pub fn run_cli() -> Fido2LuksResult<()> {
    let mut stdout = io::stdout();
    let args = parse_cmdline();
@@ -109,6 +115,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            } else {
                secret.salt.obtain_sha256(&secret.password_helper)
            }?;
+            prompt_interaction(interactive);
            let (secret, _cred) = derive_secret(
                credentials.ids.0.as_slice(),
                &salt,
@@ -164,23 +171,27 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    } => Ok((util::read_keyfile(file)?, None)),
                    OtherSecret {
                        fido_device: true, ..
-                    } => Ok(derive_secret(
-                        &credentials.ids.0,
-                        &salt(salt_q, verify)?,
-                        authenticator.await_time,
-                        pin.as_deref(),
-                    )
-                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
+                    } => {
+                        prompt_interaction(interactive);
+                        Ok(derive_secret(
+                            &credentials.ids.0,
+                            &salt(salt_q, verify)?,
+                            authenticator.await_time,
+                            pin.as_deref(),
+                        )
+                        .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?)
+                    }
                    _ => Ok((
                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                        None,
                    )),
                }
            };
-            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+            let secret = |q: &str, verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+                prompt_interaction(interactive);
                derive_secret(
                    &credentials.ids.0,
-                    &salt("Password", verify)?,
+                    &salt(q, verify)?,
                    authenticator.await_time,
                    pin.as_deref(),
                )
@@ -190,7 +201,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            match &args.command {
                Command::AddKey { exclusive, .. } => {
                    let (existing_secret, _) = other_secret("Current password", false)?;
-                    let (new_secret, cred) = secret(true)?;
+                    let (new_secret, cred) = secret("Password to be added", true)?;
                    let added_slot = luks_dev.add_key(
                        &new_secret,
                        &existing_secret[..],
@@ -215,7 +226,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    Ok(())
                }
                Command::ReplaceKey { add_password, .. } => {
-                    let (existing_secret, _) = secret(false)?;
+                    let (existing_secret, _) = secret("Current password", false)?;
                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                    let slot = if *add_password {
                        luks_dev.add_key(
@@ -274,6 +285,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {

            // Cow shouldn't be necessary
            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
+                prompt_interaction(interactive);
                derive_secret(
                    credentials.as_ref(),
                    &salt("Password", false)?,
--- a/src/cli_args/config.rs
+++ b/src/cli_args/config.rs
@@ -198,7 +198,7 @@ mod test {
    fn input_salt_obtain() {
        assert_eq!(
            SecretInput::String("abc".into())
-                .obtain(&PasswordHelper::Stdin)
+                .obtain_sha256(&PasswordHelper::Stdin)
                .unwrap(),
            [
                186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
Author	SHA1	Message	Date
shimun	b3495c45f3	add nix flake	2021-02-08 16:06:56 +01:00
shimunn	17ca487b85	Obvious password promt (#29 ) * obvious password promt * prompt interaction with FIDO device	2021-02-08 15:58:41 +01:00
shimun	b0404f2fc1	minimum YubiKey firmware version Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-11-17 13:05:45 +01:00
shimunn	de21e3ef8d	Merge pull request #21 from aacebedo/master Added an helper script to be used with pam_mount	2020-11-01 21:18:13 +01:00
Alexandre ACEBEDO	8a7b3addbb	Added an helper script to be used with pam_mount	2020-11-01 18:21:04 +01:00
shimun	e7e44cd61b	fix test All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-13 14:17:22 +02:00
shimun	0ec859f4a6	remove trailing newline from pin Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-25 12:40:34 +02:00
shimun	55bae4161e	add credentials situated in the luks header to credential list Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-19 18:23:21 +02:00
shimun	086c1a0594	file path must be relative to src Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-05 19:35:36 +02:00
shimun	c2e38eb06f	generate shell completions during build Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is failing Details	2020-09-05 18:52:07 +02:00