0.2.3

use await-dev per default
update & tidy readme
2020-01-20 22:43:06 +01:00 · 2020-01-16 19:41:59 +01:00 · 2020-01-15 16:46:15 +01:00 · 2020-01-13 23:23:45 +01:00 · 2020-01-13 21:54:09 +01:00 · 2020-01-13 17:44:51 +01:00
10 changed files with 264 additions and 75 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -115,15 +115,25 @@ dependencies = [
 "uuid 0.7.4 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "csv-core"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "ctap_hmac"
-version = "0.1.1"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "csv-core 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
 "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
 "failure_derive 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)",
 "num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
 "rand 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -173,15 +183,15 @@ dependencies = [

 [[package]]
 name = "fido2luks"
-version = "0.2.1"
+version = "0.2.3"
 dependencies = [
 "cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
- "ctap_hmac 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ctap_hmac 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
 "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ring 0.13.5 (registry+https://github.com/rust-lang/crates.io-index)",
 "rpassword 4.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
- "rust-crypto 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
 "structopt 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

@@ -208,6 +218,11 @@ name = "hex"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"

+[[package]]
+name = "hex"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "lazy_static"
 version = "1.4.0"
@@ -235,6 +250,14 @@ dependencies = [
 "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
 ]

+[[package]]
+name = "memchr"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "num-derive"
 version = "0.2.5"
@@ -619,7 +642,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum clap 2.33.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
 "checksum cloudabi 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f"
 "checksum cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8b1eb6abff80fdc7b52c37b3e58f5a4cbda78bffc01ac7b02c1296552a07028a"
-"checksum ctap_hmac 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "4f91b9400ac9c99e3280065f5bfd6eb7f0a9bb737a7fd166fda4153338e115e3"
+"checksum csv-core 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "9b5cadb6b25c77aeff80ba701712494213f4a8418fcda2ee11b6560c3ad0bf4c"
+"checksum ctap_hmac 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "4d57004228e303ed0d161f081020240d969ce18b623c3f4503645e1a06b42ae7"
 "checksum errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)" = "c2a071601ed01b988f896ab14b95e67335d1eeb50190932a1320f7fe3cadc84e"
 "checksum errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "14ca354e36190500e1e1fb267c647932382b54053c50b14970856c0b00a35067"
 "checksum failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "795bd83d3abeb9220f257e597aa0080a508b27533824adf336529648f6abf7e2"
@@ -628,10 +652,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum gcc 0.3.55 (registry+https://github.com/rust-lang/crates.io-index)" = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 "checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
 "checksum hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
+"checksum hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "023b39be39e3a2da62a94feb433e91e8bcd37676fbc8bea371daf52b7a769a3e"
 "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 "checksum libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)" = "34fcd2c08d2f832f376f4173a231990fa5aef4e99fb569867318a227ef4c06ba"
 "checksum libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f8cab37dfc7316ea263a42ffa51b4b75c9022538576350d7a416de697384f596"
 "checksum log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)" = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
+"checksum memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "88579771288728879b57485cc7d6b07d648c9f0141eb955f8ab7f9d45394468e"
 "checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
 "checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"
 "checksum pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)" = "72d5370d90f49f70bd033c3d75e87fc529fbfff9d6f7cccef07d6170079d91ea"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.1"
+version = "0.2.3"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"

@@ -14,14 +14,13 @@ categories = ["command-line-utilities"]
 license-file = "LICENSE"

 [dependencies]
-#ctap = "0.1.0"
-ctap_hmac = "0.1.1"
+ctap_hmac = "0.2.1"
 cryptsetup-rs = "0.2.1"
 libcryptsetup-sys = "0.1.2"


 hex = "0.3.2"
-rust-crypto = "0.2.36"
+ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 This will allow you to unlock your luks encrypted disk with an fido2 compatible key

-Note: This has only been tested under Fedora 30 using a Solo Key
+Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T

 ## Setup

@@ -17,18 +17,22 @@ dnf install cargo cryptsetup-devel -y
 ```
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks

-#Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
-CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
+# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
+sudo -E cargo install -f --path . --root /usr

-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
+# Copy template
+cp dracut/96luks-2fa/fido2luks.conf /etc/
+# Name is optional but useful if your authenticator has a display
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf

+# Load config into env
 set -a
-. dracut/96luks-2fa/fido2luks.conf
+. /etc/fido2luks.conf

-#Repeat for each luks volume
+# Repeat for each luks volume
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>

-#Test(only works if the luks container isn't active)
+# Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>

 ```
@@ -45,13 +49,13 @@ sudo make install

 Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub

-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
+Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`

 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```

-I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system

 ```
 mkdir /boot/fido2luks/
@@ -61,12 +65,12 @@ cp /etc/fido2luks.conf /boot/fido2luks/

 ## Test

-Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
+Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:

 ```
-#Recommend in case you lose your authenticator, store this backupfile somewhere safe
+# Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
-#There is no turning back if you mess this up, make sure you made a backup
+# There is no turning back if you mess this up, make sure you made a backup
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```

@@ -74,9 +78,10 @@ fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>

 ### Password less

-Remove your previous secret as described in the next section, incase you already added one.
+Remove your previous secret as described in the next section, in case you've already added one.

 Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
+but be warned that this password will be included to into your initramfs.

 Import the new config into env:

@@ -96,5 +101,5 @@ set -a
 . fido2luks.conf
 sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>

-sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
--- a/dracut/96luks-2fa/luks-2fa-generator.sh
+++ b/dracut/96luks-2fa/luks-2fa-generator.sh
@@ -9,7 +9,7 @@ MOUNT=$(command -v mount)
 UMOUNT=$(command -v umount)

 TIMEOUT=120
-CON_MSG="Please connect your authenicator"
+CON_MSG="Please connect your authenticator"

 generate_service () {
        local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
@@ -19,6 +19,10 @@ generate_service () {

        local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service"
        local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service"
+        local fido2luks_args="--bin"
+        if [ ! -z "$timeout" ]; then
+          fido2luks_args="$fido2luks_args --await-dev ${timeout}"
+        fi
        {
                printf -- "[Unit]"
                printf -- "\nDescription=%s" "2fa for luks"
@@ -27,18 +31,15 @@ generate_service () {
                printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
                printf -- "\nConflicts=umount.target"
                printf -- "\nDefaultDependencies=no"
-                printf -- "\nJobTimeoutSec=%s" "$timeout"
-
+                [ ! -z "$timeout" ] && printf -- "\nJobTimeoutSec=%s" "$timeout"
                printf -- "\n\n[Service]"
                printf -- "\nType=oneshot"
                printf -- "\nRemainAfterExit=yes"
                printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
-                printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
+                [ ! -z "$credential_id" ] && printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
                printf -- "\nKeyringMode=%s" "shared"
 		            printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
-		            printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\""
-		            printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
-                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
+                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret $fido2luks_args | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
                printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
        } > "$sd_service"

--- a/src/cli.rs
+++ b/src/cli.rs
@@ -8,9 +8,15 @@ use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
 use libcryptsetup_sys::crypt_keyslot_info;
 use structopt::StructOpt;

+use failure::_core::fmt::{Error, Formatter};
+use failure::_core::str::FromStr;
+use failure::_core::time::Duration;
 use std::io::Write;
-use std::process::exit;

+use std::process::exit;
+use std::thread;
+
+use std::time::SystemTime;
 pub fn add_key_to_luks(
    device: PathBuf,
    secret: &[u8; 32],
@@ -70,8 +76,21 @@ pub fn add_password_to_luks(
    Ok(slot)
 }

-pub fn authenticator_connected() -> Fido2LuksResult<bool> {
-    Ok(!device::get_devices()?.is_empty())
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct HexEncoded(Vec<u8>);
+
+impl std::fmt::Display for HexEncoded {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        f.write_str(&hex::encode(&self.0))
+    }
+}
+
+impl FromStr for HexEncoded {
+    type Err = hex::FromHexError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(HexEncoded(hex::decode(s)?))
+    }
 }

 #[derive(Debug, StructOpt)]
@@ -87,11 +106,11 @@ pub struct Args {
 pub struct SecretGeneration {
    /// FIDO credential id, generate using fido2luks credential
    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
-    pub credential_id: String,
+    pub credential_id: HexEncoded,
    /// Salt for secret generation, defaults to 'ask'
    ///
    /// Options:{n}
-    ///  - ask              : Promt user using password helper{n}
+    ///  - ask              : Prompt user using password helper{n}
    ///  - file:<PATH>      : Will read <FILE>{n}
    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
    #[structopt(
@@ -105,9 +124,18 @@ pub struct SecretGeneration {
    #[structopt(
        name = "password-helper",
        env = "FIDO2LUKS_PASSWORD_HELPER",
-        default_value = "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
    )]
    pub password_helper: PasswordHelper,
+
+    /// Await for an authenticator to be connected, timeout after n seconds
+    #[structopt(
+        long = "await-dev",
+        name = "await-dev",
+        env = "FIDO2LUKS_DEVICE_AWAIT",
+        default_value = "15"
+    )]
+    pub await_authenticator: u64,
 }

 impl SecretGeneration {
@@ -121,8 +149,23 @@ impl SecretGeneration {

    pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
        let salt = self.salt.obtain(&self.password_helper)?;
+        let timeout = Duration::from_secs(self.await_authenticator);
+        let start = SystemTime::now();
+
+        while let Ok(el) = start.elapsed() {
+            if el > timeout {
+                Err(error::Fido2LuksError::NoAuthenticatorError)?;
+            }
+            if get_devices()
+                .map(|devices| !devices.is_empty())
+                .unwrap_or(false)
+            {
+                break;
+            }
+            thread::sleep(Duration::from_millis(500));
+        }
        Ok(assemble_secret(
-            &perform_challenge(&self.credential_id, &salt)?,
+            &perform_challenge(&self.credential_id.0, &salt)?,
            &salt,
        ))
    }
@@ -146,13 +189,12 @@ pub enum Command {
        /// Will wipe all other keys
        #[structopt(short = "e", long = "exclusive")]
        exclusive: bool,
-        /// Use a keyfile instead of a password
+        /// Use a keyfile instead of typing a previous password
        #[structopt(short = "d", long = "keyfile")]
        keyfile: Option<PathBuf>,
        #[structopt(flatten)]
        secret_gen: SecretGeneration,
    },
-
    /// Replace a previously added key with a password
    #[structopt(name = "replace-key")]
    ReplaceKey {
@@ -161,7 +203,7 @@ pub enum Command {
        /// Add the password and keep the key
        #[structopt(short = "a", long = "add-password")]
        add_password: bool,
-        /// Use a keyfile instead of a password
+        /// Use a keyfile instead of typing a previous password
        #[structopt(short = "d", long = "keyfile")]
        keyfile: Option<PathBuf>,
        #[structopt(flatten)]
@@ -174,12 +216,18 @@ pub enum Command {
        device: PathBuf,
        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
        name: String,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
        #[structopt(flatten)]
        secret_gen: SecretGeneration,
    },
    /// Generate a new FIDO credential
    #[structopt(name = "credential")]
-    Credential,
+    Credential {
+        /// Name to be displayed on the authenticator if it has a display
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
+        name: Option<String>,
+    },
    /// Check if an authenticator is connected
    #[structopt(name = "connected")]
    Connected,
@@ -193,8 +241,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
    let mut stdout = io::stdout();
    let args = parse_cmdline();
    match &args.command {
-        Command::Credential => {
-            let cred = make_credential_id()?;
+        Command::Credential { name } => {
+            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?;
            println!("{}", hex::encode(&cred.id));
            Ok(())
        }
@@ -265,10 +313,24 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        Command::Open {
            device,
            name,
+            retries,
            ref secret_gen,
        } => {
+            let mut retries = *retries;
+            loop {
                let secret = secret_gen.patch(&args).obtain_secret()?;
-            open_container(&device, &name, &secret)
+                match open_container(&device, &name, &secret) {
+                    Err(e) => match e {
+                        Fido2LuksError::WrongSecret if retries > 0 => {
+                            retries -= 1;
+                            eprintln!("{}", e);
+                            continue;
+                        }
+                        e => Err(e)?,
+                    },
+                    res => break res,
+                }
+            }
        }
        Command::Connected => match get_devices() {
            Ok(ref devs) if !devs.is_empty() => {
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,7 +1,6 @@
 use crate::error::*;
 use crate::*;
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
+use ring::digest;

 use std::fmt;
 use std::fs::File;
@@ -57,7 +56,7 @@ impl fmt::Display for InputSalt {

 impl InputSalt {
    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
-        let mut digest = Sha256::new();
+        let mut digest = digest::Context::new(&digest::SHA256);
        match self {
            InputSalt::File { path } => {
                let mut do_io = || {
@@ -65,7 +64,7 @@ impl InputSalt {
                    let mut buf = [0u8; 512];
                    loop {
                        let red = reader.read(&mut buf)?;
-                        digest.input(&buf[0..red]);
+                        digest.update(&buf[0..red]);
                        if red == 0 {
                            break;
                        }
@@ -75,12 +74,12 @@ impl InputSalt {
                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
            }
            InputSalt::AskPassword => {
-                digest.input(password_helper.obtain()?.as_bytes());
+                digest.update(password_helper.obtain()?.as_bytes());
            }
-            InputSalt::String(s) => digest.input(s.as_bytes()),
+            InputSalt::String(s) => digest.update(s.as_bytes()),
        }
        let mut salt = [0u8; 32];
-        digest.result(&mut salt);
+        salt.as_mut().copy_from_slice(digest.finish().as_ref());
        Ok(salt)
    }
 }
@@ -95,7 +94,7 @@ pub enum PasswordHelper {
 impl Default for PasswordHelper {
    fn default() -> Self {
        PasswordHelper::Script(
-            "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+            "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
                .into(),
        )
    }
@@ -170,4 +169,17 @@ mod test {
        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
    }
+
+    #[test]
+    fn input_salt_obtain() {
+        assert_eq!(
+            InputSalt::String("abc".into())
+                .obtain(&PasswordHelper::Stdin)
+                .unwrap(),
+            [
+                186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
+                163, 150, 23, 122, 156, 180, 16, 255, 97, 242, 0, 21, 173
+            ]
+        )
+    }
 }
--- a/src/device.rs
+++ b/src/device.rs
@@ -1,16 +1,56 @@
 use crate::error::*;
+use crate::util::sha256;

-use ctap;
-use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
-use ctap::{FidoDevice, FidoError, FidoErrorKind};
+use ctap::{
+    self,
+    extensions::hmac::{FidoHmacCredential, HmacExtension},
+    AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
+    PublicKeyCredentialUserEntity,
+};

-pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
+const RP_ID: &'static str = "fido2luks";
+
+fn authenticator_options() -> Option<AuthenticatorOptions> {
+    Some(AuthenticatorOptions {
+        uv: false, //TODO: should get this from config
+        rk: true,
+    })
+}
+
+fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
+    PublicKeyCredentialRpEntity {
+        id: RP_ID,
+        name: None,
+        icon: None,
+    }
+}
+
+fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
+    PublicKeyCredentialUserEntity {
+        id: &[0u8],
+        name: name.unwrap_or(""),
+        icon: None,
+        display_name: name,
+    }
+}
+
+pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
    let mut errs = Vec::new();
    match get_devices()? {
        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
        devs => {
            for mut dev in devs.into_iter() {
-                match dev.make_hmac_credential() {
+                match dev
+                    .make_hmac_credential_full(
+                        authenticator_rp(),
+                        authenticator_user(name),
+                        &[0u8; 32],
+                        &[],
+                        authenticator_options(),
+                    )
+                    .map(|cred| cred.into())
+                {
+                    //TODO: make credentials device specific
                    Ok(cred) => {
                        return Ok(cred);
                    }
@@ -24,19 +64,19 @@ pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
 }

-pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
+pub fn perform_challenge(credential_id: &[u8], salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
    let cred = FidoHmacCredential {
-        id: hex::decode(credential_id).unwrap(),
-        rp_id: "hmac".to_string(),
+        id: credential_id.to_vec(),
+        rp_id: RP_ID.to_string(),
    };
    let mut errs = Vec::new();
    match get_devices()? {
        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
        devs => {
            for mut dev in devs.into_iter() {
-                match dev.hmac_challange(&cred, &salt[..]) {
+                match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
                    Ok(secret) => {
-                        return Ok(secret);
+                        return Ok(secret.0);
                    }
                    Err(e) => {
                        errs.push(e);
--- a/src/error.rs
+++ b/src/error.rs
@@ -11,11 +11,11 @@ pub enum Fido2LuksError {
    KeyfileError { cause: io::Error },
    #[fail(display = "authenticator error: {}", cause)]
    AuthenticatorError { cause: ctap::FidoError },
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
    NoAuthenticatorError,
    #[fail(display = "luks err")]
    LuksError { cause: cryptsetup_rs::device::Error },
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
    IoError { cause: io::Error },
    #[fail(display = "supplied secret isn't valid for this device")]
    WrongSecret,
@@ -23,6 +23,19 @@ pub enum Fido2LuksError {
    StringEncodingError { cause: FromUtf8Error },
 }

+impl Fido2LuksError {
+    pub fn exit_code(&self) -> i32 {
+        use Fido2LuksError::*;
+        match self {
+            AskPassError { .. } | KeyfileError { .. } => 2,
+            AuthenticatorError { .. } => 3,
+            NoAuthenticatorError => 4,
+            WrongSecret => 5,
+            _ => 1,
+        }
+    }
+}
+
 #[derive(Debug, Fail)]
 pub enum AskPassError {
    #[fail(display = "unable to retrieve password: {}", _0)]
--- a/src/main.rs
+++ b/src/main.rs
@@ -5,13 +5,12 @@ use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
 use crate::error::*;
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
 use cryptsetup_rs as luks;
 use cryptsetup_rs::Luks1CryptDevice;

-use std::io::{self};
+use std::io;
 use std::path::PathBuf;
+use std::process::exit;

 mod cli;
 mod config;
@@ -26,14 +25,35 @@ fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksR
 }

 fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
-    let mut digest = Sha256::new();
-    digest.input(salt);
-    digest.input(hmac_result);
-    let mut secret = [0u8; 32];
-    digest.result(&mut secret);
-    secret
+    util::sha256(&[salt, hmac_result])
 }

 fn main() -> Fido2LuksResult<()> {
-    run_cli()
+    match run_cli() {
+        Err(e) => {
+            #[cfg(debug_assertions)]
+            eprintln!("{:?}", e);
+            #[cfg(not(debug_assertions))]
+            eprintln!("{}", e);
+            exit(e.exit_code())
+        }
+        _ => exit(0),
+    }
+}
+
+#[cfg(test)]
+mod test {
+
+    use super::*;
+
+    #[test]
+    fn test_assemble_secret() {
+        assert_eq!(
+            assemble_secret(b"abc", b"def"),
+            [
+                46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
+                33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
+            ]
+        )
+    }
 }
--- a/src/util.rs
+++ b/src/util.rs
@@ -1,8 +1,19 @@
 use crate::error::*;
+use ring::digest;
 use std::fs::File;
 use std::io::Read;
 use std::path::PathBuf;

+pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
+    let mut digest = digest::Context::new(&digest::SHA256);
+    for m in messages.iter() {
+        digest.update(m);
+    }
+    let mut secret = [0u8; 32];
+    secret.as_mut().copy_from_slice(digest.finish().as_ref());
+    secret
+}
+
 pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
        ref pass
Author	SHA1	Message	Date
shimun	03e34ec790	0.2.3 Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is failing Details	2020-01-20 22:43:06 +01:00
shimun	a437106fcb	use await-dev per default All checks were successful continuous-integration/drone/push Build is passing Details	2020-01-16 19:41:59 +01:00
shimun	7ed948d53b	update & tidy readme All checks were successful continuous-integration/drone/push Build is passing Details	2020-01-15 16:46:15 +01:00
shimun	c4e08413c0	Added --await-dev flag All checks were successful continuous-integration/drone/push Build is passing Details	2020-01-13 23:23:45 +01:00
shimunn	7429706920	Merge pull request #7 from mmahut/patch-1 All checks were successful continuous-integration/drone/push Build is passing Details error.rs: typo	2020-01-13 21:54:09 +01:00
Marek Mahut	a5fd5fa9f6	error.rs: typo	2020-01-13 17:44:51 +01:00
shimun	659fafdfb4	update to 0.2.2 Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is failing Details	2020-01-10 21:44:33 +01:00
shimun	7f2668eded	allow for named credentials	2020-01-10 21:32:39 +01:00
shimunn	ae714cdef3	Merge pull request #6 from mmahut/fixid All checks were successful continuous-integration/drone/push Build is passing Details match rp_id to fido2luks	2020-01-10 19:47:31 +01:00
shimunn	ae802e5e71	Merge pull request #5 from mmahut/env use password helper in modified environments	2020-01-10 19:47:01 +01:00
Marek Mahut	a5f0444d24	match rp_id to fido2luks	2020-01-10 17:13:56 +01:00
Marek Mahut	a307d87d88	use password helper in modified environments	2020-01-10 16:52:22 +01:00
shimun	721dded6d2	WIP: 0.2.2 All checks were successful continuous-integration/drone/push Build is passing Details Warning: This release cointains changes to way credentials are generated, which may cause your authenticator to reject the old credential.	2020-01-09 22:22:54 +01:00
Shimun	e7049a281a	Use fido2luks as rp_id instead if default hmac, consider making All checks were successful continuous-integration/drone/push Build is passing Details credenials device specific	2020-01-02 15:35:32 +01:00
shimun	5d1c7beb4d	added flag to retry open command All checks were successful continuous-integration/drone/push Build is passing Details	2019-10-12 22:46:54 +02:00
shimun	2bac911b32	assigned exit codes to error cases	2019-10-12 22:46:20 +02:00
shimun	9a8ea993b5	fmt All checks were successful continuous-integration/drone/push Build is passing Details	2019-10-12 13:40:24 +02:00
shimunn	7eb9dcc928	Merge pull request #2 from jannic/add-test-cases Some checks failed continuous-integration/drone/push Build is failing Details Add test case for hash calculations	2019-10-12 13:24:33 +02:00
shimunn	509e300a8f	Merge pull request #1 from jannic/port-to-ring Use ring for sha256 calculation	2019-10-12 13:24:18 +02:00
Jan Niehusmann	42945956a6	Add test case for hash calculations While replacing the implementation of sha256, I noticed that there is no test case actually calling the hash calculations. Added two such test cases. Please note that I didn't verify that the result is correct, but just took the value the existing implementation returned. So those tests will only catch future regressions.	2019-10-11 22:15:21 +00:00
Jan Niehusmann	3cf5ccf2a0	Use ring for sha256 calculation According to https://rustsec.org/advisories/RUSTSEC-2016-0005.html, rust-crypto is unmaintained. Crates depending on rust-crypto should be ported to other crates. This port replaces rust-crypto with the sha2 implementation of ring, as fido2luks already depends on it via ctap_hmac. Note that it uses an old version of ring, so I used the same version, here.	2019-10-11 22:06:00 +00:00