add nix flake

minimum YubiKey firmware version
Merge pull request #21 from aacebedo/master
2021-02-07 14:08:11 +01:00 · 2020-11-17 13:05:45 +01:00 · 2020-11-01 21:18:13 +01:00 · 2020-11-01 18:21:04 +01:00 · 2020-10-13 14:17:22 +02:00 · 2020-09-25 12:40:34 +02:00
12 changed files with 352 additions and 258 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -12,7 +12,7 @@ steps:
   environment:
    DEBIAN_FRONTEND: noninteractive
   commands:
-    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev 
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
    - cargo test --locked
 - name: publish
   image: ubuntu:focal
@@ -22,7 +22,7 @@ steps:
     from_secret: cargo_tkn
   commands:
    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev 
    - cargo package --all-features
    - cargo publish --all-features
   when:
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,8 @@
 **/*.rs.bk
 .idea/
 *.iml
+result
 fido2luks.bash
 fido2luks.elv
 fido2luks.fish
-fido2luks.zsh
+fido2luks.zsh
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -383,14 +383,12 @@ dependencies = [
 "failure",
 "hex",
 "libcryptsetup-rs",
- "pamsm",
 "ring",
 "rpassword",
 "serde",
 "serde_derive",
 "serde_json",
 "structopt",
- "sudo",
 ]

 [[package]]
@@ -598,12 +596,6 @@ version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"

-[[package]]
-name = "pamsm"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3580ed2ebe075c74db583233318abf4b07bc8d9a40c7691d0ae9c186e19e43dd"
-
 [[package]]
 name = "peeking_take_while"
 version = "0.1.2"
@@ -988,16 +980,6 @@ dependencies = [
 "syn 1.0.40",
 ]

-[[package]]
-name = "sudo"
-version = "0.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2a88e74edf206f281aff2820aa2066c781331044c770626dcafe19491f214e05"
-dependencies = [
- "libc",
- "log",
-]
-
 [[package]]
 name = "syn"
 version = "0.15.44"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -24,8 +24,6 @@ libcryptsetup-rs = "0.4.1"
 serde_json = "1.0.51"
 serde_derive = "1.0.106"
 serde = "1.0.106"
-pamsm = { version = "0.4.1", features = ["libpam"] }
-sudo = "0.5.0"

 [build-dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -34,7 +32,6 @@ ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 libcryptsetup-rs = "0.4.1"
-pamsm = { version = "0.4.1", features = ["libpam"] }
 structopt = "0.3.2"

 [profile.release]
@@ -44,23 +41,14 @@ panic = 'abort'
 incremental = false
 overflow-checks = false

-[[bin]]
-name = "fido2luks"
-path = "src/main.rs"
-
-[lib]
-name = "fido2luks_pam"
-path = "src/lib.rs"
-crate-type = ["cdylib"]
-
 [package.metadata.deb]
 depends = "$auto, cryptsetup"
-build-depends = "libclang-dev, libcryptsetup-dev, libpam-dev"
+build-depends = "libclang-dev, libcryptsetup-dev"
 extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 assets = [
    ["target/release/fido2luks", "usr/bin/", "755"],
-    ["target/release/libfido2luks_pam.so", "usr/lib/x86_64-linux-gnu/security/pam_fido2luks.so", "755"],
    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
+    ["pam_mount/fido2luksmounthelper.sh", "usr/bin/", "755"],
    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
--- a/1
+++ b/1
@@ -21,5 +21,6 @@ build() {

 package() {
    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
+    install -Dm 755 ../pam_mount/fido2luksmounthelper.sh -t "${pkgdir}/usr/bin"
    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
 }
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.

-Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T, YubiKey(fw >= [5.2.3](https://support.yubico.com/hc/en-us/articles/360016649319-YubiKey-5-2-3-Enhancements-to-FIDO-2-Support))

 ## Setup

--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1612192764,
+        "narHash": "sha256-7EnLtZQWP6511G1ZPA7FmJlqAr3hWsAYb24tvTvJ/ec=",
+        "owner": "nmattia",
+        "repo": "naersk",
+        "rev": "6e149bfd726a8ebefa415f2d713ba6d942435abd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nmattia",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1611910458,
+        "narHash": "sha256-//j54S14v9lp3YKizS1WZW3WKwLjGTzvwhHfUAaRBPQ=",
+        "path": "/nix/store/z5g10k571cc5q9yvr0bafzswp0ggawjw-source",
+        "rev": "6e7f25001fe6874f7ae271891f709bbf50a22c45",
+        "type": "path"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1610051610,
+        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,61 @@
+{
+  description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator";
+
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    naersk = {
+      url = "github:nmattia/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    let
+      root = ./.;
+      pname = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.name;
+      forPkgs = pkgs:
+        let
+          naersk-lib = naersk.lib."${pkgs.system}";
+          buildInputs = with pkgs; [ cryptsetup ];
+          LIBCLANG_PATH = "${pkgs.clang.cc.lib}/lib";
+          nativeBuildInputs = with pkgs; [
+            pkgconfig
+            clang
+          ];
+        in
+        rec {
+          # `nix build`
+          packages.${pname} = naersk-lib.buildPackage {
+            inherit pname root buildInputs nativeBuildInputs LIBCLANG_PATH;
+          };
+          defaultPackage = packages.${pname};
+
+          # `nix run`
+          apps.${pname} = utils.lib.mkApp {
+            drv = packages.${pname};
+          };
+          defaultApp = apps.${pname};
+
+          # `nix flake check`
+          checks = {
+            fmt = with pkgs; runCommandLocal "${pname}-fmt" { buildInputs = [ cargo rustfmt nixpkgs-fmt ]; } ''
+              cd ${root}
+              cargo fmt -- --check
+              nixpkgs-fmt --check *.nix
+              touch $out
+            '';
+          };
+
+          # `nix develop`
+          devShell = pkgs.mkShell {
+            nativeBuildInputs = with pkgs; [ rustc cargo rustfmt nixpkgs-fmt ] ++ nativeBuildInputs;
+            inherit buildInputs LIBCLANG_PATH;
+          };
+        };
+      forSystem = system: forPkgs nixpkgs.legacyPackages."${system}";
+    in
+    (utils.lib.eachSystem [ "aarch64-linux" "i686-linux" "x86_64-linux" ] forSystem) // {
+      overlay = final: prev: (forPkgs final).packages;
+    };
+
+}
--- a/pam_mount/fido2luksmounthelper.sh
+++ b/pam_mount/fido2luksmounthelper.sh
@@ -0,0 +1,220 @@
+#!/bin/bash
+#
+# This is a rather minimal example Argbash potential
+# Example taken from http://argbash.readthedocs.io/en/stable/example.html
+#
+# ARG_POSITIONAL_SINGLE([operation],[Operation to perform (mount|umount)],[])
+# ARG_OPTIONAL_SINGLE([credentials-type],[c],[Type of the credentials to use (external|embedded)])
+# ARG_OPTIONAL_SINGLE([device],[d],[Name of the device to create])
+# ARG_OPTIONAL_SINGLE([mount-point],[m],[Path of the mount point to use])
+# ARG_OPTIONAL_BOOLEAN([ask-pin],[a],[Ask for a pin],[off])
+# ARG_OPTIONAL_SINGLE([salt],[s],[Salt to use],[""])
+# ARG_HELP([Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point.])
+# ARGBASH_GO()
+# needed because of Argbash --> m4_ignore([
+### START OF CODE GENERATED BY Argbash v2.9.0 one line above ###
+# Argbash is a bash code generator used to get arguments parsing right.
+# Argbash is FREE SOFTWARE, see https://argbash.io for more info
+# Generated online by https://argbash.io/generate
+
+
+die()
+{
+	local _ret="${2:-1}"
+	test "${_PRINT_HELP:-no}" = yes && print_help >&2
+	echo "$1" >&2
+	exit "${_ret}"
+}
+
+
+begins_with_short_option()
+{
+	local first_option all_short_options='cdmash'
+	first_option="${1:0:1}"
+	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
+}
+
+# THE DEFAULTS INITIALIZATION - POSITIONALS
+_positionals=()
+# THE DEFAULTS INITIALIZATION - OPTIONALS
+_arg_credentials_type=
+_arg_device=
+_arg_mount_point=
+_arg_ask_pin="off"
+_arg_salt=""
+
+
+print_help()
+{
+	printf '%s\n' "Unlocks/Locks a LUKS volume and mount/unmount it in the given mount point."
+	printf 'Usage: %s [-c|--credentials-type <arg>] [-d|--device <arg>] [-m|--mount-point <arg>] [-a|--(no-)ask-pin] [-s|--salt <arg>] [-h|--help] <operation>\n' "$0"
+	printf '\t%s\n' "<operation>: Operation to perform (mount|umount)"
+	printf '\t%s\n' "-c, --credentials-type: Type of the credentials to use (external|embedded) (no default)"
+	printf '\t%s\n' "-d, --device: Name of the device to create (no default)"
+	printf '\t%s\n' "-m, --mount-point: Path of the mount point to use (no default)"
+	printf '\t%s\n' "-a, --ask-pin, --no-ask-pin: Ask for a pin (off by default)"
+	printf '\t%s\n' "-s, --salt: Salt to use (default: '""')"
+	printf '\t%s\n' "-h, --help: Prints help"
+}
+
+
+parse_commandline()
+{
+	_positionals_count=0
+	while test $# -gt 0
+	do
+		_key="$1"
+		case "$_key" in
+			-c|--credentials-type)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_credentials_type="$2"
+				shift
+				;;
+			--credentials-type=*)
+				_arg_credentials_type="${_key##--credentials-type=}"
+				;;
+			-c*)
+				_arg_credentials_type="${_key##-c}"
+				;;
+			-d|--device)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_device="$2"
+				shift
+				;;
+			--device=*)
+				_arg_device="${_key##--device=}"
+				;;
+			-d*)
+				_arg_device="${_key##-d}"
+				;;
+			-m|--mount-point)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_mount_point="$2"
+				shift
+				;;
+			--mount-point=*)
+				_arg_mount_point="${_key##--mount-point=}"
+				;;
+			-m*)
+				_arg_mount_point="${_key##-m}"
+				;;
+			-a|--no-ask-pin|--ask-pin)
+				_arg_ask_pin="on"
+				test "${1:0:5}" = "--no-" && _arg_ask_pin="off"
+				;;
+			-a*)
+				_arg_ask_pin="on"
+				_next="${_key##-a}"
+				if test -n "$_next" -a "$_next" != "$_key"
+				then
+					{ begins_with_short_option "$_next" && shift && set -- "-a" "-${_next}" "$@"; } || die "The short option '$_key' can't be decomposed to ${_key:0:2} and -${_key:2}, because ${_key:0:2} doesn't accept value and '-${_key:2:1}' doesn't correspond to a short option."
+				fi
+				;;
+			-s|--salt)
+				test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
+				_arg_salt="$2"
+				shift
+				;;
+			--salt=*)
+				_arg_salt="${_key##--salt=}"
+				;;
+			-s*)
+				_arg_salt="${_key##-s}"
+				;;
+			-h|--help)
+				print_help
+				exit 0
+				;;
+			-h*)
+				print_help
+				exit 0
+				;;
+			*)
+				_last_positional="$1"
+				_positionals+=("$_last_positional")
+				_positionals_count=$((_positionals_count + 1))
+				;;
+		esac
+		shift
+	done
+}
+
+
+handle_passed_args_count()
+{
+	local _required_args_string="'operation'"
+	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
+	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
+}
+
+
+assign_positional_args()
+{
+	local _positional_name _shift_for=$1
+	_positional_names="_arg_operation "
+
+	shift "$_shift_for"
+	for _positional_name in ${_positional_names}
+	do
+		test $# -gt 0 || break
+		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
+		shift
+	done
+}
+
+parse_commandline "$@"
+handle_passed_args_count
+assign_positional_args 1 "${_positionals[@]}"
+
+# OTHER STUFF GENERATED BY Argbash
+
+### END OF CODE GENERATED BY Argbash (sortof) ### ])
+# [ <-- needed because of Argbash
+
+if [ -z ${_arg_mount_point} ]; then
+  die "Missing '--mount-point' argument"
+fi
+
+if [ -z ${_arg_device} ]; then
+  die "Missing '--device' argument"
+fi
+
+ASK_PIN=${_arg_ask_pin}
+OPERATION=${_arg_operation}
+DEVICE=${_arg_device}
+DEVICE_NAME=$(sed "s|/|_|g" <<< ${DEVICE})
+MOUNT_POINT=${_arg_mount_point}
+CREDENTIALS_TYPE=${_arg_credentials_type}
+SALT=${_arg_salt}
+CONF_FILE_PATH="/etc/fido2luksmounthelper.conf"
+
+if [ "${OPERATION}" == "mount" ]; then
+	if [ "${CREDENTIALS_TYPE}" == "external" ]; then
+    if  [ -f ${CONF_FILE_PATH} ]; then
+			if [ "${ASK_PIN}" == "on" ]; then
+				read PASSWORD
+			fi
+			CREDENTIALS=$(<${CONF_FILE_PATH})
+		else
+			die "The configuration file '${CONF_FILE_PATH}' is missing. Please create it or use embedded credentials."
+		fi
+		printf ${PASSWORD} | fido2luks open --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME} ${CREDENTIALS}
+	elif [ "${CREDENTIALS_TYPE}" == "embedded" ]; then
+		if [ "${ASK_PIN}" == "on" ]; then
+			read PASSWORD
+		fi
+		printf ${PASSWORD} | fido2luks open-token --salt string:${SALT} --pin --pin-source /dev/stdin ${DEVICE} ${DEVICE_NAME}
+	else
+		die "Given credential-type '${CREDENTIALS_TYPE}' is invalid. It must be 'external' or 'embedded'"
+	fi 
+	mount /dev/mapper/${DEVICE_NAME} ${MOUNT_POINT}
+elif [ "${OPERATION}" == "umount" ]; then
+  umount ${MOUNT_POINT}
+  cryptsetup luksClose ${DEVICE_NAME}
+else
+  die "Given operation '${OPERATION}' is invalid. It must be 'mount' or 'unmount'"
+fi
+
+exit 0
+
+# ] <-- needed because of Argbash
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -25,7 +25,7 @@ fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
    if let Some(src) = ap.pin_source.as_ref() {
        let mut pin = String::new();
        File::open(src)?.read_to_string(&mut pin)?;
-        Ok(pin)
+        Ok(pin.trim_end_matches("\n").to_string()) //remove trailing newline
    } else {
        util::read_password("Authenticator PIN", false)
    }
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,10 +1,10 @@
 use ctap::FidoError;
 use libcryptsetup_rs::LibcryptErr;
-use pamsm::PamError;
 use std::io;
 use std::io::ErrorKind;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
+
 pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;

 #[derive(Debug, Fail)]
@@ -29,10 +29,6 @@ pub enum Fido2LuksError {
    WrongSecret,
    #[fail(display = "not an utf8 string")]
    StringEncodingError { cause: FromUtf8Error },
-    #[fail(display = "elevated privileges required")]
-    MissingPrivileges,
-    #[fail(display = "{}", cause)]
-    Configuration { cause: ConfigurationError },
 }

 impl Fido2LuksError {
@@ -54,26 +50,6 @@ pub enum AskPassError {
    IO(io::Error),
    #[fail(display = "provided passwords don't match")]
    Mismatch,
-    #[fail(display = "unable to retrieve password: {}", _0)]
-    Pam(PamError),
-}
-
-impl From<PamError> for AskPassError {
-    fn from(e: PamError) -> Self {
-        AskPassError::Pam(e)
-    }
-}
-
-impl From<io::Error> for AskPassError {
-    fn from(e: io::Error) -> Self {
-        AskPassError::IO(e)
-    }
-}
-
-impl From<AskPassError> for Fido2LuksError {
-    fn from(cause: AskPassError) -> Self {
-        Fido2LuksError::AskPassError { cause }
-    }
 }

 #[derive(Debug, Fail)]
@@ -136,16 +112,3 @@ impl From<FromUtf8Error> for Fido2LuksError {
        StringEncodingError { cause: e }
    }
 }
-#[derive(Debug, Fail)]
-pub enum ConfigurationError {
-    #[fail(display = "config is missing some values: {:?}", _0)]
-    Missing(Vec<String>),
-    #[fail(display = "config attribute {} contains an invalid value: {}", _1, _0)]
-    InvalidValue(String, String),
-}
-
-impl From<ConfigurationError> for Fido2LuksError {
-    fn from(cause: ConfigurationError) -> Fido2LuksError {
-        Fido2LuksError::Configuration { cause }
-    }
-}
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,183 +0,0 @@
-#[macro_use]
-extern crate failure;
-extern crate ctap_hmac as ctap;
-#[macro_use]
-extern crate serde_derive;
-use crate::cli_args::{CommaSeparated, HexEncoded};
-use crate::device::*;
-use crate::error::*;
-use crate::luks::*;
-use ctap::FidoCredential;
-use failure::_core::time::Duration;
-use pamsm::PamLibExt;
-use pamsm::*;
-use std::collections::{HashMap, HashSet};
-use std::path::Path;
-use std::str::FromStr;
-use sudo::{self, RunningAs};
-
-pub mod cli_args;
-pub mod device;
-pub mod error;
-pub mod luks;
-pub mod util;
-
-struct PamFido2Luks;
-
-impl PamFido2Luks {
-    fn open(
-        &self,
-        user: String,
-        mut password: impl FnMut(&str) -> PamResult<String>,
-        args: Vec<String>,
-    ) -> Fido2LuksResult<()> {
-        let args: HashMap<String, String> = args
-            .into_iter()
-            .filter_map(|arg| {
-                let mut parts = arg.split("=");
-                parts
-                    .by_ref()
-                    .next()
-                    .map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
-            })
-            .collect();
-
-        let credentials = match args.get("credentials").map(|creds| {
-            <CommaSeparated<String>>::from_str(creds)
-                .map(|cs| cs.0)
-                .map_err(|_| ConfigurationError::InvalidValue("credentials".into(), creds.into()))
-        }) {
-            Some(creds) => creds?,
-            _ => Vec::new(),
-        };
-        let pin = args.get("pin");
-        let pin_prefix = args
-            .get("pin-prefix")
-            .map(|p| p.parse::<bool>().unwrap_or_default())
-            .unwrap_or_default();
-        let device = args
-            .get("device")
-            .map(|device| device.replace("%user%", user.as_str()));
-        let name = args
-            .get("name")
-            .map(|name| name.replace("%user%", user.as_str()));
-
-        let mut attempts = args
-            .get("attempts")
-            .and_then(|a| a.parse::<usize>().ok())
-            .unwrap_or(3);
-
-        if let (Some(device), Some(name)) = (device, name) {
-            if !Path::new(&device).exists() || Path::new(&format!("/dev/mapper/{}", name)).exists()
-            {
-                return Ok(());
-            }
-            // root required to mount luks
-            match sudo::check() {
-                RunningAs::User => return Err(Fido2LuksError::MissingPrivileges),
-                _ => {
-                    sudo::escalate_if_needed().map_err(|_| Fido2LuksError::MissingPrivileges)?;
-                }
-            }
-            let mut device = LuksDevice::load(device)?;
-            let mut additional_credentials: HashSet<String> = HashSet::new();
-            if device.is_luks2()? {
-                for token in device.tokens()? {
-                    let (_, token) = token?;
-                    additional_credentials.extend(token.credential.into_iter());
-                }
-            }
-            let credentials: Vec<FidoCredential> = credentials
-                .into_iter()
-                .chain(additional_credentials.into_iter())
-                .map(|cred| HexEncoded::from_str(cred.as_str()))
-                .map(|cred| FidoCredential {
-                    id: cred.unwrap().0,
-                    public_key: None,
-                })
-                .collect();
-            let credentials: Vec<&FidoCredential> = credentials.iter().collect();
-            if !credentials.is_empty() {
-                loop {
-                    let (pin, pass) = if pin_prefix {
-                        let password = password("PIN + FIDO2 salt (pin:password):")
-                            .map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?;
-                        let mut parts = password.split(":");
-                        (
-                            parts.next().map(|p| p.to_string()).or(pin.cloned()),
-                            parts.collect::<Vec<_>>().join(":"),
-                        )
-                    } else {
-                        (
-                            pin.cloned(),
-                            password("FIDO2 salt: ")
-                                .map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?,
-                        )
-                    };
-
-                    let salt = util::sha256(&[pass.as_bytes()]);
-                    let secret = util::sha256(&[
-                        &salt,
-                        &perform_challenge(
-                            &credentials[..],
-                            &salt,
-                            Duration::from_secs(15),
-                            pin.as_ref().map(String::as_str),
-                        )?
-                        .0[..],
-                    ]);
-                    match device.activate(name.as_str(), &secret[..], None) {
-                        Ok(_) => return Ok(()),
-                        _ if attempts > 0 => {
-                            attempts -= 1;
-                            continue;
-                        }
-                        Err(e) => break Err(e),
-                    }
-                }
-            } else {
-                Err(ConfigurationError::Missing(vec!["credentials".into()]).into())
-            }
-        } else {
-            Ok(())
-        }
-    }
-}
-
-impl PamServiceModule for PamFido2Luks {
-    fn authenticate(pamh: Pam, _flag: PamFlag, args: Vec<String>) -> PamError {
-        let perfrom_authenticate = move || -> Fido2LuksResult<()> {
-            let user = match pamh.get_cached_user() {
-                Err(e) => Err(AskPassError::Pam(e))?,
-                Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
-            };
-            let mut password = match pamh.get_authtok(None) {
-                Err(e) => Err(AskPassError::Pam(e))?,
-                Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
-            };
-            if let Some(user) = user {
-                PamFido2Luks.open(
-                    user,
-                    move |q: &str| match password.take() {
-                        Some(pass) => Ok(pass),
-                        None => pamh
-                            .conv(Some(q), PamMsgStyle::PROMPT_ECHO_OFF)
-                            .map(|s| s.map(|s| s.to_str().unwrap()).unwrap_or("").to_string()),
-                    },
-                    args,
-                )
-            } else {
-                Err(AskPassError::Pam(PamError::AUTH_ERR))?
-            }
-        };
-        match perfrom_authenticate() {
-            Ok(_) => PamError::SUCCESS,
-            Err(e) => {
-                eprintln!("{}", e);
-                PamError::AUTH_ERR
-            }
-        }
-    }
-}
-
-pam_module!(PamFido2Luks);
Author	SHA1	Message	Date
shimun	e42f962368	add nix flake All checks were successful continuous-integration/drone/push Build is passing Details	2021-02-07 14:08:11 +01:00
shimun	b0404f2fc1	minimum YubiKey firmware version Some checks reported errors continuous-integration/drone/push Build encountered an error Details	2020-11-17 13:05:45 +01:00
shimunn	de21e3ef8d	Merge pull request #21 from aacebedo/master Added an helper script to be used with pam_mount	2020-11-01 21:18:13 +01:00
Alexandre ACEBEDO	8a7b3addbb	Added an helper script to be used with pam_mount	2020-11-01 18:21:04 +01:00
shimun	e7e44cd61b	fix test All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-13 14:17:22 +02:00
shimun	0ec859f4a6	remove trailing newline from pin Some checks failed continuous-integration/drone/push Build is failing Details	2020-09-25 12:40:34 +02:00