patch secret_gen before obtaing first secret

error.rs: typo

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.2"
+version = "0.2.6"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -14,17 +14,13 @@ categories = ["command-line-utilities"]
 license-file = "LICENSE"
 
 [dependencies]
-#ctap = "0.1.0"
+ctap_hmac = { version="0.4.1", features = ["request_multiple"] }
-ctap_hmac = "0.2.1"
-cryptsetup-rs = "0.2.1"
-libcryptsetup-sys = "0.1.2"
-
-
 hex = "0.3.2"
 ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
+libcryptsetup-rs = "0.2.0"
 
 [profile.release]
 lto = true

README.md

@@ -9,7 +9,7 @@ Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
 ### Prerequisites
 
 ```
-dnf install cargo cryptsetup-devel -y
+dnf install clang cargo cryptsetup-devel -y
 ```
 
 ### Device
@@ -17,18 +17,22 @@ dnf install cargo cryptsetup-devel -y
 ```
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 
-#Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
+# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
-CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
+sudo -E cargo install -f --path . --root /usr
 
-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
+# Copy template
+cp dracut/96luks-2fa/fido2luks.conf /etc/
+# Name is optional but useful if your authenticator has a display
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
 
+# Load config into env
 set -a
-. dracut/96luks-2fa/fido2luks.conf
+. /etc/fido2luks.conf
 
-#Repeat for each luks volume
+# Repeat for each luks volume
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
-#Test(only works if the luks container isn't active)
+# Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
 
 ```
@@ -45,13 +49,13 @@ sudo make install
 
 Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
+Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
 
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 
-I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
 
 ```
 mkdir /boot/fido2luks/
@@ -61,12 +65,12 @@ cp /etc/fido2luks.conf /boot/fido2luks/
 
 ## Test
 
-Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
+Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 
 ```
-#Recommend in case you lose your authenticator, store this backupfile somewhere safe
+# Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
-#There is no turning back if you mess this up, make sure you made a backup
+# There is no turning back if you mess this up, make sure you made a backup
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
 
@@ -74,9 +78,10 @@ fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 
 ### Password less
 
-Remove your previous secret as described in the next section, incase you already added one.
+Remove your previous secret as described in the next section, in case you've already added one.
 
 Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
+but be warned that this password will be included to into your initramfs.
 
 Import the new config into env:
 
@@ -96,5 +101,5 @@ set -a
 . fido2luks.conf
 sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 
-sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```

dracut/96luks-2fa/luks-2fa-generator.sh

@@ -9,7 +9,7 @@ MOUNT=$(command -v mount)
 UMOUNT=$(command -v umount)
 
 TIMEOUT=120
-CON_MSG="Please connect your authenicator"
+CON_MSG="Please connect your authenticator"
 
 generate_service () {
         local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
@@ -19,6 +19,10 @@ generate_service () {
 
         local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service"
         local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service"
+        local fido2luks_args="--bin"
+        if [ ! -z "$timeout" ]; then
+          fido2luks_args="$fido2luks_args --await-dev ${timeout}"
+        fi
         {
                 printf -- "[Unit]"
                 printf -- "\nDescription=%s" "2fa for luks"
@@ -27,18 +31,15 @@ generate_service () {
                 printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
                 printf -- "\nConflicts=umount.target"
                 printf -- "\nDefaultDependencies=no"
-                printf -- "\nJobTimeoutSec=%s" "$timeout"
+                [ ! -z "$timeout" ] && printf -- "\nJobTimeoutSec=%s" "$timeout"
-
                 printf -- "\n\n[Service]"
                 printf -- "\nType=oneshot"
                 printf -- "\nRemainAfterExit=yes"
                 printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
-                printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
+                [ ! -z "$credential_id" ] && printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
                 printf -- "\nKeyringMode=%s" "shared"
 		            printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
-		            printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\""
+                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret $fido2luks_args | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
-		            printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
-                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
                 printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
         } > "$sd_service"
 

src/cli.rs

@@ -1,73 +1,59 @@
 use crate::error::*;
+use crate::luks;
 use crate::*;
 
-use cryptsetup_rs as luks;
-use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
-use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
-
-use libcryptsetup_sys::crypt_keyslot_info;
 use structopt::StructOpt;
 
+use ctap::{FidoCredential, FidoErrorKind};
+use failure::_core::fmt::{Display, Error, Formatter};
+use failure::_core::str::FromStr;
+use failure::_core::time::Duration;
 use std::io::Write;
 use std::process::exit;
+use std::thread;
 
-pub fn add_key_to_luks(
+use crate::util::read_password;
-    device: PathBuf,
+use std::time::SystemTime;
-    secret: &[u8; 32],
+
-    old_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
+#[derive(Debug, Eq, PartialEq, Clone)]
-    exclusive: bool,
+pub struct HexEncoded(pub Vec<u8>);
-) -> Fido2LuksResult<u8> {
+
-    fn offer_format(
+impl Display for HexEncoded {
-        _dev: CryptDeviceOpenBuilder,
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
-    ) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
+        f.write_str(&hex::encode(&self.0))
-        unimplemented!()
     }
-    let dev =
-        || -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
-
-    let prev_key = old_secret()?;
-
-    let mut handle = match dev()?.luks1() {
-        Ok(handle) => handle,
-        Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?,
-        Err(luks::device::Error::CryptsetupError(errno)) => {
-            //if i32::from(errno) == 555
-            dbg!(errno);
-            offer_format(dev()?)?
-        } //TODO: find correct errorno and offer to format as luks
-        err => err?,
-    };
-    handle.set_iteration_time(50);
-    let slot = handle.add_keyslot(secret, Some(prev_key.as_slice()), None)?;
-    if exclusive {
-        for old_slot in 0..8u8 {
-            if old_slot != slot
-                && (handle.keyslot_status(old_slot.into()) == crypt_keyslot_info::CRYPT_SLOT_ACTIVE
-                    || handle.keyslot_status(old_slot.into())
-                        == crypt_keyslot_info::CRYPT_SLOT_ACTIVE_LAST)
-            {
-                handle.destroy_keyslot(old_slot)?;
-            }
-        }
-    }
-    Ok(slot)
 }
 
-pub fn add_password_to_luks(
+impl FromStr for HexEncoded {
-    device: PathBuf,
+    type Err = hex::FromHexError;
-    secret: &[u8; 32],
+
-    new_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
-    add_password: bool,
+        Ok(HexEncoded(hex::decode(s)?))
-) -> Fido2LuksResult<u8> {
+    }
-    let dev = luks::open(&device.canonicalize()?)?;
+}
-    let mut handle = dev.luks1()?;
+
-    let prev_slot = if add_password {
+#[derive(Debug, Eq, PartialEq, Clone)]
-        Some(handle.add_keyslot(&secret[..], Some(&secret[..]), None)?)
+pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
-    } else {
+
-        None
+impl<T: Display + FromStr> Display for CommaSeparated<T> {
-    };
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
-    let slot = handle.update_keyslot(&new_secret()?[..], &secret[..], prev_slot)?;
+        for i in &self.0 {
-    Ok(slot)
+            f.write_str(&i.to_string())?;
+            f.write_str(",")?;
+        }
+        Ok(())
+    }
+}
+
+impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
+    type Err = <T as FromStr>::Err;
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(CommaSeparated(
+            s.split(',')
+                .map(|part| <T as FromStr>::from_str(part))
+                .collect::<Result<Vec<_>, _>>()?,
+        ))
+    }
 }
 
 #[derive(Debug, StructOpt)]
@@ -81,13 +67,13 @@ pub struct Args {
 
 #[derive(Debug, StructOpt, Clone)]
 pub struct SecretGeneration {
-    /// FIDO credential id, generate using fido2luks credential
+    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
     #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
-    pub credential_id: String,
+    pub credential_ids: CommaSeparated<HexEncoded>,
     /// Salt for secret generation, defaults to 'ask'
     ///
     /// Options:{n}
-    ///  - ask              : Promt user using password helper{n}
+    ///  - ask              : Prompt user using password helper{n}
     ///  - file:<PATH>      : Will read <FILE>{n}
     ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
     #[structopt(
@@ -104,26 +90,118 @@ pub struct SecretGeneration {
         default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
     )]
     pub password_helper: PasswordHelper,
+
+    /// Await for an authenticator to be connected, timeout after n seconds
+    #[structopt(
+        long = "await-dev",
+        name = "await-dev",
+        env = "FIDO2LUKS_DEVICE_AWAIT",
+        default_value = "15"
+    )]
+    pub await_authenticator: u64,
+
+    /// Request the password twice to ensure it being correct
+    #[structopt(
+        long = "verify-password",
+        env = "FIDO2LUKS_VERIFY_PASSWORD",
+        hidden = true
+    )]
+    pub verify_password: Option<bool>,
 }
 
 impl SecretGeneration {
-    pub fn patch(&self, args: &Args) -> Self {
+    pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
         let mut me = self.clone();
         if args.interactive {
             me.password_helper = PasswordHelper::Stdin;
         }
+        me.verify_password = me.verify_password.or(verify_password);
         me
     }
 
-    pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
-        let salt = self.salt.obtain(&self.password_helper)?;
+        let mut salt = [0u8; 32];
+        match self.password_helper {
+            PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
+                salt.copy_from_slice(&util::sha256(&[&read_password(
+                    password_query,
+                    self.verify_password.unwrap_or(true),
+                )?
+                .as_bytes()[..]]));
+            }
+            _ => {
+                salt = self.salt.obtain(&self.password_helper)?;
+            }
+        }
+        let timeout = Duration::from_secs(self.await_authenticator);
+        let start = SystemTime::now();
+
+        while let Ok(el) = start.elapsed() {
+            if el > timeout {
+                Err(error::Fido2LuksError::NoAuthenticatorError)?;
+            }
+            if get_devices()
+                .map(|devices| !devices.is_empty())
+                .unwrap_or(false)
+            {
+                break;
+            }
+            thread::sleep(Duration::from_millis(500));
+        }
+        let credentials = &self
+            .credential_ids
+            .0
+            .iter()
+            .map(|HexEncoded(id)| FidoCredential {
+                id: id.to_vec(),
+                public_key: None,
+            })
+            .collect::<Vec<_>>();
+        let credentials = credentials.iter().collect::<Vec<_>>();
         Ok(assemble_secret(
-            &perform_challenge(&self.credential_id, &salt)?,
+            &perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?,
             &salt,
         ))
     }
 }
 
+#[derive(Debug, StructOpt, Clone)]
+pub struct LuksSettings {
+    /// Number of milliseconds required to derive the volume decryption key
+    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
+    #[structopt(long = "kdf-time", name = "kdf-time")]
+    kdf_time: Option<u64>,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct OtherSecret {
+    /// Use a keyfile instead of a password
+    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
+    keyfile: Option<PathBuf>,
+    /// Use another fido device instead of a password
+    /// Note: this requires for the credential fot the other device to be passed as argument as well
+    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
+    fido_device: bool,
+}
+
+impl OtherSecret {
+    pub fn obtain(
+        &self,
+        secret_gen: &SecretGeneration,
+        verify_password: bool,
+        password_question: &str,
+    ) -> Fido2LuksResult<Vec<u8>> {
+        match &self.keyfile {
+            Some(keyfile) => util::read_keyfile(keyfile.clone()),
+            None if self.fido_device => {
+                Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
+            }
+            None => util::read_password(password_question, verify_password)
+                .map(|p| p.as_bytes().to_vec()),
+        }
+    }
+}
+
 #[derive(Debug, StructOpt)]
 pub enum Command {
     #[structopt(name = "print-secret")]
@@ -142,13 +220,13 @@ pub enum Command {
         /// Will wipe all other keys
         #[structopt(short = "e", long = "exclusive")]
         exclusive: bool,
-        /// Use a keyfile instead of a password
+        #[structopt(flatten)]
-        #[structopt(short = "d", long = "keyfile")]
+        existing_secret: OtherSecret,
-        keyfile: Option<PathBuf>,
         #[structopt(flatten)]
         secret_gen: SecretGeneration,
+        #[structopt(flatten)]
+        luks_settings: LuksSettings,
     },
-
     /// Replace a previously added key with a password
     #[structopt(name = "replace-key")]
     ReplaceKey {
@@ -157,11 +235,12 @@ pub enum Command {
         /// Add the password and keep the key
         #[structopt(short = "a", long = "add-password")]
         add_password: bool,
-        /// Use a keyfile instead of a password
+        #[structopt(flatten)]
-        #[structopt(short = "d", long = "keyfile")]
+        replacement: OtherSecret,
-        keyfile: Option<PathBuf>,
         #[structopt(flatten)]
         secret_gen: SecretGeneration,
+        #[structopt(flatten)]
+        luks_settings: LuksSettings,
     },
     /// Open the LUKS device
     #[structopt(name = "open")]
@@ -204,7 +283,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             binary,
             ref secret_gen,
         } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let secret = secret_gen
+                .patch(&args, Some(false))
+                .obtain_secret("Password")?;
             if *binary {
                 stdout.write(&secret[..])?;
             } else {
@@ -215,48 +296,51 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         Command::AddKey {
             device,
             exclusive,
-            keyfile,
+            existing_secret,
             ref secret_gen,
+            luks_settings,
         } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let secret_gen = secret_gen.patch(&args, None);
-            let slot = add_key_to_luks(
+            let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
+            let secret = secret_gen.obtain_secret("Password")?;
+            let added_slot = luks::add_key(
                 device.clone(),
                 &secret,
-                if let Some(keyfile) = keyfile.clone() {
+                &old_secret[..],
-                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                luks_settings.kdf_time.or(Some(10)),
-                } else {
-                    Box::new(|| {
-                        util::read_password("Old password", true).map(|p| p.as_bytes().to_vec())
-                    })
-                },
-                *exclusive,
             )?;
-            println!(
+            if *exclusive {
-                "Added to key to device {}, slot: {}",
+                let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
-                device.display(),
+                println!(
-                slot
+                    "Added to key to device {}, slot: {}\nRemoved {} old keys",
-            );
+                    device.display(),
+                    added_slot,
+                    destroyed
+                );
+            } else {
+                println!(
+                    "Added to key to device {}, slot: {}",
+                    device.display(),
+                    added_slot
+                );
+            }
             Ok(())
         }
         Command::ReplaceKey {
             device,
             add_password,
-            keyfile,
+            replacement,
             ref secret_gen,
+            luks_settings,
         } => {
-            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let secret_gen = secret_gen.patch(&args, Some(false));
-            let slot = add_password_to_luks(
+            let secret = secret_gen.obtain_secret("Password")?;
-                device.clone(),
+            let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
-                &secret,
+            let slot = if *add_password {
-                if let Some(keyfile) = keyfile.clone() {
+                luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
-                    Box::new(move || util::read_keyfile(keyfile.clone()))
+            } else {
-                } else {
+                luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
-                    Box::new(|| {
+            }?;
-                        util::read_password("Password to add", true).map(|p| p.as_bytes().to_vec())
-                    })
-                },
-                *add_password,
-            )?;
             println!(
                 "Added to password to device {}, slot: {}",
                 device.display(),
@@ -272,16 +356,25 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         } => {
             let mut retries = *retries;
             loop {
-                let secret = secret_gen.patch(&args).obtain_secret()?;
+                match secret_gen
-                match open_container(&device, &name, &secret) {
+                    .patch(&args, Some(false))
-                    Err(e) => match e {
+                    .obtain_secret("Password")
-                        Fido2LuksError::WrongSecret if retries > 0 => {
+                    .and_then(|secret| luks::open_container(&device, &name, &secret))
-                            retries -= 1;
+                {
-                            eprintln!("{}", e);
+                    Err(e) => {
-                            continue;
+                        match e {
+                            Fido2LuksError::WrongSecret if retries > 0 => (),
+                            Fido2LuksError::AuthenticatorError { ref cause }
+                                if cause.kind() == FidoErrorKind::Timeout && retries > 0 =>
+                            {
+                                ()
+                            }
+
+                            e => break Err(e)?,
                         }
-                        e => Err(e)?,
+                        retries -= 1;
-                    },
+                        eprintln!("{}", e);
+                    }
                     res => break res,
                 }
             }

src/device.rs

@@ -1,91 +1,49 @@
 use crate::error::*;
-use crate::util::sha256;
 
+use crate::util;
 use ctap::{
-    self,
+    self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
-    extensions::hmac::{FidoHmacCredential, HmacExtension},
+    FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
-    AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
-    PublicKeyCredentialUserEntity,
 };
+use std::time::Duration;
 
 const RP_ID: &'static str = "fido2luks";
 
-fn authenticator_options() -> Option<AuthenticatorOptions> {
+pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
-    Some(AuthenticatorOptions {
+    let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
-        uv: false, //TODO: should get this from config
+    if let Some(user_name) = name {
-        rk: true,
+        request = request.user_name(user_name);
-    })
-}
-
-fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
-    PublicKeyCredentialRpEntity {
-        id: RP_ID,
-        name: None,
-        icon: None,
     }
+    let request = request.build().unwrap();
+    let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request);
+    Ok(request_multiple_devices(
+        get_devices()?
+            .iter_mut()
+            .map(|device| (device, &make_credential)),
+        None,
+    )?)
 }
 
-fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
+pub fn perform_challenge(
-    PublicKeyCredentialUserEntity {
+    credentials: &[&FidoCredential],
-        id: &[0u8],
+    salt: &[u8; 32],
-        name: name.unwrap_or(""),
+    timeout: Duration,
-        icon: None,
+) -> Fido2LuksResult<[u8; 32]> {
-        display_name: name,
+    let request = FidoAssertionRequestBuilder::default()
-    }
+        .rp_id(RP_ID)
-}
+        .credentials(credentials)
-
+        .build()
-pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
+        .unwrap();
-    let mut errs = Vec::new();
+    let get_assertion = |device: &mut FidoDevice| {
-    match get_devices()? {
+        device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
-        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
-        devs => {
-            for mut dev in devs.into_iter() {
-                match dev
-                    .make_hmac_credential_full(
-                        authenticator_rp(),
-                        authenticator_user(name),
-                        &[0u8; 32],
-                        &[],
-                        authenticator_options(),
-                    )
-                    .map(|cred| cred.into())
-                {
-                    //TODO: make credentials device specific
-                    Ok(cred) => {
-                        return Ok(cred);
-                    }
-                    Err(e) => {
-                        errs.push(e);
-                    }
-                }
-            }
-        }
-    }
-    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
-}
-
-pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
-    let cred = FidoHmacCredential {
-        id: hex::decode(credential_id).unwrap(),
-        rp_id: RP_ID.to_string(),
     };
-    let mut errs = Vec::new();
+    let (_, (secret, _)) = request_multiple_devices(
-    match get_devices()? {
+        get_devices()?
-        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
+            .iter_mut()
-        devs => {
+            .map(|device| (device, &get_assertion)),
-            for mut dev in devs.into_iter() {
+        Some(timeout),
-                match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
+    )?;
-                    Ok(secret) => {
+    Ok(secret)
-                        return Ok(secret.0);
-                    }
-                    Err(e) => {
-                        errs.push(e);
-                    }
-                }
-            }
-        }
-    }
-    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
 }
 
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {

src/error.rs

@@ -11,11 +11,13 @@ pub enum Fido2LuksError {
     KeyfileError { cause: io::Error },
     #[fail(display = "authenticator error: {}", cause)]
     AuthenticatorError { cause: ctap::FidoError },
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     NoAuthenticatorError,
     #[fail(display = "luks err")]
-    LuksError { cause: cryptsetup_rs::device::Error },
+    LuksError {
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+        cause: libcryptsetup_rs::LibcryptErr,
+    },
+    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     IoError { cause: io::Error },
     #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
@@ -44,6 +46,7 @@ pub enum AskPassError {
     Mismatch,
 }
 
+use libcryptsetup_rs::LibcryptErr;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
 
@@ -53,17 +56,16 @@ impl From<FidoError> for Fido2LuksError {
     }
 }
 
-impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
+impl From<LibcryptErr> for Fido2LuksError {
-    fn from(e: cryptsetup_rs::device::Error) -> Self {
+    fn from(e: LibcryptErr) -> Self {
         match e {
-            cryptsetup_rs::device::Error::CryptsetupError(error_no) if error_no.0 == 1i32 => {
+            LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                 WrongSecret
             }
-            e => LuksError { cause: e },
+            _ => LuksError { cause: e },
         }
     }
 }
-
 impl From<io::Error> for Fido2LuksError {
     fn from(e: io::Error) -> Self {
         IoError { cause: e }

src/luks.rs

@@ -0,0 +1,83 @@
+use crate::error::*;
+
+use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
+use std::path::Path;
+
+fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+    let mut device = CryptInit::init(path.as_ref())?;
+    //TODO: determine luks version some way other way than just trying
+    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
+    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
+        .into_iter()
+        .fold(None, |res, format| match res {
+            Some(Ok(())) => res,
+            Some(e) => Some(e.or(load(format))),
+            None => Some(load(format)),
+        })
+        .unwrap()?;
+    Ok(device)
+}
+
+pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
+    let mut device = load_device_handle(path)?;
+    device
+        .activate_handle()
+        .activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty())
+        .map(|_slot| ())
+        .map_err(|_e| Fido2LuksError::WrongSecret)
+}
+
+pub fn add_key<P: AsRef<Path>>(
+    path: P,
+    secret: &[u8],
+    old_secret: &[u8],
+    iteration_time: Option<u64>,
+) -> Fido2LuksResult<u32> {
+    let mut device = load_device_handle(path)?;
+    if let Some(millis) = iteration_time {
+        device.settings_handle().set_iteration_time(millis)
+    }
+    let slot = device
+        .keyslot_handle(None)
+        .add_by_passphrase(old_secret, secret)?;
+    Ok(slot)
+}
+
+pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+    let mut device = load_device_handle(path)?;
+    let mut handle;
+    let mut destroyed = 0;
+    //TODO: detect how many keyslots there are instead of trying within a given range
+    for slot in 0..1024 {
+        handle = device.keyslot_handle(Some(slot));
+        match handle.status()? {
+            KeyslotInfo::Inactive => continue,
+            KeyslotInfo::Active if !exclude.contains(&slot) => {
+                handle.destroy()?;
+                destroyed += 1;
+            }
+            _ => (),
+        }
+        match handle.status()? {
+            KeyslotInfo::ActiveLast => break,
+            _ => (),
+        }
+    }
+    Ok(destroyed)
+}
+
+pub fn replace_key<P: AsRef<Path>>(
+    path: P,
+    secret: &[u8],
+    old_secret: &[u8],
+    iteration_time: Option<u64>,
+) -> Fido2LuksResult<u32> {
+    let mut device = load_device_handle(path)?;
+    // Set iteration time not sure wether this applies to luks2 as well
+    if let Some(millis) = iteration_time {
+        device.settings_handle().set_iteration_time(millis)
+    }
+    Ok(device
+        .keyslot_handle(None)
+        .change_by_passphrase(None, None, old_secret, secret)? as u32)
+}

src/main.rs

@@ -5,9 +5,6 @@ use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
 use crate::error::*;
-use cryptsetup_rs as luks;
-use cryptsetup_rs::Luks1CryptDevice;
-
 use std::io;
 use std::path::PathBuf;
 use std::process::exit;
@@ -16,14 +13,9 @@ mod cli;
 mod config;
 mod device;
 mod error;
+mod luks;
 mod util;
 
-fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
-    let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
-    let _slot = handle.activate(name, &secret[..])?;
-    Ok(())
-}
-
 fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
     util::sha256(&[salt, hmac_result])
 }