err

* create PKGBUILD file

* use build & install method

* add package dependencies

.drone.yml

@@ -3,32 +3,27 @@ name: default
 
 steps:
  - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
    commands:
-     -  rustup component add rustfmt
+     - rustup component add rustfmt
-     -  cargo fmt --all -- --check
+     - cargo fmt --all -- --check
  - name: test
-   image: rust:1.37.0
+   image: ubuntu:focal
+   environment:
+    DEBIAN_FRONTEND: noninteractive
    commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev 
-    - cargo test
+    - cargo test --locked
-
+ - name: publish
- - name: build
+   image: ubuntu:focal
-   image: rust:1.37.0
+   environment:
+    DEBIAN_FRONTEND: noninteractive
+    CARGO_REGISTRY_TOKEN:
+     from_secret: cargo_tkn
    commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - cargo install -f --path . --root .
+    - apt update && apt install -y cargo libkeyutils-dev libclang-dev clang pkg-config libcryptsetup-dev libpam-dev
+    - cargo package --all-features
+    - cargo publish --all-features
    when:
     event: tag
- - name: publish
-   image: plugins/github-release
-   settings:
-     api_key:
-      from_secret: github_release
-     files:
-      - bin/fido2luks
-     checksum:
-      - md5
-      - sha256
-   when:
-    event: tag    

.gitignore

@@ -2,3 +2,7 @@
 **/*.rs.bk
 .idea/
 *.iml
+fido2luks.bash
+fido2luks.elv
+fido2luks.fish
+fido2luks.zsh

Cargo.lock

@@ -1,10 +1,25 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
 [[package]]
-name = "aho-corasick"
+name = "addr2line"
-version = "0.7.10"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8716408b8bc624ed7f65d223ddb9ac2d044c0547b6fa4b0d554f3a9540496ada"
+checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
+
+[[package]]
+name = "aho-corasick"
+version = "0.7.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
 dependencies = [
  "memchr",
 ]
@@ -37,37 +52,29 @@ checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2"
 
 [[package]]
 name = "autocfg"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
+checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 
 [[package]]
 name = "backtrace"
-version = "0.3.46"
+version = "0.3.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e"
+checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
 dependencies = [
- "backtrace-sys",
+ "addr2line",
  "cfg-if",
  "libc",
+ "miniz_oxide",
+ "object",
  "rustc-demangle",
 ]
 
-[[package]]
-name = "backtrace-sys"
-version = "0.1.35"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7de8aba10a69c8e8d7622c5710229485ec32e9d55fdad160ea559c086fdcd118"
-dependencies = [
- "cc",
- "libc",
-]
-
 [[package]]
 name = "bindgen"
-version = "0.53.2"
+version = "0.54.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6bb26d6a69a335b8cb0e7c7e9775cd5666611dc50a37177c3f2cedcfc040e8c8"
+checksum = "66c0bb6167449588ff70803f4127f0684f9063097eca5016f37eb52b92c2cf36"
 dependencies = [
  "bitflags",
  "cexpr",
@@ -79,8 +86,8 @@ dependencies = [
  "lazycell",
  "log",
  "peeking_take_while",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
  "regex",
  "rustc-hash",
  "shlex",
@@ -111,9 +118,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.50"
+version = "1.0.59"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd"
+checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381"
 
 [[package]]
 name = "cexpr"
@@ -143,9 +150,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "2.33.0"
+version = "2.33.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
+checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
 dependencies = [
  "ansi_term",
  "atty",
@@ -181,9 +188,9 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-channel"
-version = "0.4.2"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cced8691919c02aac3cb0a1bc2e9b73d89e832bf9a06fc579d4e71b68a2da061"
+checksum = "b153fe7cbef478c567df0f972e02e6d736db11affe43dfc9c56a9374d1adfb87"
 dependencies = [
  "crossbeam-utils",
  "maybe-uninit",
@@ -206,7 +213,7 @@ version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "058ed274caafc1f60c4997b5fc07bf7dc7cca454af7c6e81edffe5f33f70dace"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
  "cfg-if",
  "crossbeam-utils",
  "lazy_static",
@@ -217,12 +224,13 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-queue"
-version = "0.2.1"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
+checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
 dependencies = [
  "cfg-if",
  "crossbeam-utils",
+ "maybe-uninit",
 ]
 
 [[package]]
@@ -231,7 +239,7 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
  "cfg-if",
  "lazy_static",
 ]
@@ -284,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
  "fnv",
  "ident_case",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
  "strsim 0.9.3",
- "syn 1.0.17",
+ "syn 1.0.40",
 ]
 
 [[package]]
@@ -297,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
  "darling_core",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.40",
 ]
 
 [[package]]
@@ -309,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
  "darling",
  "derive_builder_core",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.40",
 ]
 
 [[package]]
@@ -321,16 +329,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
  "darling",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.40",
 ]
 
 [[package]]
 name = "either"
-version = "1.5.3"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
+checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
 
 [[package]]
 name = "env_logger"
@@ -347,9 +355,9 @@ dependencies = [
 
 [[package]]
 name = "failure"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b"
+checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
 dependencies = [
  "backtrace",
  "failure_derive",
@@ -357,34 +365,39 @@ dependencies = [
 
 [[package]]
 name = "failure_derive"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
+checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.40",
  "synstructure",
 ]
 
 [[package]]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.15"
 dependencies = [
  "ctap_hmac",
  "failure",
  "hex",
  "libcryptsetup-rs",
+ "pamsm",
  "ring",
  "rpassword",
+ "serde",
+ "serde_derive",
+ "serde_json",
  "structopt",
+ "sudo",
 ]
 
 [[package]]
 name = "fnv"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
 name = "fuchsia-cprng"
@@ -398,6 +411,12 @@ version = "0.3.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 
+[[package]]
+name = "gimli"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
+
 [[package]]
 name = "glob"
 version = "0.3.0"
@@ -415,9 +434,9 @@ dependencies = [
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.10"
+version = "0.1.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "725cf19794cf90aa94e65050cb4191ff5d8fa87a498383774c47b332e3af952e"
+checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
 dependencies = [
  "libc",
 ]
@@ -445,9 +464,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 
 [[package]]
 name = "itoa"
-version = "0.4.5"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8b7a7c0c47db5545ed3fef7468ee7bb5b74691498139e4b3f6a20685dc6dd8e"
+checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
 
 [[package]]
 name = "lazy_static"
@@ -457,35 +476,36 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 
 [[package]]
 name = "lazycell"
-version = "1.2.1"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
+checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.68"
+version = "0.2.76"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dea0c0405123bba743ee3f91f49b1c7cfb684eef0da0a50110f758ccf24cdff0"
+checksum = "755456fae044e6fa1ebbbd1b3e902ae19e73097ed4ed87bb79934a867c007bc3"
 
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.2.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0177fd0ec022a5adb247e13e3238309913c28102a811227ad5de6a55697f152"
+checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
 dependencies = [
  "either",
  "libc",
  "libcryptsetup-rs-sys",
  "pkg-config",
+ "semver",
  "serde_json",
  "uuid",
 ]
 
 [[package]]
 name = "libcryptsetup-rs-sys"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c605998e81e2a99c1f4c5d0be45ea1df6f1dc45dc64f5ca2847b0dbebf49ae7"
+checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
 dependencies = [
  "bindgen",
  "cc",
@@ -505,9 +525,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.8"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
+checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
 dependencies = [
  "cfg-if",
 ]
@@ -526,18 +546,27 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
 
 [[package]]
 name = "memoffset"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4fc2c02a7e374099d4ee95a193111f72d2110197fe200272371758f6c3643d8"
+checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
+]
+
+[[package]]
+name = "miniz_oxide"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d7559a8a40d0f97e1edea3220f698f78b1c5ab67532e49f68fde3910323b722"
+dependencies = [
+ "adler",
 ]
 
 [[package]]
 name = "nom"
-version = "5.1.1"
+version = "5.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b471253da97532da4b61552249c521e01e736071f71c1a4f7ebbfbf0a06aad6"
+checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
 dependencies = [
  "memchr",
  "version_check",
@@ -556,13 +585,25 @@ dependencies = [
 
 [[package]]
 name = "num-traits"
-version = "0.2.11"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
+checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
 dependencies = [
- "autocfg 1.0.0",
+ "autocfg 1.0.1",
 ]
 
+[[package]]
+name = "object"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
+
+[[package]]
+name = "pamsm"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3580ed2ebe075c74db583233318abf4b07bc8d9a40c7691d0ae9c186e19e43dd"
+
 [[package]]
 name = "peeking_take_while"
 version = "0.1.2"
@@ -571,33 +612,31 @@ checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
 
 [[package]]
 name = "pkg-config"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
+checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
 
 [[package]]
 name = "proc-macro-error"
-version = "0.4.12"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18f33027081eba0a6d8aba6d1b1c3a3be58cbb12106341c2d5759fcd9b5277e7"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
  "proc-macro-error-attr",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.40",
  "version_check",
 ]
 
 [[package]]
 name = "proc-macro-error-attr"
-version = "0.4.12"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a5b4b77fdb63c1eca72173d68d24501c54ab1269409f6b672c85deb18af69de"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
- "syn-mid",
  "version_check",
 ]
 
@@ -612,11 +651,11 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.10"
+version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df246d292ff63439fea9bc8c0a270bed0e390d5ebd4db4ba15aba81111b5abe3"
+checksum = "175c513d55719db99da20232b06cda8bab6b83ec2d04e3283edf0213c37c1a29"
 dependencies = [
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 
 [[package]]
@@ -636,11 +675,11 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.3"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f"
+checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
 ]
 
 [[package]]
@@ -781,17 +820,11 @@ dependencies = [
  "rand_core 0.3.1",
 ]
 
-[[package]]
-name = "redox_syscall"
-version = "0.1.56"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2439c63f3f6139d1b57529d16bc3b8bb855230c8efcc5d3a896c8bea7c3b1e84"
-
 [[package]]
 name = "regex"
-version = "1.3.6"
+version = "1.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f6946991529684867e47d86474e3a6d0c0ab9b82d5821e314b1ede31fa3a4b3"
+checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -801,9 +834,9 @@ dependencies = [
 
 [[package]]
 name = "regex-syntax"
-version = "0.6.17"
+version = "0.6.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fe5bd57d1d7414c6b5ed48563a2c855d995ff777729dcd91c369ec7fea395ae"
+checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
 
 [[package]]
 name = "ring"
@@ -860,9 +893,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 
 [[package]]
 name = "ryu"
-version = "1.0.3"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "535622e6be132bccd223f4bb2b8ac8d53cda3c7a6394944d3b2b33fb974f9d76"
+checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
 
 [[package]]
 name = "scopeguard"
@@ -887,15 +920,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 
 [[package]]
 name = "serde"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
+checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
+
+[[package]]
+name = "serde_derive"
+version = "1.0.115"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
+dependencies = [
+ "proc-macro2 1.0.20",
+ "quote 1.0.7",
+ "syn 1.0.40",
+]
 
 [[package]]
 name = "serde_json"
-version = "1.0.51"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da07b57ee2623368351e9a0488bb0b261322a15a6e0ae53e243cbdc0f4208da9"
+checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
 dependencies = [
  "itoa",
  "ryu",
@@ -922,9 +966,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 
 [[package]]
 name = "structopt"
-version = "0.3.12"
+version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8faa2719539bbe9d77869bfb15d4ee769f99525e707931452c97b693b3f159d"
+checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5"
 dependencies = [
  "clap",
  "lazy_static",
@@ -933,15 +977,25 @@ dependencies = [
 
 [[package]]
 name = "structopt-derive"
-version = "0.4.5"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f88b8e18c69496aad6f9ddf4630dd7d585bcaf765786cb415b9aec2fe5a0430"
+checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f"
 dependencies = [
  "heck",
  "proc-macro-error",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.40",
+]
+
+[[package]]
+name = "sudo"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a88e74edf206f281aff2820aa2066c781331044c770626dcafe19491f214e05"
+dependencies = [
+ "libc",
+ "log",
 ]
 
 [[package]]
@@ -957,36 +1011,25 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.17"
+version = "1.0.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0df0eb663f387145cab623dea85b09c2c5b4b0aef44e945d928e682fce71bb03"
+checksum = "963f7d3cc59b59b9325165add223142bbf1df27655d07789f109896d353d8350"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
-]
-
-[[package]]
-name = "syn-mid"
-version = "0.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
-dependencies = [
- "proc-macro2 1.0.10",
- "quote 1.0.3",
- "syn 1.0.17",
 ]
 
 [[package]]
 name = "synstructure"
-version = "0.12.3"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
+checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.20",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.40",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 
 [[package]]
@@ -1018,12 +1061,12 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.1.42"
+version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f"
+checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
 dependencies = [
  "libc",
- "redox_syscall",
+ "wasi",
  "winapi",
 ]
 
@@ -1035,9 +1078,9 @@ checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
 
 [[package]]
 name = "unicode-width"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "caaa9d531767d1ff2150b9332433f32a24622147e5ebb1f26409d5da67afd479"
+checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
 
 [[package]]
 name = "unicode-xid"
@@ -1047,9 +1090,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 
 [[package]]
 name = "unicode-xid"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
+checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
 
 [[package]]
 name = "untrusted"
@@ -1068,15 +1111,21 @@ dependencies = [
 
 [[package]]
 name = "vec_map"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
+checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 
 [[package]]
 name = "version_check"
-version = "0.9.1"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "078775d0255232fb988e6fccf26ddc9d1ac274299aaedcedce21c6f72cc533ce"
+checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
+
+[[package]]
+name = "wasi"
+version = "0.10.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
 
 [[package]]
 name = "which"
@@ -1089,9 +1138,9 @@ dependencies = [
 
 [[package]]
 name = "winapi"
-version = "0.3.8"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
 dependencies = [
  "winapi-i686-pc-windows-gnu",
  "winapi-x86_64-pc-windows-gnu",
@@ -1105,9 +1154,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
 [[package]]
 name = "winapi-util"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa515c5163a99cc82bab70fd3bfdd36d827be85de63737b40fcef2ce084a436e"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
 dependencies = [
  "winapi",
 ]

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.15"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL-2.0"
 
 [dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -20,7 +20,22 @@ ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
-libcryptsetup-rs = "0.2.0"
+libcryptsetup-rs = "0.4.1"
+serde_json = "1.0.51"
+serde_derive = "1.0.106"
+serde = "1.0.106"
+pamsm = { version = "0.4.1", features = ["libpam"] }
+sudo = "0.5.0"
+
+[build-dependencies]
+ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
+hex = "0.3.2"
+ring = "0.13.5"
+failure = "0.1.5"
+rpassword = "4.0.1"
+libcryptsetup-rs = "0.4.1"
+pamsm = { version = "0.4.1", features = ["libpam"] }
+structopt = "0.3.2"
 
 [profile.release]
 lto = true
@@ -28,3 +43,26 @@ opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
+
+[[bin]]
+name = "fido2luks"
+path = "src/main.rs"
+
+[lib]
+name = "fido2luks_pam"
+path = "src/lib.rs"
+crate-type = ["cdylib"]
+
+[package.metadata.deb]
+depends = "$auto, cryptsetup"
+build-depends = "libclang-dev, libcryptsetup-dev, libpam-dev"
+extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+assets = [
+    ["target/release/fido2luks", "usr/bin/", "755"],
+    ["target/release/libfido2luks_pam.so", "usr/lib/x86_64-linux-gnu/security/pam_fido2luks.so", "755"],
+    ["fido2luks.bash", "usr/share/bash-completion/completions/fido2luks", "644"],
+    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
+    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
+    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
+]
+conf-files = ["/etc/fido2luks.conf"]

PKGBUILD

@@ -0,0 +1,25 @@
+# Maintainer: shimunn <shimun@shimun.net>
+pkgname=fido2luks
+pkgver=0.2.12
+pkgrel=1
+makedepends=('rust' 'cargo' 'cryptsetup' 'clang')
+depends=('cryptsetup')
+arch=('i686' 'x86_64' 'armv6h' 'armv7h')
+pkgdesc="Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+url="https://github.com/shimunn/fido2luks"
+license=('MPL-2.0')
+
+pkgver() {
+	# Use tag version if possible otherwise concat project version and git ref
+	git describe --exact-match --tags HEAD 2> /dev/null || \
+		echo "$(cargo pkgid | cut -d'#' -f2).$(git describe --always)"
+}
+
+build() {
+    cargo build --release --locked --all-features --target-dir=target
+}
+
+package() {
+    install -Dm 755 target/release/${pkgname} -t "${pkgdir}/usr/bin"
+    install -Dm 644 ../fido2luks.bash "${pkgdir}/usr/share/bash-completion/completions/fido2luks"
+}

README.md

@@ -1,8 +1,8 @@
 # fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatible key
+This will allow you to unlock your LUKS encrypted disk with an FIDO2 compatible key.
 
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 
 ## Setup
 
@@ -30,6 +30,8 @@ set -a
 . /etc/fido2luks.conf
 
 # Repeat for each luks volume
+# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
+# enabling you to use `fido2luks open-token` without passing a credential as parameter
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
 # Test(only works if the luks container isn't active)
@@ -63,7 +65,7 @@ cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
 
-## Test
+## Testing
 
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 
@@ -71,6 +73,8 @@ Just reboot and see if it works, if that's the case you should remove your old l
 # Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
 # There is no turning back if you mess this up, make sure you made a backup
+# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
+# which will enable you to use `fido2luks open-token` without passing a credential as parameter
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
 
@@ -92,6 +96,13 @@ set -a
 
 Then add the new secret to each device and update dracut afterwards `dracut -f`
 
+### Multiple keys
+
+Additional/backup keys are supported, Multiple fido2luks credentials can be added to your /etc/fido2luks.conf file. Credential tokens are comma separated.
+```
+FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL1>,<CREDENTIAL2>,<CREDENTIAL3>
+```
+
 ## Removal
 
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
@@ -103,3 +114,17 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
+
+## License
+
+Licensed under
+
+ * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
+
+### Contribution
+
+Unless you explicitly state otherwise, any contribution intentionally
+submitted for inclusion in the work by you, as defined in the MPL 2.0
+license, shall be licensed as above, without any additional terms or
+conditions.
+

build.rs

@@ -0,0 +1,24 @@
+#![allow(warnings)]
+#[macro_use]
+extern crate failure;
+extern crate ctap_hmac as ctap;
+
+#[path = "src/cli_args/mod.rs"]
+mod cli_args;
+#[path = "src/error.rs"]
+mod error;
+#[path = "src/util.rs"]
+mod util;
+
+use cli_args::Args;
+use std::env;
+use std::str::FromStr;
+use structopt::clap::Shell;
+use structopt::StructOpt;
+
+fn main() {
+    // generate completion scripts, zsh does panic for some reason
+    for shell in Shell::variants().iter().filter(|shell| **shell != "zsh") {
+        Args::clap().gen_completions(env!("CARGO_PKG_NAME"), Shell::from_str(shell).unwrap(), ".");
+    }
+}

initramfs-tools/Makefile

@@ -0,0 +1,11 @@
+.PHONY: install
+install:
+	chmod +x hook/fido2luks.sh keyscript.sh
+	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
+	mkdir -p /usr/share/fido2luks
+	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u
+remove:
+	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
+	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u

initramfs-tools/README.md

@@ -0,0 +1,34 @@
+## Initramfs-tools based systems(Ubuntu and derivatives)
+
+For easiest installation [download and install the precompiled deb from releases.](https://github.com/shimunn/fido2luks/releases). However it is possible to build from source via the instructions on the main readme.
+
+```
+sudo -s
+
+# Insert FIDO key.
+fido2luks credential
+# Tap FIDO key
+# Copy returned string <CREDENTIAL>
+
+nano /etc/fido2luks.conf
+# Insert <CREDENTIAL> 
+# FIDO2LUKS_CREDENTIAL_ID=<CREDENTIAL> 
+
+set -a
+. /etc/fido2luks.conf
+fido2luks -i add-key /dev/<LUKS PARTITION>
+# Current password: <Any current LUKS password>
+# Password: <Password used as FIDO challange>
+# Tap FIDO key
+
+nano /etc/crypttab
+# Append to end ",discard,initramfs,keyscript=fido2luks"
+# E.g. sda6_crypt UUID=XXXXXXXXXX none luks,discard,initramfs,keyscript=fido2luks
+
+update-initramfs -u
+
+
+```
+
+[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
+

initramfs-tools/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
+FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/hook/fido2luks.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+case "$1" in
+prereqs)
+	echo ""
+	exit 0
+	;;
+
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
+copy_exec /usr/bin/fido2luks
+exit 0

initramfs-tools/keyscript.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -a
+. /etc/fido2luks.conf
+
+if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
+	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
+	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
+fi
+
+if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
+	export FIDO2LUKS_CREDENTIAL_ID="$FIDO2LUKS_CREDENTIAL_ID,$(fido2luks token list --csv $CRYPTTAB_SOURCE)"
+fi
+
+fido2luks print-secret --bin

src/cli.rs

@@ -1,269 +1,70 @@
 use crate::error::*;
-use crate::luks;
+use crate::luks::{Fido2LuksToken, LuksDevice};
+use crate::util::sha256;
 use crate::*;
+use cli_args::*;
 
+use structopt::clap::Shell;
 use structopt::StructOpt;
 
 use ctap::{FidoCredential, FidoErrorKind};
-use failure::_core::fmt::{Display, Error, Formatter};
-use failure::_core::str::FromStr;
-use failure::_core::time::Duration;
-use std::io::Write;
-use std::process::exit;
-use std::thread;
 
-use crate::util::read_password;
+use std::io::{Read, Write};
+use std::str::FromStr;
+use std::thread;
+use std::time::Duration;
+
+use std::borrow::Cow;
+use std::collections::HashSet;
+use std::fs::File;
 use std::time::SystemTime;
 
-#[derive(Debug, Eq, PartialEq, Clone)]
+pub use cli_args::Args;
-pub struct HexEncoded(pub Vec<u8>);
 
-impl Display for HexEncoded {
+fn read_pin(ap: &AuthenticatorParameters) -> Fido2LuksResult<String> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+    if let Some(src) = ap.pin_source.as_ref() {
-        f.write_str(&hex::encode(&self.0))
+        let mut pin = String::new();
+        File::open(src)?.read_to_string(&mut pin)?;
+        Ok(pin)
+    } else {
+        util::read_password("Authenticator PIN", false)
     }
 }
 
-impl FromStr for HexEncoded {
+fn derive_secret(
-    type Err = hex::FromHexError;
+    credentials: &[HexEncoded],
+    salt: &[u8; 32],
+    timeout: u64,
+    pin: Option<&str>,
+) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+    let timeout = Duration::from_secs(timeout);
+    let start = SystemTime::now();
 
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
+    while let Ok(el) = start.elapsed() {
-        Ok(HexEncoded(hex::decode(s)?))
+        if el > timeout {
-    }
+            return Err(error::Fido2LuksError::NoAuthenticatorError);
-}
-
-#[derive(Debug, Eq, PartialEq, Clone)]
-pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
-
-impl<T: Display + FromStr> Display for CommaSeparated<T> {
-    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
-        for i in &self.0 {
-            f.write_str(&i.to_string())?;
-            f.write_str(",")?;
         }
-        Ok(())
+        if get_devices()
-    }
+            .map(|devices| !devices.is_empty())
-}
+            .unwrap_or(false)
-
+        {
-impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
+            break;
-    type Err = <T as FromStr>::Err;
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(CommaSeparated(
-            s.split(',')
-                .map(|part| <T as FromStr>::from_str(part))
-                .collect::<Result<Vec<_>, _>>()?,
-        ))
-    }
-}
-
-#[derive(Debug, StructOpt)]
-pub struct Args {
-    /// Request passwords via Stdin instead of using the password helper
-    #[structopt(short = "i", long = "interactive")]
-    pub interactive: bool,
-    #[structopt(subcommand)]
-    pub command: Command,
-}
-
-#[derive(Debug, StructOpt, Clone)]
-pub struct SecretGeneration {
-    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
-    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
-    pub credential_ids: CommaSeparated<HexEncoded>,
-    /// Salt for secret generation, defaults to 'ask'
-    ///
-    /// Options:{n}
-    ///  - ask              : Prompt user using password helper{n}
-    ///  - file:<PATH>      : Will read <FILE>{n}
-    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
-    #[structopt(
-        name = "salt",
-        long = "salt",
-        env = "FIDO2LUKS_SALT",
-        default_value = "ask"
-    )]
-    pub salt: InputSalt,
-    /// Script used to obtain passwords, overridden by --interactive flag
-    #[structopt(
-        name = "password-helper",
-        env = "FIDO2LUKS_PASSWORD_HELPER",
-        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
-    )]
-    pub password_helper: PasswordHelper,
-
-    /// Await for an authenticator to be connected, timeout after n seconds
-    #[structopt(
-        long = "await-dev",
-        name = "await-dev",
-        env = "FIDO2LUKS_DEVICE_AWAIT",
-        default_value = "15"
-    )]
-    pub await_authenticator: u64,
-
-    /// Request the password twice to ensure it being correct
-    #[structopt(
-        long = "verify-password",
-        env = "FIDO2LUKS_VERIFY_PASSWORD",
-        hidden = true
-    )]
-    pub verify_password: Option<bool>,
-}
-
-impl SecretGeneration {
-    pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
-        let mut me = self.clone();
-        if args.interactive {
-            me.password_helper = PasswordHelper::Stdin;
         }
-        me.verify_password = me.verify_password.or(verify_password);
+        thread::sleep(Duration::from_millis(500));
-        me
     }
 
-    pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
+    let credentials = credentials
-        let mut salt = [0u8; 32];
+        .iter()
-        match self.password_helper {
+        .map(|hex| FidoCredential {
-            PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
+            id: hex.0.clone(),
-                salt.copy_from_slice(&util::sha256(&[&read_password(
+            public_key: None,
-                    password_query,
+        })
-                    self.verify_password.unwrap_or(true),
+        .collect::<Vec<_>>();
-                )?
+    let credentials = credentials.iter().collect::<Vec<_>>();
-                .as_bytes()[..]]));
+    let (unsalted, cred) =
-            }
+        perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
-            _ => {
-                salt = self.salt.obtain(&self.password_helper)?;
-            }
-        }
-        let timeout = Duration::from_secs(self.await_authenticator);
-        let start = SystemTime::now();
 
-        while let Ok(el) = start.elapsed() {
+    Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
-            if el > timeout {
-                return Err(error::Fido2LuksError::NoAuthenticatorError);
-            }
-            if get_devices()
-                .map(|devices| !devices.is_empty())
-                .unwrap_or(false)
-            {
-                break;
-            }
-            thread::sleep(Duration::from_millis(500));
-        }
-        let credentials = &self
-            .credential_ids
-            .0
-            .iter()
-            .map(|HexEncoded(id)| FidoCredential {
-                id: id.to_vec(),
-                public_key: None,
-            })
-            .collect::<Vec<_>>();
-        let credentials = credentials.iter().collect::<Vec<_>>();
-        Ok(assemble_secret(
-            &perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?,
-            &salt,
-        ))
-    }
-}
-
-#[derive(Debug, StructOpt, Clone)]
-pub struct LuksSettings {
-    /// Number of milliseconds required to derive the volume decryption key
-    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
-    #[structopt(long = "kdf-time", name = "kdf-time")]
-    kdf_time: Option<u64>,
-}
-
-#[derive(Debug, StructOpt, Clone)]
-pub struct OtherSecret {
-    /// Use a keyfile instead of a password
-    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
-    keyfile: Option<PathBuf>,
-    /// Use another fido device instead of a password
-    /// Note: this requires for the credential fot the other device to be passed as argument as well
-    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
-    fido_device: bool,
-}
-
-impl OtherSecret {
-    pub fn obtain(
-        &self,
-        secret_gen: &SecretGeneration,
-        verify_password: bool,
-        password_question: &str,
-    ) -> Fido2LuksResult<Vec<u8>> {
-        match &self.keyfile {
-            Some(keyfile) => util::read_keyfile(keyfile.clone()),
-            None if self.fido_device => {
-                Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
-            }
-            None => util::read_password(password_question, verify_password)
-                .map(|p| p.as_bytes().to_vec()),
-        }
-    }
-}
-
-#[derive(Debug, StructOpt)]
-pub enum Command {
-    #[structopt(name = "print-secret")]
-    PrintSecret {
-        /// Prints the secret as binary instead of hex encoded
-        #[structopt(short = "b", long = "bin")]
-        binary: bool,
-        #[structopt(flatten)]
-        secret_gen: SecretGeneration,
-    },
-    /// Adds a generated key to the specified LUKS device
-    #[structopt(name = "add-key")]
-    AddKey {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
-        device: PathBuf,
-        /// Will wipe all other keys
-        #[structopt(short = "e", long = "exclusive")]
-        exclusive: bool,
-        #[structopt(flatten)]
-        existing_secret: OtherSecret,
-        #[structopt(flatten)]
-        secret_gen: SecretGeneration,
-        #[structopt(flatten)]
-        luks_settings: LuksSettings,
-    },
-    /// Replace a previously added key with a password
-    #[structopt(name = "replace-key")]
-    ReplaceKey {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
-        device: PathBuf,
-        /// Add the password and keep the key
-        #[structopt(short = "a", long = "add-password")]
-        add_password: bool,
-        #[structopt(flatten)]
-        replacement: OtherSecret,
-        #[structopt(flatten)]
-        secret_gen: SecretGeneration,
-        #[structopt(flatten)]
-        luks_settings: LuksSettings,
-    },
-    /// Open the LUKS device
-    #[structopt(name = "open")]
-    Open {
-        #[structopt(env = "FIDO2LUKS_DEVICE")]
-        device: PathBuf,
-        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
-        name: String,
-        #[structopt(short = "r", long = "max-retries", default_value = "0")]
-        retries: i32,
-        #[structopt(flatten)]
-        secret_gen: SecretGeneration,
-    },
-    /// Generate a new FIDO credential
-    #[structopt(name = "credential")]
-    Credential {
-        /// Name to be displayed on the authenticator if it has a display
-        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
-        name: Option<String>,
-    },
-    /// Check if an authenticator is connected
-    #[structopt(name = "connected")]
-    Connected,
 }
 
 pub fn parse_cmdline() -> Args {
@@ -273,19 +74,47 @@ pub fn parse_cmdline() -> Args {
 pub fn run_cli() -> Fido2LuksResult<()> {
     let mut stdout = io::stdout();
     let args = parse_cmdline();
+    let interactive = args.interactive;
     match &args.command {
-        Command::Credential { name } => {
+        Command::Credential {
-            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?;
+            authenticator,
+            name,
+        } => {
+            let pin_string;
+            let pin = if authenticator.pin {
+                pin_string = read_pin(authenticator)?;
+                Some(pin_string.as_ref())
+            } else {
+                None
+            };
+            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()), pin)?;
             println!("{}", hex::encode(&cred.id));
             Ok(())
         }
         Command::PrintSecret {
             binary,
-            ref secret_gen,
+            authenticator,
+            credentials,
+            secret,
         } => {
-            let secret = secret_gen
+            let pin_string;
-                .patch(&args, Some(false))
+            let pin = if authenticator.pin {
-                .obtain_secret("Password")?;
+                pin_string = read_pin(authenticator)?;
+                Some(pin_string.as_ref())
+            } else {
+                None
+            };
+            let salt = if interactive || secret.password_helper == PasswordHelper::Stdin {
+                util::read_password_hashed("Password", false)
+            } else {
+                secret.salt.obtain_sha256(&secret.password_helper)
+            }?;
+            let (secret, _cred) = derive_secret(
+                credentials.ids.0.as_slice(),
+                &salt,
+                authenticator.await_time,
+                pin,
+            )?;
             if *binary {
                 stdout.write_all(&secret[..])?;
             } else {
@@ -294,73 +123,186 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             Ok(stdout.flush()?)
         }
         Command::AddKey {
-            device,
+            luks,
-            exclusive,
+            authenticator,
-            existing_secret,
+            credentials,
-            ref secret_gen,
+            secret,
-            luks_settings,
+            luks_mod,
-        } => {
+            existing_secret: other_secret,
-            let secret_gen = secret_gen.patch(&args, None);
+            token,
-            let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
+            ..
-            let secret = secret_gen.obtain_secret("Password")?;
-            let added_slot = luks::add_key(
-                device.clone(),
-                &secret,
-                &old_secret[..],
-                luks_settings.kdf_time.or(Some(10)),
-            )?;
-            if *exclusive {
-                let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
-                println!(
-                    "Added to key to device {}, slot: {}\nRemoved {} old keys",
-                    device.display(),
-                    added_slot,
-                    destroyed
-                );
-            } else {
-                println!(
-                    "Added to key to device {}, slot: {}",
-                    device.display(),
-                    added_slot
-                );
-            }
-            Ok(())
         }
-        Command::ReplaceKey {
+        | Command::ReplaceKey {
-            device,
+            luks,
-            add_password,
+            authenticator,
-            replacement,
+            credentials,
-            ref secret_gen,
+            secret,
-            luks_settings,
+            luks_mod,
+            replacement: other_secret,
+            token,
+            ..
         } => {
-            let secret_gen = secret_gen.patch(&args, Some(false));
+            let pin = if authenticator.pin {
-            let secret = secret_gen.obtain_secret("Password")?;
+                Some(read_pin(authenticator)?)
-            let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
-            let slot = if *add_password {
-                luks::add_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
             } else {
-                luks::replace_key(device, &new_secret[..], &secret, luks_settings.kdf_time)
+                None
-            }?;
+            };
-            println!(
+            let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
-                "Added to password to device {}, slot: {}",
+                if interactive || secret.password_helper == PasswordHelper::Stdin {
-                device.display(),
+                    util::read_password_hashed(q, verify)
-                slot
+                } else {
-            );
+                    secret.salt.obtain_sha256(&secret.password_helper)
-            Ok(())
+                }
+            };
+            let other_secret = |salt_q: &str,
+                                verify: bool|
+             -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
+                match other_secret {
+                    OtherSecret {
+                        keyfile: Some(file),
+                        ..
+                    } => Ok((util::read_keyfile(file)?, None)),
+                    OtherSecret {
+                        fido_device: true, ..
+                    } => Ok(derive_secret(
+                        &credentials.ids.0,
+                        &salt(salt_q, verify)?,
+                        authenticator.await_time,
+                        pin.as_deref(),
+                    )
+                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
+                    _ => Ok((
+                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
+                        None,
+                    )),
+                }
+            };
+            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+                derive_secret(
+                    &credentials.ids.0,
+                    &salt("Password", verify)?,
+                    authenticator.await_time,
+                    pin.as_deref(),
+                )
+            };
+            let mut luks_dev = LuksDevice::load(&luks.device)?;
+            // Non overlap
+            match &args.command {
+                Command::AddKey { exclusive, .. } => {
+                    let (existing_secret, _) = other_secret("Current password", false)?;
+                    let (new_secret, cred) = secret(true)?;
+                    let added_slot = luks_dev.add_key(
+                        &new_secret,
+                        &existing_secret[..],
+                        luks_mod.kdf_time.or(Some(10)),
+                        Some(&cred.id[..]).filter(|_| *token),
+                    )?;
+                    if *exclusive {
+                        let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
+                        println!(
+                            "Added to key to device {}, slot: {}\nRemoved {} old keys",
+                            luks.device.display(),
+                            added_slot,
+                            destroyed
+                        );
+                    } else {
+                        println!(
+                            "Added to key to device {}, slot: {}",
+                            luks.device.display(),
+                            added_slot
+                        );
+                    }
+                    Ok(())
+                }
+                Command::ReplaceKey { add_password, .. } => {
+                    let (existing_secret, _) = secret(false)?;
+                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
+                    let slot = if *add_password {
+                        luks_dev.add_key(
+                            &replacement_secret[..],
+                            &existing_secret,
+                            luks_mod.kdf_time,
+                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
+                        )
+                    } else {
+                        luks_dev.replace_key(
+                            &replacement_secret[..],
+                            &existing_secret,
+                            luks_mod.kdf_time,
+                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
+                        )
+                    }?;
+                    println!(
+                        "Added to password to device {}, slot: {}",
+                        luks.device.display(),
+                        slot
+                    );
+                    Ok(())
+                }
+                _ => unreachable!(),
+            }
         }
         Command::Open {
-            device,
+            luks,
+            authenticator,
+            secret,
+            name,
+            retries,
+            ..
+        }
+        | Command::OpenToken {
+            luks,
+            authenticator,
+            secret,
             name,
             retries,
-            ref secret_gen,
         } => {
+            let pin_string;
+            let pin = if authenticator.pin {
+                pin_string = read_pin(authenticator)?;
+                Some(pin_string.as_ref())
+            } else {
+                None
+            };
+            let salt = |q: &str, verify: bool| -> Fido2LuksResult<[u8; 32]> {
+                if interactive || secret.password_helper == PasswordHelper::Stdin {
+                    util::read_password_hashed(q, verify)
+                } else {
+                    secret.salt.obtain_sha256(&secret.password_helper)
+                }
+            };
+
+            // Cow shouldn't be necessary
+            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
+                derive_secret(
+                    credentials.as_ref(),
+                    &salt("Password", false)?,
+                    authenticator.await_time,
+                    pin,
+                )
+            };
+
             let mut retries = *retries;
+            let mut luks_dev = LuksDevice::load(&luks.device)?;
             loop {
-                match secret_gen
+                let secret = match &args.command {
-                    .patch(&args, Some(false))
+                    Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
-                    .obtain_secret("Password")
+                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
-                    .and_then(|secret| luks::open_container(&device, &name, &secret))
+                    Command::OpenToken { .. } => luks_dev.activate_token(
-                {
+                        &name,
+                        Box::new(|credentials: Vec<String>| {
+                            let creds = credentials
+                                .into_iter()
+                                .flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
+                                .collect::<Vec<_>>();
+                            secret(Cow::Owned(creds))
+                                .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
+                        }),
+                        luks.slot,
+                    ),
+                    _ => unreachable!(),
+                };
+                match secret {
                     Err(e) => {
                         match e {
                             Fido2LuksError::WrongSecret if retries > 0 => {}
@@ -372,7 +314,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                         retries -= 1;
                         eprintln!("{}", e);
                     }
-                    res => break res,
+                    res => break res.map(|_| ()),
                 }
             }
         }
@@ -383,5 +325,141 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             }
             _ => exit(1),
         },
+        Command::Token(cmd) => match cmd {
+            TokenCommand::List {
+                device,
+                csv: dump_credentials,
+            } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut creds = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    for cred in token.credential.iter() {
+                        if !creds.contains(cred) {
+                            creds.push(cred.clone());
+                            if *dump_credentials {
+                                print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
+                            }
+                        }
+                    }
+                    if *dump_credentials {
+                        continue;
+                    }
+                    println!(
+                        "{}:\n\tSlots: {}\n\tCredentials: {}",
+                        id,
+                        if token.keyslots.is_empty() {
+                            "None".into()
+                        } else {
+                            token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
+                        },
+                        token
+                            .credential
+                            .iter()
+                            .map(|cred| format!(
+                                "{} ({})",
+                                cred,
+                                creds.iter().position(|c| c == cred).unwrap().to_string()
+                            ))
+                            .collect::<Vec<_>>()
+                            .join(",")
+                    );
+                }
+                if *dump_credentials {
+                    println!();
+                }
+                Ok(())
+            }
+            TokenCommand::Add {
+                device,
+                credentials,
+                slot,
+            } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut tokens = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    if token.keyslots.contains(&slot.to_string()) {
+                        tokens.push((id, token));
+                    }
+                }
+                let count = if tokens.is_empty() {
+                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
+                    1
+                } else {
+                    tokens.len()
+                };
+                for (id, mut token) in tokens {
+                    token
+                        .credential
+                        .extend(credentials.ids.0.iter().map(|h| h.to_string()));
+                    dev.update_token(id, &token)?;
+                }
+                println!("Updated {} tokens", count);
+                Ok(())
+            }
+            TokenCommand::Remove {
+                device,
+                credentials,
+                token_id,
+            } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut tokens = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    if let Some(token_id) = token_id {
+                        if id == *token_id {
+                            tokens.push((id, token));
+                        }
+                    } else {
+                        tokens.push((id, token));
+                    }
+                }
+                let count = tokens.len();
+                for (id, mut token) in tokens {
+                    token.credential = token
+                        .credential
+                        .into_iter()
+                        .filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
+                        .collect();
+                    dev.update_token(id, &token)?;
+                }
+                println!("Updated {} tokens", count);
+                Ok(())
+            }
+            TokenCommand::GC { device } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut creds: HashSet<String> = HashSet::new();
+                let mut remove = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    if token.keyslots.is_empty() || token.credential.is_empty() {
+                        creds.extend(token.credential);
+                        remove.push(id);
+                    }
+                }
+                for id in remove.iter().rev() {
+                    dev.remove_token(*id)?;
+                }
+                println!(
+                    "Removed {} tokens, affected credentials: {}",
+                    remove.len(),
+                    creds.into_iter().collect::<Vec<_>>().join(",")
+                );
+                Ok(())
+            }
+        },
+        Command::GenerateCompletions { shell, out_dir } => {
+            Args::clap().gen_completions(
+                env!("CARGO_PKG_NAME"),
+                match shell.as_ref() {
+                    "bash" => Shell::Bash,
+                    "fish" => Shell::Fish,
+                    _ => unreachable!("structopt shouldn't allow us to reach this point"),
+                },
+                &out_dir,
+            );
+            Ok(())
+        }
     }
 }

src/cli_args/config.rs

@@ -10,33 +10,33 @@ use std::process::Command;
 use std::str::FromStr;
 
 #[derive(Debug, Clone, PartialEq)]
-pub enum InputSalt {
+pub enum SecretInput {
     AskPassword,
     String(String),
     File { path: PathBuf },
 }
 
-impl Default for InputSalt {
+impl Default for SecretInput {
     fn default() -> Self {
-        InputSalt::AskPassword
+        SecretInput::AskPassword
     }
 }
 
-impl From<&str> for InputSalt {
+impl From<&str> for SecretInput {
     fn from(s: &str) -> Self {
         let mut parts = s.split(':');
         match parts.next() {
-            Some("ask") | Some("Ask") => InputSalt::AskPassword,
+            Some("ask") | Some("Ask") => SecretInput::AskPassword,
-            Some("file") => InputSalt::File {
+            Some("file") => SecretInput::File {
                 path: parts.collect::<Vec<_>>().join(":").into(),
             },
-            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            Some("string") => SecretInput::String(parts.collect::<Vec<_>>().join(":")),
             _ => Self::default(),
         }
     }
 }
 
-impl FromStr for InputSalt {
+impl FromStr for SecretInput {
     type Err = Fido2LuksError;
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
@@ -44,21 +44,42 @@ impl FromStr for InputSalt {
     }
 }
 
-impl fmt::Display for InputSalt {
+impl fmt::Display for SecretInput {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
         f.write_str(&match self {
-            InputSalt::AskPassword => "ask".to_string(),
+            SecretInput::AskPassword => "ask".to_string(),
-            InputSalt::String(s) => ["string", s].join(":"),
+            SecretInput::String(s) => ["string", s].join(":"),
-            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
+            SecretInput::File { path } => ["file", path.display().to_string().as_str()].join(":"),
         })
     }
 }
 
-impl InputSalt {
+impl SecretInput {
-    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
+    pub fn obtain_string(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<String> {
+        Ok(String::from_utf8(self.obtain(password_helper)?)?)
+    }
+
+    pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<Vec<u8>> {
+        let mut secret = Vec::new();
+        match self {
+            SecretInput::File { path } => {
+                //TODO: replace with try_blocks
+                let mut do_io = || File::open(path)?.read_to_end(&mut secret);
+                do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
+            }
+            SecretInput::AskPassword => {
+                secret.extend_from_slice(password_helper.obtain()?.as_bytes())
+            }
+
+            SecretInput::String(s) => secret.extend_from_slice(s.as_bytes()),
+        }
+        Ok(secret)
+    }
+
+    pub fn obtain_sha256(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
         let mut digest = digest::Context::new(&digest::SHA256);
         match self {
-            InputSalt::File { path } => {
+            SecretInput::File { path } => {
                 let mut do_io = || {
                     let mut reader = File::open(path)?;
                     let mut buf = [0u8; 512];
@@ -73,10 +94,7 @@ impl InputSalt {
                 };
                 do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
             }
-            InputSalt::AskPassword => {
+            _ => digest.update(self.obtain(password_helper)?.as_slice()),
-                digest.update(password_helper.obtain()?.as_bytes());
-            }
-            InputSalt::String(s) => digest.update(s.as_bytes()),
         }
         let mut salt = [0u8; 32];
         salt.as_mut().copy_from_slice(digest.finish().as_ref());
@@ -84,7 +102,7 @@ impl InputSalt {
     }
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq, Eq)]
 pub enum PasswordHelper {
     Script(String),
     #[allow(dead_code)]
@@ -135,10 +153,9 @@ impl PasswordHelper {
             Systemd => unimplemented!(),
             Stdin => Ok(util::read_password("Password", true)?),
             Script(password_helper) => {
-                let mut helper_parts = password_helper.split(' ');
+                let password = Command::new("sh")
-
+                    .arg("-c")
-                let password = Command::new((&mut helper_parts).next().unwrap())
+                    .arg(&password_helper)
-                    .args(helper_parts)
                     .output()
                     .map_err(|e| Fido2LuksError::AskPassError {
                         cause: error::AskPassError::IO(e),
@@ -158,24 +175,30 @@ mod test {
     #[test]
     fn input_salt_from_str() {
         assert_eq!(
-            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            "file:/tmp/abc".parse::<SecretInput>().unwrap(),
-            InputSalt::File {
+            SecretInput::File {
                 path: "/tmp/abc".into()
             }
         );
         assert_eq!(
-            "string:abc".parse::<InputSalt>().unwrap(),
+            "string:abc".parse::<SecretInput>().unwrap(),
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
+        );
+        assert_eq!(
+            "ask".parse::<SecretInput>().unwrap(),
+            SecretInput::AskPassword
+        );
+        assert_eq!(
+            "lol".parse::<SecretInput>().unwrap(),
+            SecretInput::default()
         );
-        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
-        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
     }
 
     #[test]
     fn input_salt_obtain() {
         assert_eq!(
-            InputSalt::String("abc".into())
+            SecretInput::String("abc".into())
-                .obtain(&PasswordHelper::Stdin)
+                .obtain_sha256(&PasswordHelper::Stdin)
                 .unwrap(),
             [
                 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,

src/cli_args/mod.rs

@@ -0,0 +1,293 @@
+use std::fmt::{Display, Error, Formatter};
+use std::path::PathBuf;
+use std::str::FromStr;
+use structopt::clap::AppSettings;
+use structopt::StructOpt;
+
+mod config;
+
+pub use config::*;
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct HexEncoded(pub Vec<u8>);
+
+impl Display for HexEncoded {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        f.write_str(&hex::encode(&self.0))
+    }
+}
+
+impl AsRef<[u8]> for HexEncoded {
+    fn as_ref(&self) -> &[u8] {
+        &self.0[..]
+    }
+}
+
+impl FromStr for HexEncoded {
+    type Err = hex::FromHexError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(HexEncoded(hex::decode(s)?))
+    }
+}
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
+
+impl<T: Display + FromStr> Display for CommaSeparated<T> {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        for i in &self.0 {
+            f.write_str(&i.to_string())?;
+            f.write_str(",")?;
+        }
+        Ok(())
+    }
+}
+
+impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
+    type Err = <T as FromStr>::Err;
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(CommaSeparated(
+            s.split(',')
+                .map(|part| <T as FromStr>::from_str(part))
+                .collect::<Result<Vec<_>, _>>()?,
+        ))
+    }
+}
+
+#[derive(Debug, StructOpt)]
+pub struct Credentials {
+    /// FIDO credential ids, separated by ',' generate using fido2luks credential
+    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
+    pub ids: CommaSeparated<HexEncoded>,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct AuthenticatorParameters {
+    /// Request a PIN to unlock the authenticator
+    #[structopt(short = "P", long = "pin")]
+    pub pin: bool,
+
+    /// Location to read PIN from
+    #[structopt(long = "pin-source", env = "FIDO2LUKS_PIN_SOURCE")]
+    pub pin_source: Option<PathBuf>,
+
+    /// Await for an authenticator to be connected, timeout after n seconds
+    #[structopt(
+        long = "await-dev",
+        name = "await-dev",
+        env = "FIDO2LUKS_DEVICE_AWAIT",
+        default_value = "15"
+    )]
+    pub await_time: u64,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct LuksParameters {
+    #[structopt(env = "FIDO2LUKS_DEVICE")]
+    pub device: PathBuf,
+
+    /// Try to unlock the device using a specifc keyslot, ignore all other slots
+    #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
+    pub slot: Option<u32>,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct LuksModParameters {
+    /// Number of milliseconds required to derive the volume decryption key
+    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
+    #[structopt(long = "kdf-time", name = "kdf-time")]
+    pub kdf_time: Option<u64>,
+}
+
+#[derive(Debug, StructOpt)]
+pub struct SecretParameters {
+    /// Salt for secret generation, defaults to 'ask'
+    ///
+    /// Options:{n}
+    ///  - ask              : Prompt user using password helper{n}
+    ///  - file:<PATH>      : Will read <FILE>{n}
+    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
+    #[structopt(
+        name = "salt",
+        long = "salt",
+        env = "FIDO2LUKS_SALT",
+        default_value = "ask"
+    )]
+    pub salt: SecretInput,
+    /// Script used to obtain passwords, overridden by --interactive flag
+    #[structopt(
+        name = "password-helper",
+        env = "FIDO2LUKS_PASSWORD_HELPER",
+        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+    )]
+    pub password_helper: PasswordHelper,
+}
+#[derive(Debug, StructOpt)]
+pub struct Args {
+    /// Request passwords via Stdin instead of using the password helper
+    #[structopt(short = "i", long = "interactive")]
+    pub interactive: bool,
+    #[structopt(subcommand)]
+    pub command: Command,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct OtherSecret {
+    /// Use a keyfile instead of a password
+    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
+    pub keyfile: Option<PathBuf>,
+    /// Use another fido device instead of a password
+    /// Note: this requires for the credential fot the other device to be passed as argument as well
+    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
+    pub fido_device: bool,
+}
+
+#[derive(Debug, StructOpt)]
+pub enum Command {
+    #[structopt(name = "print-secret")]
+    PrintSecret {
+        /// Prints the secret as binary instead of hex encoded
+        #[structopt(short = "b", long = "bin")]
+        binary: bool,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+    },
+    /// Adds a generated key to the specified LUKS device
+    #[structopt(name = "add-key")]
+    AddKey {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        /// Will wipe all other keys
+        #[structopt(short = "e", long = "exclusive")]
+        exclusive: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
+        #[structopt(flatten)]
+        existing_secret: OtherSecret,
+        #[structopt(flatten)]
+        luks_mod: LuksModParameters,
+    },
+    /// Replace a previously added key with a password
+    #[structopt(name = "replace-key")]
+    ReplaceKey {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        /// Add the password and keep the key
+        #[structopt(short = "a", long = "add-password")]
+        add_password: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
+        #[structopt(flatten)]
+        replacement: OtherSecret,
+        #[structopt(flatten)]
+        luks_mod: LuksModParameters,
+    },
+    /// Open the LUKS device
+    #[structopt(name = "open")]
+    Open {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
+    },
+    /// Open the LUKS device using credentials embedded in the LUKS 2 header
+    #[structopt(name = "open-token")]
+    OpenToken {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
+    },
+    /// Generate a new FIDO credential
+    #[structopt(name = "credential")]
+    Credential {
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        /// Name to be displayed on the authenticator if it has a display
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
+        name: Option<String>,
+    },
+    /// Check if an authenticator is connected
+    #[structopt(name = "connected")]
+    Connected,
+    Token(TokenCommand),
+    /// Generate bash completion scripts
+    #[structopt(name = "completions", setting = AppSettings::Hidden)]
+    GenerateCompletions {
+        /// Shell to generate completions for: bash, fish
+        #[structopt(possible_values = &["bash", "fish"])]
+        shell: String,
+        out_dir: PathBuf,
+    },
+}
+
+///LUKS2 token related operations
+#[derive(Debug, StructOpt)]
+pub enum TokenCommand {
+    /// List all tokens associated with the specified device
+    List {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Dump all credentials as CSV
+        #[structopt(long = "csv")]
+        csv: bool,
+    },
+    /// Add credential to a keyslot
+    Add {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        /// Slot to which the credentials will be added
+        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
+        slot: u32,
+    },
+    /// Remove credentials from token(s)
+    Remove {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        /// Token from which the credentials will be removed
+        #[structopt(long = "token")]
+        token_id: Option<u32>,
+    },
+    /// Remove all unassigned tokens
+    GC {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+    },
+}

src/device.rs

@@ -9,13 +9,21 @@ use std::time::Duration;
 
 const RP_ID: &str = "fido2luks";
 
-pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
+pub fn make_credential_id(
+    name: Option<&str>,
+    pin: Option<&str>,
+) -> Fido2LuksResult<FidoCredential> {
     let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
     if let Some(user_name) = name {
         request = request.user_name(user_name);
     }
     let request = request.build().unwrap();
-    let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request);
+    let make_credential = |device: &mut FidoDevice| {
+        if let Some(pin) = pin {
+            device.unlock(pin)?;
+        }
+        device.make_hmac_credential(&request)
+    };
     Ok(request_multiple_devices(
         get_devices()?
             .iter_mut()
@@ -24,26 +32,30 @@ pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential>
     )?)
 }
 
-pub fn perform_challenge(
+pub fn perform_challenge<'a>(
-    credentials: &[&FidoCredential],
+    credentials: &'a [&'a FidoCredential],
     salt: &[u8; 32],
     timeout: Duration,
-) -> Fido2LuksResult<[u8; 32]> {
+    pin: Option<&str>,
+) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
     let request = FidoAssertionRequestBuilder::default()
         .rp_id(RP_ID)
         .credentials(credentials)
         .build()
         .unwrap();
     let get_assertion = |device: &mut FidoDevice| {
+        if let Some(pin) = pin {
+            device.unlock(pin)?;
+        }
         device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
     };
-    let (_, (secret, _)) = request_multiple_devices(
+    let (credential, (secret, _)) = request_multiple_devices(
         get_devices()?
             .iter_mut()
             .map(|device| (device, &get_assertion)),
         Some(timeout),
     )?;
-    Ok(secret)
+    Ok((secret, credential))
 }
 
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {

src/error.rs

@@ -1,6 +1,10 @@
 use ctap::FidoError;
+use libcryptsetup_rs::LibcryptErr;
+use pamsm::PamError;
 use std::io;
-
+use std::io::ErrorKind;
+use std::string::FromUtf8Error;
+use Fido2LuksError::*;
 pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
 
 #[derive(Debug, Fail)]
@@ -13,16 +17,22 @@ pub enum Fido2LuksError {
     AuthenticatorError { cause: ctap::FidoError },
     #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     NoAuthenticatorError,
-    #[fail(display = "luks err")]
+    #[fail(display = " {}", cause)]
-    LuksError {
+    CryptsetupError {
         cause: libcryptsetup_rs::LibcryptErr,
     },
-    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
+    #[fail(display = "{}", cause)]
+    LuksError { cause: LuksError },
+    #[fail(display = "{}", cause)]
     IoError { cause: io::Error },
     #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
+    #[fail(display = "elevated privileges required")]
+    MissingPrivileges,
+    #[fail(display = "{}", cause)]
+    Configuration { cause: ConfigurationError },
 }
 
 impl Fido2LuksError {
@@ -44,11 +54,60 @@ pub enum AskPassError {
     IO(io::Error),
     #[fail(display = "provided passwords don't match")]
     Mismatch,
+    #[fail(display = "unable to retrieve password: {}", _0)]
+    Pam(PamError),
 }
 
-use libcryptsetup_rs::LibcryptErr;
+impl From<PamError> for AskPassError {
-use std::string::FromUtf8Error;
+    fn from(e: PamError) -> Self {
-use Fido2LuksError::*;
+        AskPassError::Pam(e)
+    }
+}
+
+impl From<io::Error> for AskPassError {
+    fn from(e: io::Error) -> Self {
+        AskPassError::IO(e)
+    }
+}
+
+impl From<AskPassError> for Fido2LuksError {
+    fn from(cause: AskPassError) -> Self {
+        Fido2LuksError::AskPassError { cause }
+    }
+}
+
+#[derive(Debug, Fail)]
+pub enum LuksError {
+    #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
+    Luks2Required,
+    #[fail(display = "Invalid token: {}", _0)]
+    InvalidToken(String),
+    #[fail(display = "No token found")]
+    NoToken,
+    #[fail(display = "The device already exists")]
+    DeviceExists,
+}
+
+impl LuksError {
+    pub fn activate(e: LibcryptErr) -> Fido2LuksError {
+        match e {
+            LibcryptErr::IOError(ref io) => match io.raw_os_error() {
+                Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
+                Some(17) => Fido2LuksError::LuksError {
+                    cause: LuksError::DeviceExists,
+                },
+                _ => return Fido2LuksError::CryptsetupError { cause: e },
+            },
+            _ => Fido2LuksError::CryptsetupError { cause: e },
+        }
+    }
+}
+
+impl From<LuksError> for Fido2LuksError {
+    fn from(e: LuksError) -> Self {
+        Fido2LuksError::LuksError { cause: e }
+    }
+}
 
 impl From<FidoError> for Fido2LuksError {
     fn from(e: FidoError) -> Self {
@@ -62,7 +121,7 @@ impl From<LibcryptErr> for Fido2LuksError {
             LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                 WrongSecret
             }
-            _ => LuksError { cause: e },
+            _ => CryptsetupError { cause: e },
         }
     }
 }
@@ -77,3 +136,16 @@ impl From<FromUtf8Error> for Fido2LuksError {
         StringEncodingError { cause: e }
     }
 }
+#[derive(Debug, Fail)]
+pub enum ConfigurationError {
+    #[fail(display = "config is missing some values: {:?}", _0)]
+    Missing(Vec<String>),
+    #[fail(display = "config attribute {} contains an invalid value: {}", _1, _0)]
+    InvalidValue(String, String),
+}
+
+impl From<ConfigurationError> for Fido2LuksError {
+    fn from(cause: ConfigurationError) -> Fido2LuksError {
+        Fido2LuksError::Configuration { cause }
+    }
+}

src/lib.rs

@@ -0,0 +1,183 @@
+#[macro_use]
+extern crate failure;
+extern crate ctap_hmac as ctap;
+#[macro_use]
+extern crate serde_derive;
+use crate::cli_args::{CommaSeparated, HexEncoded};
+use crate::device::*;
+use crate::error::*;
+use crate::luks::*;
+use ctap::FidoCredential;
+use failure::_core::time::Duration;
+use pamsm::PamLibExt;
+use pamsm::*;
+use std::collections::{HashMap, HashSet};
+use std::path::Path;
+use std::str::FromStr;
+use sudo::{self, RunningAs};
+
+pub mod cli_args;
+pub mod device;
+pub mod error;
+pub mod luks;
+pub mod util;
+
+struct PamFido2Luks;
+
+impl PamFido2Luks {
+    fn open(
+        &self,
+        user: String,
+        mut password: impl FnMut(&str) -> PamResult<String>,
+        args: Vec<String>,
+    ) -> Fido2LuksResult<()> {
+        let args: HashMap<String, String> = args
+            .into_iter()
+            .filter_map(|arg| {
+                let mut parts = arg.split("=");
+                parts
+                    .by_ref()
+                    .next()
+                    .map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
+            })
+            .collect();
+
+        let credentials = match args.get("credentials").map(|creds| {
+            <CommaSeparated<String>>::from_str(creds)
+                .map(|cs| cs.0)
+                .map_err(|_| ConfigurationError::InvalidValue("credentials".into(), creds.into()))
+        }) {
+            Some(creds) => creds?,
+            _ => Vec::new(),
+        };
+        let pin = args.get("pin");
+        let pin_prefix = args
+            .get("pin-prefix")
+            .map(|p| p.parse::<bool>().unwrap_or_default())
+            .unwrap_or_default();
+        let device = args
+            .get("device")
+            .map(|device| device.replace("%user%", user.as_str()));
+        let name = args
+            .get("name")
+            .map(|name| name.replace("%user%", user.as_str()));
+
+        let mut attempts = args
+            .get("attempts")
+            .and_then(|a| a.parse::<usize>().ok())
+            .unwrap_or(3);
+
+        if let (Some(device), Some(name)) = (device, name) {
+            if !Path::new(&device).exists() || Path::new(&format!("/dev/mapper/{}", name)).exists()
+            {
+                return Ok(());
+            }
+            // root required to mount luks
+            match sudo::check() {
+                RunningAs::User => return Err(Fido2LuksError::MissingPrivileges),
+                _ => {
+                    sudo::escalate_if_needed().map_err(|_| Fido2LuksError::MissingPrivileges)?;
+                }
+            }
+            let mut device = LuksDevice::load(device)?;
+            let mut additional_credentials: HashSet<String> = HashSet::new();
+            if device.is_luks2()? {
+                for token in device.tokens()? {
+                    let (_, token) = token?;
+                    additional_credentials.extend(token.credential.into_iter());
+                }
+            }
+            let credentials: Vec<FidoCredential> = credentials
+                .into_iter()
+                .chain(additional_credentials.into_iter())
+                .map(|cred| HexEncoded::from_str(cred.as_str()))
+                .map(|cred| FidoCredential {
+                    id: cred.unwrap().0,
+                    public_key: None,
+                })
+                .collect();
+            let credentials: Vec<&FidoCredential> = credentials.iter().collect();
+            if !credentials.is_empty() {
+                loop {
+                    let (pin, pass) = if pin_prefix {
+                        let password = password("PIN + FIDO2 salt (pin:password):")
+                            .map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?;
+                        let mut parts = password.split(":");
+                        (
+                            parts.next().map(|p| p.to_string()).or(pin.cloned()),
+                            parts.collect::<Vec<_>>().join(":"),
+                        )
+                    } else {
+                        (
+                            pin.cloned(),
+                            password("FIDO2 salt: ")
+                                .map_err(|e| Fido2LuksError::AskPassError { cause: e.into() })?,
+                        )
+                    };
+
+                    let salt = util::sha256(&[pass.as_bytes()]);
+                    let secret = util::sha256(&[
+                        &salt,
+                        &perform_challenge(
+                            &credentials[..],
+                            &salt,
+                            Duration::from_secs(15),
+                            pin.as_ref().map(String::as_str),
+                        )?
+                        .0[..],
+                    ]);
+                    match device.activate(name.as_str(), &secret[..], None) {
+                        Ok(_) => return Ok(()),
+                        _ if attempts > 0 => {
+                            attempts -= 1;
+                            continue;
+                        }
+                        Err(e) => break Err(e),
+                    }
+                }
+            } else {
+                Err(ConfigurationError::Missing(vec!["credentials".into()]).into())
+            }
+        } else {
+            Ok(())
+        }
+    }
+}
+
+impl PamServiceModule for PamFido2Luks {
+    fn authenticate(pamh: Pam, _flag: PamFlag, args: Vec<String>) -> PamError {
+        let perfrom_authenticate = move || -> Fido2LuksResult<()> {
+            let user = match pamh.get_cached_user() {
+                Err(e) => Err(AskPassError::Pam(e))?,
+                Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
+            };
+            let mut password = match pamh.get_authtok(None) {
+                Err(e) => Err(AskPassError::Pam(e))?,
+                Ok(p) => p.map(|s| s.to_str().map(str::to_string).unwrap()),
+            };
+            if let Some(user) = user {
+                PamFido2Luks.open(
+                    user,
+                    move |q: &str| match password.take() {
+                        Some(pass) => Ok(pass),
+                        None => pamh
+                            .conv(Some(q), PamMsgStyle::PROMPT_ECHO_OFF)
+                            .map(|s| s.map(|s| s.to_str().unwrap()).unwrap_or("").to_string()),
+                    },
+                    args,
+                )
+            } else {
+                Err(AskPassError::Pam(PamError::AUTH_ERR))?
+            }
+        };
+        match perfrom_authenticate() {
+            Ok(_) => PamError::SUCCESS,
+            Err(e) => {
+                eprintln!("{}", e);
+                PamError::AUTH_ERR
+            }
+        }
+    }
+}
+
+pam_module!(PamFido2Luks);

src/luks.rs

@@ -1,82 +1,327 @@
 use crate::error::*;
 
-use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
+use libcryptsetup_rs::{
+    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
+    TokenInput,
+};
+use std::collections::{HashMap, HashSet};
 use std::path::Path;
 
-fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+pub struct LuksDevice {
-    let mut device = CryptInit::init(path.as_ref())?;
+    device: CryptDevice,
-    //TODO: determine luks version some way other way than just trying
+    luks2: Option<bool>,
-    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
+}
-    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
+
-        .into_iter()
+impl LuksDevice {
-        .fold(None, |res, format| match res {
+    pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
-            Some(Ok(())) => res,
+        let mut device = CryptInit::init(path.as_ref())?;
-            Some(e) => Some(e.or_else(|_| load(format))),
+        device.context_handle().load::<()>(None, None)?;
-            None => Some(load(format)),
+        Ok(Self {
+            device,
+            luks2: None,
         })
-        .unwrap()?;
-    Ok(device)
-}
-
-pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
-    let mut device = load_device_handle(path)?;
-    device
-        .activate_handle()
-        .activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty())
-        .map(|_slot| ())
-        .map_err(|_e| Fido2LuksError::WrongSecret)
-}
-
-pub fn add_key<P: AsRef<Path>>(
-    path: P,
-    secret: &[u8],
-    old_secret: &[u8],
-    iteration_time: Option<u64>,
-) -> Fido2LuksResult<u32> {
-    let mut device = load_device_handle(path)?;
-    if let Some(millis) = iteration_time {
-        device.settings_handle().set_iteration_time(millis)
     }
-    let slot = device
-        .keyslot_handle(None)
-        .add_by_passphrase(old_secret, secret)?;
-    Ok(slot)
-}
 
-pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+    pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
-    let mut device = load_device_handle(path)?;
+        if let Some(luks2) = self.luks2 {
-    let mut handle;
+            Ok(luks2)
-    let mut destroyed = 0;
+        } else {
-    //TODO: detect how many keyslots there are instead of trying within a given range
+            self.luks2 = Some(match self.device.format_handle().get_type()? {
-    for slot in 0..1024 {
+                EncryptionFormat::Luks2 => true,
-        handle = device.keyslot_handle(Some(slot));
+                _ => false,
-        match handle.status()? {
+            });
-            KeyslotInfo::Inactive => continue,
+            self.is_luks2()
-            KeyslotInfo::Active if !exclude.contains(&slot) => {
+        }
-                handle.destroy()?;
+    }
-                destroyed += 1;
+
+    fn require_luks2(&mut self) -> Fido2LuksResult<()> {
+        if !self.is_luks2()? {
+            return Err(LuksError::Luks2Required.into());
+        }
+        Ok(())
+    }
+
+    pub fn tokens<'a>(
+        &'a mut self,
+    ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
+    {
+        self.require_luks2()?;
+        Ok(Box::new(
+            (0..32)
+                .map(move |i| {
+                    let status = match self.device.token_handle().status(i) {
+                        Ok(status) => status,
+                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                    };
+                    match status {
+                        CryptTokenInfo::Inactive => return None,
+                        CryptTokenInfo::Internal(s)
+                        | CryptTokenInfo::InternalUnknown(s)
+                        | CryptTokenInfo::ExternalUnknown(s)
+                        | CryptTokenInfo::External(s)
+                            if &s != Fido2LuksToken::default_type() =>
+                        {
+                            return None
+                        }
+                        _ => (),
+                    };
+                    let json = match self.device.token_handle().json_get(i) {
+                        Ok(json) => json,
+                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                    };
+                    let info: Fido2LuksToken =
+                        match serde_json::from_value(json.clone()).map_err(|_| {
+                            Fido2LuksError::LuksError {
+                                cause: LuksError::InvalidToken(json.to_string()),
+                            }
+                        }) {
+                            Ok(info) => info,
+                            Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                        };
+                    Some(Ok((i, info)))
+                })
+                .filter_map(|o| o),
+        ))
+    }
+
+    pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
+        let slot_str = slot.to_string();
+        for token in self.tokens()? {
+            let (id, token) = token?;
+            if token.keyslots.contains(&slot_str) {
+                return Ok(Some((id, token)));
             }
-            _ => (),
-        }
-        if let KeyslotInfo::ActiveLast = handle.status()? {
-            break;
         }
+        Ok(None)
+    }
+
+    pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
+        Ok(())
+    }
+
+    pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::RemoveToken(token))?;
+        Ok(())
+    }
+
+    pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::ReplaceToken(
+                token,
+                &serde_json::to_value(&data).unwrap(),
+            ))?;
+        Ok(())
+    }
+
+    pub fn add_key(
+        &mut self,
+        secret: &[u8],
+        old_secret: &[u8],
+        iteration_time: Option<u64>,
+        credential_id: Option<&[u8]>,
+    ) -> Fido2LuksResult<u32> {
+        if let Some(millis) = iteration_time {
+            self.device.settings_handle().set_iteration_time(millis)
+        }
+        let slot = self
+            .device
+            .keyslot_handle()
+            .add_by_passphrase(None, old_secret, secret)?;
+        if let Some(id) = credential_id {
+            self.device.token_handle().json_set(TokenInput::AddToken(
+                &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
+            ))?;
+        }
+
+        Ok(slot)
+    }
+
+    pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
+        let mut destroyed = 0;
+        let mut tokens = Vec::new();
+        for slot in 0..256 {
+            match self.device.keyslot_handle().status(slot)? {
+                KeyslotInfo::Inactive => continue,
+                KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
+                    if self.is_luks2()? {
+                        if let Some((id, _token)) = self.find_token(slot)? {
+                            tokens.push(id);
+                        }
+                    }
+                    self.device.keyslot_handle().destroy(slot)?;
+                    destroyed += 1;
+                }
+                KeyslotInfo::ActiveLast => break,
+                _ => (),
+            }
+            if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
+                break;
+            }
+        }
+        // Ensure indices stay valid
+        tokens.sort();
+        for token in tokens.iter().rev() {
+            self.remove_token(*token)?;
+        }
+        Ok(destroyed)
+    }
+
+    pub fn replace_key(
+        &mut self,
+        secret: &[u8],
+        old_secret: &[u8],
+        iteration_time: Option<u64>,
+        credential_id: Option<&[u8]>,
+    ) -> Fido2LuksResult<u32> {
+        if let Some(millis) = iteration_time {
+            self.device.settings_handle().set_iteration_time(millis)
+        }
+        // Use activate dry-run to locate keyslot
+        let slot = self.device.activate_handle().activate_by_passphrase(
+            None,
+            None,
+            old_secret,
+            CryptActivateFlags::empty(),
+        )?;
+        self.device.keyslot_handle().change_by_passphrase(
+            Some(slot),
+            Some(slot),
+            old_secret,
+            secret,
+        )? as u32;
+        if let Some(id) = credential_id {
+            if self.is_luks2()? {
+                let token = self.find_token(slot)?.map(|(t, _)| t);
+                let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
+                if let Some(token) = token {
+                    self.device
+                        .token_handle()
+                        .json_set(TokenInput::ReplaceToken(token, &json))?;
+                } else {
+                    self.device
+                        .token_handle()
+                        .json_set(TokenInput::AddToken(&json))?;
+                }
+            }
+        }
+        Ok(slot)
+    }
+
+    pub fn activate(
+        &mut self,
+        name: &str,
+        secret: &[u8],
+        slot_hint: Option<u32>,
+    ) -> Fido2LuksResult<u32> {
+        self.device
+            .activate_handle()
+            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
+            .map_err(LuksError::activate)
+    }
+
+    pub fn activate_token(
+        &mut self,
+        name: &str,
+        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
+        slot_hint: Option<u32>,
+    ) -> Fido2LuksResult<u32> {
+        if !self.is_luks2()? {
+            return Err(LuksError::Luks2Required.into());
+        }
+        let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
+        for token in self.tokens()? {
+            let token = match token {
+                Ok((_id, t)) => t,
+                _ => continue, // An corrupted token should't lock the user out
+            };
+            let slots = || {
+                token
+                    .keyslots
+                    .iter()
+                    .filter_map(|slot| slot.parse::<u32>().ok())
+            };
+            for cred in token.credential.iter() {
+                creds
+                    .entry(cred.clone())
+                    .or_insert_with(|| slots().collect::<HashSet<u32>>())
+                    .extend(slots());
+            }
+        }
+        if creds.is_empty() {
+            return Err(Fido2LuksError::LuksError {
+                cause: LuksError::NoToken,
+            });
+        }
+        let (secret, credential) = secret(creds.keys().cloned().collect())?;
+        let empty;
+        let slots = if let Some(slots) = creds.get(&credential) {
+            slots
+        } else {
+            empty = HashSet::new();
+            &empty
+        };
+        //Try slots associated with the credential used
+        let slots = slots.iter().cloned().map(Option::Some).chain(
+            std::iter::once(slot_hint) // Try slot hint if there is one
+                .take(slot_hint.is_some() as usize)
+                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
+        );
+        for slot in slots {
+            match self.activate(name, &secret, slot) {
+                Err(Fido2LuksError::WrongSecret) => (),
+                res => return res,
+            }
+        }
+        Err(Fido2LuksError::WrongSecret)
     }
-    Ok(destroyed)
 }
 
-pub fn replace_key<P: AsRef<Path>>(
+#[derive(Debug, Clone, Serialize, Deserialize)]
-    path: P,
+pub struct Fido2LuksToken {
-    secret: &[u8],
+    #[serde(rename = "type")]
-    old_secret: &[u8],
+    pub type_: String,
-    iteration_time: Option<u64>,
+    pub credential: HashSet<String>,
-) -> Fido2LuksResult<u32> {
+    pub keyslots: HashSet<String>,
-    let mut device = load_device_handle(path)?;
+}
-    // Set iteration time not sure wether this applies to luks2 as well
+
-    if let Some(millis) = iteration_time {
+impl Fido2LuksToken {
-        device.settings_handle().set_iteration_time(millis)
+    pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
-    }
+        Self::with_credentials(std::iter::once(credential_id), slot)
-    Ok(device
+    }
-        .keyslot_handle(None)
+
-        .change_by_passphrase(None, None, old_secret, secret)? as u32)
+    pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
+        credentials: I,
+        slot: u32,
+    ) -> Self {
+        Self {
+            credential: credentials
+                .into_iter()
+                .map(|cred| hex::encode(cred.as_ref()))
+                .collect(),
+            keyslots: vec![slot.to_string()].into_iter().collect(),
+            ..Default::default()
+        }
+    }
+    pub fn default_type() -> &'static str {
+        "fido2luks"
+    }
+}
+
+impl Default for Fido2LuksToken {
+    fn default() -> Self {
+        Self {
+            type_: Self::default_type().into(),
+            credential: HashSet::new(),
+            keyslots: HashSet::new(),
+        }
+    }
 }

src/main.rs

@@ -1,51 +1,27 @@
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;
+#[macro_use]
+extern crate serde_derive;
 use crate::cli::*;
-use crate::config::*;
 use crate::device::*;
 use crate::error::*;
 use std::io;
-use std::path::PathBuf;
 use std::process::exit;
 
 mod cli;
-mod config;
+pub mod cli_args;
 mod device;
 mod error;
 mod luks;
 mod util;
 
-fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
-    util::sha256(&[salt, hmac_result])
-}
-
 fn main() -> Fido2LuksResult<()> {
     match run_cli() {
         Err(e) => {
-            #[cfg(debug_assertions)]
             eprintln!("{:?}", e);
-            #[cfg(not(debug_assertions))]
-            eprintln!("{}", e);
             exit(e.exit_code())
         }
         _ => exit(0),
     }
 }
-
-#[cfg(test)]
-mod test {
-
-    use super::*;
-
-    #[test]
-    fn test_assemble_secret() {
-        assert_eq!(
-            assemble_secret(b"abc", b"def"),
-            [
-                46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
-                33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
-            ]
-        )
-    }
-}

src/util.rs

@@ -29,6 +29,10 @@ pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
     }
 }
 
+pub fn read_password_hashed(q: &str, verify: bool) -> Fido2LuksResult<[u8; 32]> {
+    read_password(q, verify).map(|pass| sha256(&[pass.as_bytes()]))
+}
+
 pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
     let mut file = File::open(path.into())?;
     let mut key = Vec::new();