generate README from docs

switch to license compatible with all dependencies
cargo-deb meta
2020-07-26 20:47:29 +02:00 · 2020-07-04 21:32:21 +02:00 · 2020-07-03 16:21:35 +02:00 · 2020-07-03 15:59:12 +02:00 · 2020-07-03 15:55:23 +02:00 · 2020-06-23 23:55:07 +02:00
17 changed files with 1690 additions and 895 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -3,32 +3,32 @@ name: default
 steps:
 - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
   commands:
     -  rustup component add rustfmt
     -  cargo fmt --all -- --check
 - name: readme
   image: msrd0/cargo-readme@sha256:2b916451e576cda54f1e02703fa092b9d5af95bcf48426a1ef42872a19467fd3
   commands:
     - cargo readme > ~README.md
     - cmp -s README.md ~README.md || (printf "README.md need to be updated:\n"; cat ~README.md; exit 1)
 - name: test
-   image: rust:1.37.0
+   image: rust:1.43.0
   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
    - cargo test
-
+ - name: publish
- - name: build
+   image: rust:1.43.0
-   image: rust:1.37.0
+   environment:
    CARGO_REGISTRY_TOKEN:
     from_secret: cargo_tkn
   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-    - cargo install -f --path . --root .
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
    - cargo package --all-features
    - cargo publish --all-features
   when:
    event: tag
- - name: publish
+   depends_on: ["fmt", "test", "readme"]
   image: plugins/github-release
   settings:
     api_key:
      from_secret: github_release
     files:
      - bin/fido2luks
     checksum:
      - md5
      - sha256
   when:
    event: tag    
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -55,9 +55,9 @@ dependencies = [
 [[package]]
 name = "backtrace-sys"
-version = "0.1.35"
+version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7de8aba10a69c8e8d7622c5710229485ec32e9d55fdad160ea559c086fdcd118"
+checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
 dependencies = [
 "cc",
 "libc",
@@ -111,9 +111,9 @@ dependencies = [
 [[package]]
 name = "cc"
-version = "1.0.50"
+version = "1.0.52"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd"
+checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
 [[package]]
 name = "cexpr"
@@ -287,7 +287,7 @@ dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
 "strsim 0.9.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 [[package]]
@@ -298,7 +298,7 @@ checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
 "darling_core",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 [[package]]
@@ -311,7 +311,7 @@ dependencies = [
 "derive_builder_core",
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 [[package]]
@@ -323,7 +323,7 @@ dependencies = [
 "darling",
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 [[package]]
@@ -363,13 +363,13 @@ checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 "synstructure",
 ]
 [[package]]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.9"
 dependencies = [
 "ctap_hmac",
 "failure",
@@ -377,6 +377,9 @@ dependencies = [
 "libcryptsetup-rs",
 "ring",
 "rpassword",
 "serde",
 "serde_derive",
 "serde_json",
 "structopt",
 ]
@@ -415,9 +418,9 @@ dependencies = [
 [[package]]
 name = "hermit-abi"
-version = "0.1.10"
+version = "0.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "725cf19794cf90aa94e65050cb4191ff5d8fa87a498383774c47b332e3af952e"
+checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4"
 dependencies = [
 "libc",
 ]
@@ -463,20 +466,21 @@ checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
 [[package]]
 name = "libc"
-version = "0.2.68"
+version = "0.2.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dea0c0405123bba743ee3f91f49b1c7cfb684eef0da0a50110f758ccf24cdff0"
+checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.2.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0177fd0ec022a5adb247e13e3238309913c28102a811227ad5de6a55697f152"
+checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b"
 dependencies = [
 "either",
 "libc",
 "libcryptsetup-rs-sys",
 "pkg-config",
 "semver",
 "serde_json",
 "uuid",
 ]
@@ -577,26 +581,26 @@ checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
 [[package]]
 name = "proc-macro-error"
-version = "0.4.12"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18f33027081eba0a6d8aba6d1b1c3a3be58cbb12106341c2d5759fcd9b5277e7"
+checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678"
 dependencies = [
 "proc-macro-error-attr",
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 "version_check",
 ]
 [[package]]
 name = "proc-macro-error-attr"
-version = "0.4.12"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a5b4b77fdb63c1eca72173d68d24501c54ab1269409f6b672c85deb18af69de"
+checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 "syn-mid",
 "version_check",
 ]
@@ -781,17 +785,11 @@ dependencies = [
 "rand_core 0.3.1",
 ]
 [[package]]
 name = "redox_syscall"
 version = "0.1.56"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2439c63f3f6139d1b57529d16bc3b8bb855230c8efcc5d3a896c8bea7c3b1e84"
 [[package]]
 name = "regex"
-version = "1.3.6"
+version = "1.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f6946991529684867e47d86474e3a6d0c0ab9b82d5821e314b1ede31fa3a4b3"
+checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -860,9 +858,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 [[package]]
 name = "ryu"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "535622e6be132bccd223f4bb2b8ac8d53cda3c7a6394944d3b2b33fb974f9d76"
+checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1"
 [[package]]
 name = "scopeguard"
@@ -891,6 +889,17 @@ version = "1.0.106"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
 [[package]]
 name = "serde_derive"
 version = "1.0.106"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
 "syn 1.0.18",
 ]
 [[package]]
 name = "serde_json"
 version = "1.0.51"
@@ -922,9 +931,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 [[package]]
 name = "structopt"
-version = "0.3.12"
+version = "0.3.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8faa2719539bbe9d77869bfb15d4ee769f99525e707931452c97b693b3f159d"
+checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef"
 dependencies = [
 "clap",
 "lazy_static",
@@ -933,15 +942,15 @@ dependencies = [
 [[package]]
 name = "structopt-derive"
-version = "0.4.5"
+version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f88b8e18c69496aad6f9ddf4630dd7d585bcaf765786cb415b9aec2fe5a0430"
+checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a"
 dependencies = [
 "heck",
 "proc-macro-error",
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 [[package]]
@@ -957,9 +966,9 @@ dependencies = [
 [[package]]
 name = "syn"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0df0eb663f387145cab623dea85b09c2c5b4b0aef44e945d928e682fce71bb03"
+checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
@@ -974,7 +983,7 @@ checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 ]
 [[package]]
@@ -985,7 +994,7 @@ checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
- "syn 1.0.17",
+ "syn 1.0.18",
 "unicode-xid 0.2.0",
 ]
@@ -1018,12 +1027,11 @@ dependencies = [
 [[package]]
 name = "time"
-version = "0.1.42"
+version = "0.1.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f"
+checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
 dependencies = [
 "libc",
 "redox_syscall",
 "winapi",
 ]
@@ -1105,9 +1113,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 [[package]]
 name = "winapi-util"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa515c5163a99cc82bab70fd3bfdd36d827be85de63737b40fcef2ce084a436e"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
 dependencies = [
 "winapi",
 ]
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.9"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL 2.0"
 [dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -20,7 +20,10 @@ ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
-libcryptsetup-rs = "0.2.0"
+libcryptsetup-rs = "0.4.1"
 serde_json = "1.0.51"
 serde_derive = "1.0.106"
 serde = "1.0.106"
 [profile.release]
 lto = true
@@ -28,3 +31,14 @@ opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
 [package.metadata.deb]
 depends = "$auto, cryptsetup"
 build-depends = "libclang-dev, libcryptsetup-dev"
 extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 assets = [
    ["target/release/fido2luks", "usr/bin/", "755"],
    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
 ]
--- a/1047
+++ b/1047
--- a/README.md
+++ b/README.md
@@ -1,82 +1,75 @@
-# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
+[![Crates.io](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 # fido2luks
 This will allow you to unlock your luks encrypted disk with an fido2 compatible key
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
-## Setup
+### Setup
-### Prerequisites
+#### Prerequisites
-```
+```rust
 dnf install clang cargo cryptsetup-devel -y
 ```
-### Device
+#### Device
-```
+```rust
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 # Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
 sudo -E cargo install -f --path . --root /usr
 # Copy template
 cp dracut/96luks-2fa/fido2luks.conf /etc/
 # Name is optional but useful if your authenticator has a display
 echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
 # Load config into env
 set -a
 . /etc/fido2luks.conf
 # Repeat for each luks volume
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 # Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
 ```
-### Dracut
+#### Dracut
-```
+```rust
 cd dracut
 sudo make install
 ```
-### Grub
+#### Grub
 Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
-```
+```rust
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
-```
+```rust
 mkdir /boot/fido2luks/
 cp /usr/bin/fido2luks /boot/fido2luks/
 cp /etc/fido2luks.conf /boot/fido2luks/
 ```
-## Test
+### Test
 Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
-```
+```rust
 # Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
 # There is no turning back if you mess this up, make sure you made a backup
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
-## Addtional settings
+### Addtional settings
-### Password less
+#### Password less
 Remove your previous secret as described in the next section, in case you've already added one.
@@ -85,21 +78,32 @@ but be warned that this password will be included to into your initramfs.
 Import the new config into env:
-```
+```rust
 set -a
 . /etc/fido2luks.conf
 ```
 Then add the new secret to each device and update dracut afterwards `dracut -f`
-## Removal
+### Removal
 Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
-```
+```rust
 set -a
 . fido2luks.conf
 sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
 ## License
 Licensed under the Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE) or https://www.mozilla.org/en-US/MPL/2.0/)
 ### Contribution
 Unless you explicitly state otherwise, any contribution intentionally
 submitted for inclusion in the work by you, as defined in the MPL 2.0
 license, shall be dual licensed as above, without any additional terms or
 conditions.
--- a/README.tpl
+++ b/README.tpl
@@ -0,0 +1,15 @@
 [![Crates.io](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 # {{crate}}
 {{readme}}
 ## License
 Licensed under the Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE) or https://www.mozilla.org/en-US/MPL/2.0/)
 ### Contribution
 Unless you explicitly state otherwise, any contribution intentionally
 submitted for inclusion in the work by you, as defined in the MPL 2.0
 license, shall be dual licensed as above, without any additional terms or
 conditions.
--- a/initramfs-tools/Makefile
+++ b/initramfs-tools/Makefile
@@ -0,0 +1,11 @@
 .PHONY: install
 install:
 	chmod +x hook/fido2luks.sh keyscript.sh
 	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
 	mkdir -p /usr/share/fido2luks
 	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
 remove:
 	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
 	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
--- a/initramfs-tools/README.md
+++ b/initramfs-tools/README.md
@@ -0,0 +1,13 @@
 ## Initramfs-tools based systems(Ubuntu and derivatives)
 After installation generate your credentials and add keys to your disk as described in the top-level README
 then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
 Example:
 ```
 sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
 ```
 But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
 [Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
--- a/initramfs-tools/fido2luks.conf
+++ b/initramfs-tools/fido2luks.conf
@@ -0,0 +1,3 @@
 FIDO2LUKS_SALT=Ask
 #FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=
--- a/initramfs-tools/hook/fido2luks.sh
+++ b/initramfs-tools/hook/fido2luks.sh
@@ -0,0 +1,14 @@
 #!/bin/sh
 case "$1" in
 prereqs)
 	echo ""
 	exit 0
 	;;
 esac
 . /usr/share/initramfs-tools/hook-functions
 copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
 copy_exec /usr/bin/fido2luks
 exit 0
--- a/initramfs-tools/keyscript.sh
+++ b/initramfs-tools/keyscript.sh
@@ -0,0 +1,9 @@
 #!/bin/sh
 set -a
 . /etc/fido2luks.conf
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt 'FIDO2 password salt for $CRYPTTAB_NAME'"
 fi
 fido2luks print-secret --bin
--- a/initramfs-tools/setup.svg
+++ b/initramfs-tools/setup.svg
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -1,5 +1,55 @@
 //! ## Command line interface
 //! ### Generating a credential
 //! Credentials can be generated by using `fido2luks credential`
 //! this command will take an optional string as username your authenticator might be able to display
 //!
 //! `fido2luks credential 'My 2FA protected disk'`
 //!
 //! It is advisable to repeat this step and the next step for more than one authenticator, as backup
 //! ### Securing a disk
 //! To utilise the previously generated credential you simply run
 //!
 //! `fido2luks -i add-key <device> [<credential>,..]`
 //!
 //! You can also use `fido2luks -i add-key --exclusive <device> [<credential>,..]`
 //!
 //! which will add a new key and then remove ALL other keys.
 //! This command supports a fair amount of options for instance `--keyfile` which will allow you to
 //! add an authenticator to the `<device>`
 //!
 //! `-f` will utilise an previously added fido protected key to add another one
 //!
 //! `--token` will store the credential within the LUKS header, making it easily accessible even if
 //! you're unable to boot your system.
 //!
 //!
 //! `fido2luks -i replace-key <device> [<credential>,..]`
 //! works in a similar fashion but instead of adding a new key it'll update an existing one
 //!
 //!
 //! ### Unlocking a disk
 //! To open an LUKS container using your authenticator you simply run
 //!
 //! `fido2luks -i open <device> <name> [<credential>,..]`
 //!
 //! if successful your LUKS container will be accessible under `/dev/mapper/<name>`
 //! To avoid having to specify your credentials you may want to to use
 //!
 //! `fido2luks -i open-token <device> <name>`
 //!
 //! which should even be faster since it allows for the credential to be matched to the right keyslot
 //!
 //!
 //! ### Common options
 //!
 //! `--salt` Determines what data will be provided to the authenticator in order to derive the secret, the default being `ask` which will prompt the user for an password.
 //! Alternatives being `file:<PATH>` where the specified file will be hashed and then used as input, the same goes for the `string:<STRING>` option which will behave in the same manner as the `ask` option.
 //!
 //! `--pin` Allows for a PIN to be passed to the authenticator if needed, it is however recommended not to use a PIN since the bootscript doesn't support this feature atm.
 //!
 //! `--help` Will provide context dependant help for each command
 use crate::error::*;
 use crate::luks;
 use crate::*;
 use structopt::StructOpt;
@@ -12,7 +62,10 @@ use std::io::Write;
 use std::process::exit;
 use std::thread;
 use crate::luks::{Fido2LuksToken, LuksDevice};
 use crate::util::sha256;
 use std::borrow::Cow;
 use std::collections::HashSet;
 use std::time::SystemTime;
 #[derive(Debug, Eq, PartialEq, Clone)]
@@ -24,6 +77,12 @@ impl Display for HexEncoded {
    }
 }
 impl AsRef<[u8]> for HexEncoded {
    fn as_ref(&self) -> &[u8] {
        &self.0[..]
    }
 }
 impl FromStr for HexEncoded {
    type Err = hex::FromHexError;
@@ -58,7 +117,7 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
-    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
+    /// FIDO credential ids, separated by ',' generate using fido2luks credential
    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
    pub ids: CommaSeparated<HexEncoded>,
 }
@@ -126,7 +185,7 @@ fn derive_secret(
    salt: &[u8; 32],
    timeout: u64,
    pin: Option<&str>,
-) -> Fido2LuksResult<[u8; 32]> {
+) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
    let timeout = Duration::from_secs(timeout);
    let start = SystemTime::now();
@@ -143,23 +202,18 @@ fn derive_secret(
        thread::sleep(Duration::from_millis(500));
    }
-    Ok(sha256(&[
+    let credentials = credentials
-        &perform_challenge(
+        .iter()
-            &credentials
+        .map(|hex| FidoCredential {
-                .iter()
+            id: hex.0.clone(),
-                .map(|hex| FidoCredential {
+            public_key: None,
-                    id: hex.0.clone(),
+        })
-                    public_key: None,
+        .collect::<Vec<_>>();
-                })
+    let credentials = credentials.iter().collect::<Vec<_>>();
-                .collect::<Vec<_>>()
+    let (unsalted, cred) =
-                .iter()
+        perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
-                .collect::<Vec<_>>()[..],
+
-            salt,
+    Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
            timeout - start.elapsed().unwrap(),
            pin,
        )?[..],
        salt,
    ]))
 }
 fn read_pin() -> Fido2LuksResult<String> {
@@ -214,6 +268,9 @@ pub enum Command {
        /// Will wipe all other keys
        #[structopt(short = "e", long = "exclusive")]
        exclusive: bool,
        /// Will add an token to your LUKS 2 header, including the credential id
        #[structopt(short = "t", long = "token")]
        token: bool,
        #[structopt(flatten)]
        existing_secret: OtherSecret,
        #[structopt(flatten)]
@@ -233,6 +290,9 @@ pub enum Command {
        /// Add the password and keep the key
        #[structopt(short = "a", long = "add-password")]
        add_password: bool,
        /// Will add an token to your LUKS 2 header, including the credential id
        #[structopt(short = "t", long = "token")]
        token: bool,
        #[structopt(flatten)]
        replacement: OtherSecret,
        #[structopt(flatten)]
@@ -251,7 +311,20 @@ pub enum Command {
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
-
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
    },
    /// Open the LUKS device using credentials embedded in the LUKS 2 header
    #[structopt(name = "open-token")]
    OpenToken {
        #[structopt(flatten)]
        luks: LuksParameters,
        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
        name: String,
        #[structopt(flatten)]
        authenticator: AuthenticatorParameters,
        #[structopt(flatten)]
        secret: SecretParameters,
        #[structopt(short = "r", long = "max-retries", default_value = "0")]
        retries: i32,
    },
@@ -267,6 +340,45 @@ pub enum Command {
    /// Check if an authenticator is connected
    #[structopt(name = "connected")]
    Connected,
    Token(TokenCommand),
 }
 ///LUKS2 token related operations
 #[derive(Debug, StructOpt)]
 pub enum TokenCommand {
    /// List all tokens associated with the specified device
    List {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        /// Dump all credentials as CSV
        #[structopt(long = "csv")]
        csv: bool,
    },
    /// Add credential to a keyslot
    Add {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        #[structopt(flatten)]
        credentials: Credentials,
        /// Slot to which the credentials will be added
        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
        slot: u32,
    },
    /// Remove credentials from token(s)
    Remove {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        #[structopt(flatten)]
        credentials: Credentials,
        /// Token from which the credentials will be removed
        #[structopt(long = "token")]
        token_id: Option<u32>,
    },
    /// Remove all unassigned tokens
    GC {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
    },
 }
 pub fn parse_cmdline() -> Args {
@@ -311,7 +423,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            } else {
                secret.salt.obtain(&secret.password_helper)
            }?;
-            let secret = derive_secret(
+            let (secret, _cred) = derive_secret(
                credentials.ids.0.as_slice(),
                &salt,
                authenticator.await_time,
@@ -331,6 +443,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            secret,
            luks_mod,
            existing_secret: other_secret,
            token,
            ..
        }
        | Command::ReplaceKey {
@@ -340,6 +453,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            secret,
            luks_mod,
            replacement: other_secret,
            token,
            ..
        } => {
            let pin = if authenticator.pin {
@@ -354,12 +468,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    secret.salt.obtain(&secret.password_helper)
                }
            };
-            let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<Vec<u8>> {
+            let other_secret = |salt_q: &str,
                                verify: bool|
             -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
                match other_secret {
                    OtherSecret {
                        keyfile: Some(file),
                        ..
-                    } => util::read_keyfile(file),
+                    } => Ok((util::read_keyfile(file)?, None)),
                    OtherSecret {
                        fido_device: true, ..
                    } => Ok(derive_secret(
@@ -367,12 +483,15 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                        &salt(salt_q, verify)?,
                        authenticator.await_time,
                        pin.as_deref(),
-                    )?[..]
+                    )
-                        .to_vec()),
+                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
-                    _ => Ok(util::read_password(salt_q, verify)?.as_bytes().to_vec()),
+                    _ => Ok((
                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                        None,
                    )),
                }
            };
-            let secret = |verify: bool| -> Fido2LuksResult<[u8; 32]> {
+            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
                derive_secret(
                    &credentials.ids.0,
                    &salt("Password", verify)?,
@@ -380,19 +499,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    pin.as_deref(),
                )
            };
            let mut luks_dev = LuksDevice::load(&luks.device)?;
            // Non overlap
            match &args.command {
                Command::AddKey { exclusive, .. } => {
-                    let existing_secret = other_secret("Current password", false)?;
+                    let (existing_secret, _) = other_secret("Current password", false)?;
-                    let new_secret = secret(true)?;
+                    let (new_secret, cred) = secret(true)?;
-                    let added_slot = luks::add_key(
+                    let added_slot = luks_dev.add_key(
                        &luks.device,
                        &new_secret,
                        &existing_secret[..],
                        luks_mod.kdf_time.or(Some(10)),
                        Some(&cred.id[..]).filter(|_| *token),
                    )?;
                    if *exclusive {
-                        let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?;
+                        let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
                        println!(
                            "Added to key to device {}, slot: {}\nRemoved {} old keys",
                            luks.device.display(),
@@ -409,21 +529,21 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    Ok(())
                }
                Command::ReplaceKey { add_password, .. } => {
-                    let existing_secret = secret(false)?;
+                    let (existing_secret, _) = secret(false)?;
-                    let replacement_secret = other_secret("Replacement password", true)?;
+                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                    let slot = if *add_password {
-                        luks::add_key(
+                        luks_dev.add_key(
                            &luks.device,
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
                        )
                    } else {
-                        luks::replace_key(
+                        luks_dev.replace_key(
                            &luks.device,
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
                        )
                    }?;
                    println!(
@@ -439,7 +559,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
        Command::Open {
            luks,
            authenticator,
-            credentials,
+            secret,
            name,
            retries,
            ..
        }
        | Command::OpenToken {
            luks,
            authenticator,
            secret,
            name,
            retries,
@@ -458,16 +585,38 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    secret.salt.obtain(&secret.password_helper)
                }
            };
-            let mut retries = *retries;
+
-            loop {
+            // Cow shouldn't be necessary
-                match derive_secret(
+            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
-                    &credentials.ids.0,
+                derive_secret(
                    credentials.as_ref(),
                    &salt("Password", false)?,
                    authenticator.await_time,
                    pin,
                )
-                .and_then(|secret| luks::open_container(&luks.device, &name, &secret, luks.slot))
+            };
-                {
+
            let mut retries = *retries;
            let mut luks_dev = LuksDevice::load(&luks.device)?;
            loop {
                let secret = match &args.command {
                    Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
                    Command::OpenToken { .. } => luks_dev.activate_token(
                        &name,
                        Box::new(|credentials: Vec<String>| {
                            let creds = credentials
                                .into_iter()
                                .flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
                                .collect::<Vec<_>>();
                            secret(Cow::Owned(creds))
                                .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
                        }),
                        luks.slot,
                    ),
                    _ => unreachable!(),
                };
                match secret {
                    Err(e) => {
                        match e {
                            Fido2LuksError::WrongSecret if retries > 0 => {}
@@ -479,7 +628,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                        retries -= 1;
                        eprintln!("{}", e);
                    }
-                    res => break res,
+                    res => break res.map(|_| ()),
                }
            }
        }
@@ -490,5 +639,129 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            }
            _ => exit(1),
        },
        Command::Token(cmd) => match cmd {
            TokenCommand::List {
                device,
                csv: dump_credentials,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    for cred in token.credential.iter() {
                        if !creds.contains(cred) {
                            creds.push(cred.clone());
                            if *dump_credentials {
                                print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
                            }
                        }
                    }
                    if *dump_credentials {
                        continue;
                    }
                    println!(
                        "{}:\n\tSlots: {}\n\tCredentials: {}",
                        id,
                        if token.keyslots.is_empty() {
                            "None".into()
                        } else {
                            token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
                        },
                        token
                            .credential
                            .iter()
                            .map(|cred| format!(
                                "{} ({})",
                                cred,
                                creds.iter().position(|c| c == cred).unwrap().to_string()
                            ))
                            .collect::<Vec<_>>()
                            .join(",")
                    );
                }
                if *dump_credentials {
                    println!();
                }
                Ok(())
            }
            TokenCommand::Add {
                device,
                credentials,
                slot,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.contains(&slot.to_string()) {
                        tokens.push((id, token));
                    }
                }
                let count = if tokens.is_empty() {
                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
                    1
                } else {
                    tokens.len()
                };
                for (id, mut token) in tokens {
                    token
                        .credential
                        .extend(credentials.ids.0.iter().map(|h| h.to_string()));
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::Remove {
                device,
                credentials,
                token_id,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if let Some(token_id) = token_id {
                        if id == *token_id {
                            tokens.push((id, token));
                        }
                    } else {
                        tokens.push((id, token));
                    }
                }
                let count = tokens.len();
                for (id, mut token) in tokens {
                    token.credential = token
                        .credential
                        .into_iter()
                        .filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
                        .collect();
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::GC { device } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds: HashSet<String> = HashSet::new();
                let mut remove = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.is_empty() || token.credential.is_empty() {
                        creds.extend(token.credential);
                        remove.push(id);
                    }
                }
                for id in remove.iter().rev() {
                    dev.remove_token(*id)?;
                }
                println!(
                    "Removed {} tokens, affected credentials: {}",
                    remove.len(),
                    creds.into_iter().collect::<Vec<_>>().join(",")
                );
                Ok(())
            }
        },
    }
 }
--- a/src/device.rs
+++ b/src/device.rs
@@ -32,12 +32,12 @@ pub fn make_credential_id(
    )?)
 }
-pub fn perform_challenge(
+pub fn perform_challenge<'a>(
-    credentials: &[&FidoCredential],
+    credentials: &'a [&'a FidoCredential],
    salt: &[u8; 32],
    timeout: Duration,
    pin: Option<&str>,
-) -> Fido2LuksResult<[u8; 32]> {
+) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
    let request = FidoAssertionRequestBuilder::default()
        .rp_id(RP_ID)
        .credentials(credentials)
@@ -49,13 +49,13 @@ pub fn perform_challenge(
        }
        device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
    };
-    let (_, (secret, _)) = request_multiple_devices(
+    let (credential, (secret, _)) = request_multiple_devices(
        get_devices()?
            .iter_mut()
            .map(|device| (device, &get_assertion)),
        Some(timeout),
    )?;
-    Ok(secret)
+    Ok((secret, credential))
 }
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
--- a/src/error.rs
+++ b/src/error.rs
@@ -13,11 +13,13 @@ pub enum Fido2LuksError {
    AuthenticatorError { cause: ctap::FidoError },
    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
    NoAuthenticatorError,
-    #[fail(display = "luks err")]
+    #[fail(display = " {}", cause)]
-    LuksError {
+    CryptsetupError {
        cause: libcryptsetup_rs::LibcryptErr,
    },
-    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
+    #[fail(display = "{}", cause)]
    LuksError { cause: LuksError },
    #[fail(display = "{}", cause)]
    IoError { cause: io::Error },
    #[fail(display = "supplied secret isn't valid for this device")]
    WrongSecret,
@@ -46,7 +48,41 @@ pub enum AskPassError {
    Mismatch,
 }
 #[derive(Debug, Fail)]
 pub enum LuksError {
    #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
    Luks2Required,
    #[fail(display = "Invalid token: {}", _0)]
    InvalidToken(String),
    #[fail(display = "No token found")]
    NoToken,
    #[fail(display = "The device already exists")]
    DeviceExists,
 }
 impl LuksError {
    pub fn activate(e: LibcryptErr) -> Fido2LuksError {
        match e {
            LibcryptErr::IOError(ref io) => match io.raw_os_error() {
                Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
                Some(17) => Fido2LuksError::LuksError {
                    cause: LuksError::DeviceExists,
                },
                _ => return Fido2LuksError::CryptsetupError { cause: e },
            },
            _ => Fido2LuksError::CryptsetupError { cause: e },
        }
    }
 }
 impl From<LuksError> for Fido2LuksError {
    fn from(e: LuksError) -> Self {
        Fido2LuksError::LuksError { cause: e }
    }
 }
 use libcryptsetup_rs::LibcryptErr;
 use std::io::ErrorKind;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
@@ -62,7 +98,7 @@ impl From<LibcryptErr> for Fido2LuksError {
            LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                WrongSecret
            }
-            _ => LuksError { cause: e },
+            _ => CryptsetupError { cause: e },
        }
    }
 }
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -1,82 +1,336 @@
 use crate::error::*;
-use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
+use libcryptsetup_rs::{
    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
    TokenInput,
 };
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
-fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+pub struct LuksDevice {
-    let mut device = CryptInit::init(path.as_ref())?;
+    device: CryptDevice,
-    //TODO: determine luks version some way other way than just trying
+    luks2: Option<bool>,
-    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
+}
-    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
+/// Wrapper around [CryptDevice](libcryptsetup_rs::CryptDevice)
-        .into_iter()
+impl LuksDevice {
-        .fold(None, |res, format| match res {
+    pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
-            Some(Ok(())) => res,
+        let mut device = CryptInit::init(path.as_ref())?;
-            Some(e) => Some(e.or_else(|_| load(format))),
+        device.context_handle().load::<()>(None, None)?;
-            None => Some(load(format)),
+        Ok(Self {
            device,
            luks2: None,
        })
        .unwrap()?;
    Ok(device)
 }
 pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8], slot_hint: Option<u32>) -> Fido2LuksResult<()> {
    let mut device = load_device_handle(path)?;
    device
        .activate_handle()
        .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
        .map(|_slot| ())
        .map_err(|_e| Fido2LuksError::WrongSecret)
 }
 pub fn add_key<P: AsRef<Path>>(
    path: P,
    secret: &[u8],
    old_secret: &[u8],
    iteration_time: Option<u64>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    let slot = device
        .keyslot_handle(None)
        .add_by_passphrase(old_secret, secret)?;
    Ok(slot)
 }
-pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+    /// Check whether the device supports LUKS2
-    let mut device = load_device_handle(path)?;
+    pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
-    let mut handle;
+        if let Some(luks2) = self.luks2 {
-    let mut destroyed = 0;
+            Ok(luks2)
-    //TODO: detect how many keyslots there are instead of trying within a given range
+        } else {
-    for slot in 0..1024 {
+            self.luks2 = Some(match self.device.format_handle().get_type()? {
-        handle = device.keyslot_handle(Some(slot));
+                EncryptionFormat::Luks2 => true,
-        match handle.status()? {
+                _ => false,
-            KeyslotInfo::Inactive => continue,
+            });
-            KeyslotInfo::Active if !exclude.contains(&slot) => {
+            self.is_luks2()
-                handle.destroy()?;
+        }
-                destroyed += 1;
+    }
    /// Check whether the device supports LUKS2, return an appropriate error if it does not
    fn require_luks2(&mut self) -> Fido2LuksResult<()> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
        }
        Ok(())
    }
    /// Returns an iterator over all tokens, of type fido2luks
    pub fn tokens<'a>(
        &'a mut self,
    ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
    {
        self.require_luks2()?;
        Ok(Box::new(
            (0..32)
                .map(move |i| {
                    let status = match self.device.token_handle().status(i) {
                        Ok(status) => status,
                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    match status {
                        CryptTokenInfo::Inactive => return None,
                        CryptTokenInfo::Internal(s)
                        | CryptTokenInfo::InternalUnknown(s)
                        | CryptTokenInfo::ExternalUnknown(s)
                        | CryptTokenInfo::External(s)
                            if &s != Fido2LuksToken::default_type() =>
                        {
                            return None
                        }
                        _ => (),
                    };
                    let json = match self.device.token_handle().json_get(i) {
                        Ok(json) => json,
                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    let info: Fido2LuksToken =
                        match serde_json::from_value(json.clone()).map_err(|_| {
                            Fido2LuksError::LuksError {
                                cause: LuksError::InvalidToken(json.to_string()),
                            }
                        }) {
                            Ok(info) => info,
                            Err(err) => return Some(Err(Fido2LuksError::from(err))),
                        };
                    Some(Ok((i, info)))
                })
                .filter_map(|o| o),
        ))
    }
    /// Returns the first token with an reference to the specified keyslot
    pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
        let slot_str = slot.to_string();
        for token in self.tokens()? {
            let (id, token) = token?;
            if token.keyslots.contains(&slot_str) {
                return Ok(Some((id, token)));
            }
            _ => (),
        }
        if let KeyslotInfo::ActiveLast = handle.status()? {
            break;
        }
        Ok(None)
    }
    pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
        Ok(())
    }
    pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::RemoveToken(token))?;
        Ok(())
    }
    pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::ReplaceToken(
                token,
                &serde_json::to_value(&data).unwrap(),
            ))?;
        Ok(())
    }
    /// Add a new key `secret` using `old_secret` with the specified `iteration_time` in milliseconds
    /// an LUKS2 token will be created if the device supports LUKS2 and a `credential_id` is provided
    pub fn add_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        let slot = self
            .device
            .keyslot_handle()
            .add_by_passphrase(None, old_secret, secret)?;
        if let Some(id) = credential_id {
            self.device.token_handle().json_set(TokenInput::AddToken(
                &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
            ))?;
        }
        Ok(slot)
    }
    pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
        let mut destroyed = 0;
        let mut tokens = Vec::new();
        for slot in 0..256 {
            match self.device.keyslot_handle().status(slot)? {
                KeyslotInfo::Inactive => continue,
                KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
                    if self.is_luks2()? {
                        if let Some((id, _token)) = self.find_token(slot)? {
                            tokens.push(id);
                        }
                    }
                    self.device.keyslot_handle().destroy(slot)?;
                    destroyed += 1;
                }
                KeyslotInfo::ActiveLast => break,
                _ => (),
            }
            if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
                break;
            }
        }
        // Ensure indices stay valid
        tokens.sort();
        for token in tokens.iter().rev() {
            self.remove_token(*token)?;
        }
        Ok(destroyed)
    }
    /// Replaces an existing key with `secret` using `old_secret` with the specified `iteration_time` in milliseconds
    /// an LUKS2 token will be created or updated if the device supports LUKS2 and a `credential_id` is provided
    pub fn replace_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        // Use activate dry-run to locate keyslot
        let slot = self.device.activate_handle().activate_by_passphrase(
            None,
            None,
            old_secret,
            CryptActivateFlags::empty(),
        )?;
        self.device.keyslot_handle().change_by_passphrase(
            Some(slot),
            Some(slot),
            old_secret,
            secret,
        )? as u32;
        if let Some(id) = credential_id {
            if self.is_luks2()? {
                let token = self.find_token(slot)?.map(|(t, _)| t);
                let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
                if let Some(token) = token {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::ReplaceToken(token, &json))?;
                } else {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::AddToken(&json))?;
                }
            }
        }
        Ok(slot)
    }
    pub fn activate(
        &mut self,
        name: &str,
        secret: &[u8],
        slot_hint: Option<u32>,
    ) -> Fido2LuksResult<u32> {
        self.device
            .activate_handle()
            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
            .map_err(LuksError::activate)
    }
    pub fn activate_token(
        &mut self,
        name: &str,
        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
        slot_hint: Option<u32>,
    ) -> Fido2LuksResult<u32> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
        }
        let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
        for token in self.tokens()? {
            let token = match token {
                Ok((_id, t)) => t,
                _ => continue, // An corrupted token should't lock the user out
            };
            let slots = || {
                token
                    .keyslots
                    .iter()
                    .filter_map(|slot| slot.parse::<u32>().ok())
            };
            for cred in token.credential.iter() {
                creds
                    .entry(cred.clone())
                    .or_insert_with(|| slots().collect::<HashSet<u32>>())
                    .extend(slots());
            }
        }
        if creds.is_empty() {
            return Err(Fido2LuksError::LuksError {
                cause: LuksError::NoToken,
            });
        }
        let (secret, credential) = secret(creds.keys().cloned().collect())?;
        let empty;
        let slots = if let Some(slots) = creds.get(&credential) {
            slots
        } else {
            empty = HashSet::new();
            &empty
        };
        //Try slots associated with the credential used
        let slots = slots.iter().cloned().map(Option::Some).chain(
            std::iter::once(slot_hint) // Try slot hint if there is one
                .take(slot_hint.is_some() as usize)
                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
        );
        for slot in slots {
            match self.activate(name, &secret, slot) {
                Err(Fido2LuksError::WrongSecret) => (),
                res => return res,
            }
        }
        Err(Fido2LuksError::WrongSecret)
    }
    Ok(destroyed)
 }
-pub fn replace_key<P: AsRef<Path>>(
+/// Represents a LUKS2 token
-    path: P,
+#[derive(Debug, Clone, Serialize, Deserialize)]
-    secret: &[u8],
+pub struct Fido2LuksToken {
-    old_secret: &[u8],
+    #[serde(rename = "type")]
-    iteration_time: Option<u64>,
+    pub type_: String,
-) -> Fido2LuksResult<u32> {
+    pub credential: HashSet<String>,
-    let mut device = load_device_handle(path)?;
+    pub keyslots: HashSet<String>,
-    // Set iteration time not sure wether this applies to luks2 as well
+}
-    if let Some(millis) = iteration_time {
+
-        device.settings_handle().set_iteration_time(millis)
+impl Fido2LuksToken {
-    }
+    pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
-    Ok(device
+        Self::with_credentials(std::iter::once(credential_id), slot)
-        .keyslot_handle(None)
+    }
-        .change_by_passphrase(None, None, old_secret, secret)? as u32)
+
    pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
        credentials: I,
        slot: u32,
    ) -> Self {
        Self {
            credential: credentials
                .into_iter()
                .map(|cred| hex::encode(cred.as_ref()))
                .collect(),
            keyslots: vec![slot.to_string()].into_iter().collect(),
            ..Default::default()
        }
    }
    pub fn default_type() -> &'static str {
        "fido2luks"
    }
 }
 impl Default for Fido2LuksToken {
    fn default() -> Self {
        Self {
            type_: Self::default_type().into(),
            credential: HashSet::new(),
            keyslots: HashSet::new(),
        }
    }
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,6 +1,116 @@
 //! This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 //!
 //! Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 //!
 //! ## Setup
 //!
 //! ### Prerequisites
 //!
 //! ```
 //! dnf install clang cargo cryptsetup-devel -y
 //! ```
 //!
 //! ### Device
 //!
 //! ```
 //! git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 //!
 //! # Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
 //! sudo -E cargo install -f --path . --root /usr
 //!
 //! # Copy template
 //! cp dracut/96luks-2fa/fido2luks.conf /etc/
 //! # Name is optional but useful if your authenticator has a display
 //! echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
 //!
 //! # Load config into env
 //! set -a
 //! . /etc/fido2luks.conf
 //!
 //! # Repeat for each luks volume
 //! # You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
 //! # enabling you to use `fido2luks open-token` without passing a credential as parameter
 //! sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 //!
 //! # Test(only works if the luks container isn't active)
 //! sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
 //!
 //! ```
 //!
 //! ### Dracut
 //!
 //! ```
 //! cd dracut
 //!
 //! sudo make install
 //! ```
 //!
 //! ### Grub
 //!
 //! Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 //!
 //! Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
 //!
 //! ```
 //! grub2-mkconfig > /boot/grub2/grub.cfg
 //! ```
 //!
 //! I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
 //!
 //! ```
 //! mkdir /boot/fido2luks/
 //! cp /usr/bin/fido2luks /boot/fido2luks/
 //! cp /etc/fido2luks.conf /boot/fido2luks/
 //! ```
 //!
 //! ## Test
 //!
 //! Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 //!
 //! ```
 //! # Recommend in case you lose your authenticator, store this backupfile somewhere safe
 //! cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
 //! # There is no turning back if you mess this up, make sure you made a backup
 //! # You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
 //! # which will enable you to use `fido2luks open-token` without passing a credential as parameter
 //! fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 //! ```
 //!
 //! ## Addtional settings
 //!
 //! ### Password less
 //!
 //! Remove your previous secret as described in the next section, in case you've already added one.
 //!
 //! Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
 //! but be warned that this password will be included to into your initramfs.
 //!
 //! Import the new config into env:
 //!
 //! ```
 //! set -a
 //! . /etc/fido2luks.conf
 //! ```
 //!
 //! Then add the new secret to each device and update dracut afterwards `dracut -f`
 //!
 //! ## Removal
 //!
 //! Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
 //!
 //! ```
 //! set -a
 //! . fido2luks.conf
 //! sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 //!
 //! sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 //!```
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;
 #[macro_use]
 extern crate serde_derive;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
Author	SHA1	Message	Date
shimun	0749ae640a	generate README from docs Some checks failed continuous-integration/drone/push Build is failing Details switch to license compatible with all dependencies	2020-07-26 20:47:29 +02:00
shimun	840868468b	cargo-deb meta All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-04 21:32:21 +02:00
shimun	97880e4f41	refuse removal while crypttab depends on keyscript All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 16:21:35 +02:00
shimun	e798ba5c70	remove keyscript aswell All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:59:12 +02:00
shimun	298e05fed7	initramfs-tools All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:55:23 +02:00
shimun	a498e1416f	automate cargo publish Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is failing Details	2020-06-23 23:55:07 +02:00
shimun	92e413de50	refactored luks operations All checks were successful continuous-integration/drone/push Build is passing Details	2020-06-22 20:47:19 +00:00
shimun	023399bb14	use unstable cryptsetup Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-22 18:17:10 +02:00
shimun	a53a430c23	update drone Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-21 22:16:45 +02:00
shimun	5f107cd337	add non existing token Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-19 20:09:36 +02:00
shimun	ddfd24a098	ensure replace_key uses the same slot	2020-06-19 20:05:05 +02:00
shimun	743edf668a	document --token	2020-06-13 14:35:46 +02:00
shimun	4507107fac	update libcryptsetup-rs	2020-06-10 13:50:28 +02:00
shimun	a8482c50a2	handle tokens when replacing	2020-06-08 19:22:19 +02:00
shimun	09be5ef551	assemble secret in correct order	2020-06-08 18:08:24 +02:00
shimun	6f6c84ddba	skip luks2 check until underlying issue is fixed	2020-06-07 14:14:51 +02:00
shimun	5a05cad695	more precise description	2020-06-06 23:39:23 +02:00
shimun	d8d24b40f5	Merge branch 'cli_reorg'	2020-06-06 23:37:22 +02:00
shimun	c1a82b9ae6	update libcryptsetup_rs to 0.4.0	2020-06-06 22:43:18 +02:00
shimun	f774580c9c	update to current api	2020-05-05 23:28:44 +02:00
shimun	0b19760175	hint slots	2020-04-28 19:09:53 +02:00
shimun	2ec8679c47	open token	2020-04-28 14:27:14 +02:00
shimun	65e1dead8b	remove token	2020-04-27 22:07:00 +02:00
shimun	478fb5e036	store luks token	2020-04-27 19:26:21 +02:00
shimun	1547f5e199	get format	2020-04-27 18:12:06 +02:00