protect fido2luks.conf from being overwritten

.drone.yml

@@ -3,32 +3,27 @@ name: default
 
 steps:
  - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
    commands:
      -  rustup component add rustfmt
      -  cargo fmt --all -- --check
  - name: test
-   image: rust:1.37.0
+   image: rust:1.43.0
    commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
+    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
     - cargo test
 
- - name: build
-   image: rust:1.37.0
-   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
-    - cargo install -f --path . --root .
-   when:
-    event: tag
  - name: publish
-   image: plugins/github-release
+   image: rust:1.43.0
-   settings:
+   environment:
-     api_key:
+    CARGO_REGISTRY_TOKEN:
-      from_secret: github_release
+     from_secret: cargo_tkn
-     files:
+   commands:
-      - bin/fido2luks
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-     checksum:
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
-      - md5
+    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
-      - sha256
+    - cargo package --all-features
+    - cargo publish --all-features
    when:
     event: tag

Cargo.lock

@@ -1,10 +1,25 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
 [[package]]
-name = "aho-corasick"
+name = "addr2line"
-version = "0.7.10"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8716408b8bc624ed7f65d223ddb9ac2d044c0547b6fa4b0d554f3a9540496ada"
+checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
+
+[[package]]
+name = "aho-corasick"
+version = "0.7.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
 dependencies = [
  "memchr",
 ]
@@ -43,31 +58,23 @@ checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
 
 [[package]]
 name = "backtrace"
-version = "0.3.46"
+version = "0.3.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e"
+checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
 dependencies = [
- "backtrace-sys",
+ "addr2line",
  "cfg-if",
  "libc",
+ "miniz_oxide",
+ "object",
  "rustc-demangle",
 ]
 
-[[package]]
-name = "backtrace-sys"
-version = "0.1.35"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7de8aba10a69c8e8d7622c5710229485ec32e9d55fdad160ea559c086fdcd118"
-dependencies = [
- "cc",
- "libc",
-]
-
 [[package]]
 name = "bindgen"
-version = "0.53.2"
+version = "0.54.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6bb26d6a69a335b8cb0e7c7e9775cd5666611dc50a37177c3f2cedcfc040e8c8"
+checksum = "f4d49b80beb70d76cdac92f5681e666f9a697c737c4f4117a67229a0386dc736"
 dependencies = [
  "bitflags",
  "cexpr",
@@ -79,8 +86,8 @@ dependencies = [
  "lazycell",
  "log",
  "peeking_take_while",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
  "regex",
  "rustc-hash",
  "shlex",
@@ -111,9 +118,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.0.50"
+version = "1.0.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95e28fa049fda1c330bcf9d723be7663a899c4679724b34c81e9f5a326aab8cd"
+checksum = "f9a06fb2e53271d7c279ec1efea6ab691c35a2ae67ec0d91d7acec0caf13b518"
 
 [[package]]
 name = "cexpr"
@@ -143,9 +150,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "2.33.0"
+version = "2.33.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
+checksum = "10040cdf04294b565d9e0319955430099ec3813a64c952b86a41200ad714ae48"
 dependencies = [
  "ansi_term",
  "atty",
@@ -181,12 +188,12 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-channel"
-version = "0.4.2"
+version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cced8691919c02aac3cb0a1bc2e9b73d89e832bf9a06fc579d4e71b68a2da061"
+checksum = "09ee0cc8804d5393478d743b035099520087a5186f3b93fa58cec08fa62407b6"
 dependencies = [
+ "cfg-if",
  "crossbeam-utils",
- "maybe-uninit",
 ]
 
 [[package]]
@@ -217,12 +224,13 @@ dependencies = [
 
 [[package]]
 name = "crossbeam-queue"
-version = "0.2.1"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
+checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
 dependencies = [
  "cfg-if",
  "crossbeam-utils",
+ "maybe-uninit",
 ]
 
 [[package]]
@@ -284,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
  "fnv",
  "ident_case",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
  "strsim 0.9.3",
- "syn 1.0.17",
+ "syn 1.0.38",
 ]
 
 [[package]]
@@ -297,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
  "darling_core",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.38",
 ]
 
 [[package]]
@@ -309,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
  "darling",
  "derive_builder_core",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.38",
 ]
 
 [[package]]
@@ -321,16 +329,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
  "darling",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.38",
 ]
 
 [[package]]
 name = "either"
-version = "1.5.3"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
+checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
 
 [[package]]
 name = "env_logger"
@@ -347,9 +355,9 @@ dependencies = [
 
 [[package]]
 name = "failure"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b"
+checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
 dependencies = [
  "backtrace",
  "failure_derive",
@@ -357,19 +365,19 @@ dependencies = [
 
 [[package]]
 name = "failure_derive"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
+checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.38",
  "synstructure",
 ]
 
 [[package]]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.10"
 dependencies = [
  "ctap_hmac",
  "failure",
@@ -377,14 +385,17 @@ dependencies = [
  "libcryptsetup-rs",
  "ring",
  "rpassword",
+ "serde",
+ "serde_derive",
+ "serde_json",
  "structopt",
 ]
 
 [[package]]
 name = "fnv"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
 name = "fuchsia-cprng"
@@ -398,6 +409,12 @@ version = "0.3.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 
+[[package]]
+name = "gimli"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
+
 [[package]]
 name = "glob"
 version = "0.3.0"
@@ -415,9 +432,9 @@ dependencies = [
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.10"
+version = "0.1.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "725cf19794cf90aa94e65050cb4191ff5d8fa87a498383774c47b332e3af952e"
+checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
 dependencies = [
  "libc",
 ]
@@ -445,9 +462,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 
 [[package]]
 name = "itoa"
-version = "0.4.5"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8b7a7c0c47db5545ed3fef7468ee7bb5b74691498139e4b3f6a20685dc6dd8e"
+checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
 
 [[package]]
 name = "lazy_static"
@@ -463,29 +480,30 @@ checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
 
 [[package]]
 name = "libc"
-version = "0.2.68"
+version = "0.2.74"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dea0c0405123bba743ee3f91f49b1c7cfb684eef0da0a50110f758ccf24cdff0"
+checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10"
 
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.2.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0177fd0ec022a5adb247e13e3238309913c28102a811227ad5de6a55697f152"
+checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
 dependencies = [
  "either",
  "libc",
  "libcryptsetup-rs-sys",
  "pkg-config",
+ "semver",
  "serde_json",
  "uuid",
 ]
 
 [[package]]
 name = "libcryptsetup-rs-sys"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c605998e81e2a99c1f4c5d0be45ea1df6f1dc45dc64f5ca2847b0dbebf49ae7"
+checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
 dependencies = [
  "bindgen",
  "cc",
@@ -505,9 +523,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.8"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
+checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
 dependencies = [
  "cfg-if",
 ]
@@ -526,18 +544,27 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
 
 [[package]]
 name = "memoffset"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4fc2c02a7e374099d4ee95a193111f72d2110197fe200272371758f6c3643d8"
+checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
 dependencies = [
  "autocfg 1.0.0",
 ]
 
 [[package]]
-name = "nom"
+name = "miniz_oxide"
-version = "5.1.1"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b471253da97532da4b61552249c521e01e736071f71c1a4f7ebbfbf0a06aad6"
+checksum = "be0f75932c1f6cfae3c04000e40114adf955636e19040f9c0a2c380702aa1c7f"
+dependencies = [
+ "adler",
+]
+
+[[package]]
+name = "nom"
+version = "5.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
 dependencies = [
  "memchr",
  "version_check",
@@ -556,13 +583,19 @@ dependencies = [
 
 [[package]]
 name = "num-traits"
-version = "0.2.11"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
+checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
 dependencies = [
  "autocfg 1.0.0",
 ]
 
+[[package]]
+name = "object"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
+
 [[package]]
 name = "peeking_take_while"
 version = "0.1.2"
@@ -571,33 +604,31 @@ checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
 
 [[package]]
 name = "pkg-config"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
+checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
 
 [[package]]
 name = "proc-macro-error"
-version = "0.4.12"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "18f33027081eba0a6d8aba6d1b1c3a3be58cbb12106341c2d5759fcd9b5277e7"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
  "proc-macro-error-attr",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.38",
  "version_check",
 ]
 
 [[package]]
 name = "proc-macro-error-attr"
-version = "0.4.12"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a5b4b77fdb63c1eca72173d68d24501c54ab1269409f6b672c85deb18af69de"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
- "syn-mid",
  "version_check",
 ]
 
@@ -612,11 +643,11 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.10"
+version = "1.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df246d292ff63439fea9bc8c0a270bed0e390d5ebd4db4ba15aba81111b5abe3"
+checksum = "04f5f085b5d71e2188cb8271e5da0161ad52c3f227a661a3c135fdf28e258b12"
 dependencies = [
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 
 [[package]]
@@ -636,11 +667,11 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.3"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f"
+checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
 ]
 
 [[package]]
@@ -781,17 +812,11 @@ dependencies = [
  "rand_core 0.3.1",
 ]
 
-[[package]]
-name = "redox_syscall"
-version = "0.1.56"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2439c63f3f6139d1b57529d16bc3b8bb855230c8efcc5d3a896c8bea7c3b1e84"
-
 [[package]]
 name = "regex"
-version = "1.3.6"
+version = "1.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f6946991529684867e47d86474e3a6d0c0ab9b82d5821e314b1ede31fa3a4b3"
+checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -801,9 +826,9 @@ dependencies = [
 
 [[package]]
 name = "regex-syntax"
-version = "0.6.17"
+version = "0.6.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fe5bd57d1d7414c6b5ed48563a2c855d995ff777729dcd91c369ec7fea395ae"
+checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
 
 [[package]]
 name = "ring"
@@ -860,9 +885,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 
 [[package]]
 name = "ryu"
-version = "1.0.3"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "535622e6be132bccd223f4bb2b8ac8d53cda3c7a6394944d3b2b33fb974f9d76"
+checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
 
 [[package]]
 name = "scopeguard"
@@ -887,15 +912,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 
 [[package]]
 name = "serde"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
+checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
+
+[[package]]
+name = "serde_derive"
+version = "1.0.115"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
+dependencies = [
+ "proc-macro2 1.0.19",
+ "quote 1.0.7",
+ "syn 1.0.38",
+]
 
 [[package]]
 name = "serde_json"
-version = "1.0.51"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da07b57ee2623368351e9a0488bb0b261322a15a6e0ae53e243cbdc0f4208da9"
+checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
 dependencies = [
  "itoa",
  "ryu",
@@ -922,9 +958,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 
 [[package]]
 name = "structopt"
-version = "0.3.12"
+version = "0.3.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8faa2719539bbe9d77869bfb15d4ee769f99525e707931452c97b693b3f159d"
+checksum = "de5472fb24d7e80ae84a7801b7978f95a19ec32cb1876faea59ab711eb901976"
 dependencies = [
  "clap",
  "lazy_static",
@@ -933,15 +969,15 @@ dependencies = [
 
 [[package]]
 name = "structopt-derive"
-version = "0.4.5"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f88b8e18c69496aad6f9ddf4630dd7d585bcaf765786cb415b9aec2fe5a0430"
+checksum = "1e0eb37335aeeebe51be42e2dc07f031163fbabfa6ac67d7ea68b5c2f68d5f99"
 dependencies = [
  "heck",
  "proc-macro-error",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.38",
 ]
 
 [[package]]
@@ -957,36 +993,25 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.17"
+version = "1.0.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0df0eb663f387145cab623dea85b09c2c5b4b0aef44e945d928e682fce71bb03"
+checksum = "e69abc24912995b3038597a7a593be5053eb0fb44f3cc5beec0deb421790c1f4"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
-]
-
-[[package]]
-name = "syn-mid"
-version = "0.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
-dependencies = [
- "proc-macro2 1.0.10",
- "quote 1.0.3",
- "syn 1.0.17",
 ]
 
 [[package]]
 name = "synstructure"
-version = "0.12.3"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
+checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.17",
+ "syn 1.0.38",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 
 [[package]]
@@ -1018,12 +1043,11 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.1.42"
+version = "0.1.43"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f"
+checksum = "ca8a50ef2360fbd1eeb0ecd46795a87a19024eb4b53c5dc916ca1fd95fe62438"
 dependencies = [
  "libc",
- "redox_syscall",
  "winapi",
 ]
 
@@ -1035,9 +1059,9 @@ checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
 
 [[package]]
 name = "unicode-width"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "caaa9d531767d1ff2150b9332433f32a24622147e5ebb1f26409d5da67afd479"
+checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
 
 [[package]]
 name = "unicode-xid"
@@ -1047,9 +1071,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 
 [[package]]
 name = "unicode-xid"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
+checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
 
 [[package]]
 name = "untrusted"
@@ -1068,15 +1092,15 @@ dependencies = [
 
 [[package]]
 name = "vec_map"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
+checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 
 [[package]]
 name = "version_check"
-version = "0.9.1"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "078775d0255232fb988e6fccf26ddc9d1ac274299aaedcedce21c6f72cc533ce"
+checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
 
 [[package]]
 name = "which"
@@ -1089,9 +1113,9 @@ dependencies = [
 
 [[package]]
 name = "winapi"
-version = "0.3.8"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
 dependencies = [
  "winapi-i686-pc-windows-gnu",
  "winapi-x86_64-pc-windows-gnu",
@@ -1105,9 +1129,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
 [[package]]
 name = "winapi-util"
-version = "0.1.4"
+version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa515c5163a99cc82bab70fd3bfdd36d827be85de63737b40fcef2ce084a436e"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
 dependencies = [
  "winapi",
 ]

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.7"
+version = "0.2.10"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL-2.0"
 
 [dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -20,7 +20,10 @@ ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"
-libcryptsetup-rs = "0.2.0"
+libcryptsetup-rs = "0.4.1"
+serde_json = "1.0.51"
+serde_derive = "1.0.106"
+serde = "1.0.106"
 
 [profile.release]
 lto = true
@@ -28,3 +31,15 @@ opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
+
+[package.metadata.deb]
+depends = "$auto, cryptsetup"
+build-depends = "libclang-dev, libcryptsetup-dev"
+extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+assets = [
+    ["target/release/fido2luks", "usr/bin/", "755"],
+    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
+    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
+    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
+]
+conf-files = ["/etc/fido2luks.conf"]

README.md

@@ -2,7 +2,7 @@
 
 This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 
 ## Setup
 
@@ -30,6 +30,8 @@ set -a
 . /etc/fido2luks.conf
 
 # Repeat for each luks volume
+# You can also use the `--token` flag when using LUKS2 which will then store the credential in the LUKS header,
+# enabling you to use `fido2luks open-token` without passing a credential as parameter
 sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
 # Test(only works if the luks container isn't active)
@@ -71,6 +73,8 @@ Just reboot and see if it works, if that's the case you should remove your old l
 # Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
 # There is no turning back if you mess this up, make sure you made a backup
+# You can also pass `--token` if you're using LUKS2 which will then store the credential in the LUKS header,
+# which will enable you to use `fido2luks open-token` without passing a credential as parameter
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
 
@@ -103,3 +107,17 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
+
+## License
+
+Licensed under
+
+ * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
+
+### Contribution
+
+Unless you explicitly state otherwise, any contribution intentionally
+submitted for inclusion in the work by you, as defined in the MPL 2.0
+license, shall be licensed as above, without any additional terms or
+conditions.
+

initramfs-tools/Makefile

@@ -0,0 +1,11 @@
+.PHONY: install
+install:
+	chmod +x hook/fido2luks.sh keyscript.sh
+	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
+	mkdir -p /usr/share/fido2luks
+	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u
+remove:
+	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
+	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
+	update-initramfs -u

initramfs-tools/README.md

@@ -0,0 +1,13 @@
+## Initramfs-tools based systems(Ubuntu and derivatives)
+
+After installation generate your credentials and add keys to your disk as described in the top-level README
+then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
+
+Example:
+```
+sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
+```
+
+But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
+
+[Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)

initramfs-tools/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+#FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
+FIDO2LUKS_CREDENTIAL_ID=

initramfs-tools/hook/fido2luks.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+case "$1" in
+prereqs)
+	echo ""
+	exit 0
+	;;
+
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
+copy_exec /usr/bin/fido2luks
+exit 0

initramfs-tools/keyscript.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -a
+. /etc/fido2luks.conf
+
+if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
+	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
+	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt '$MSG'"
+	plymouth message --text "$MSG"
+fi
+
+fido2luks print-secret --bin

src/cli.rs

@@ -1,5 +1,4 @@
 use crate::error::*;
-use crate::luks;
 use crate::*;
 
 use structopt::StructOpt;
@@ -12,7 +11,10 @@ use std::io::Write;
 use std::process::exit;
 use std::thread;
 
+use crate::luks::{Fido2LuksToken, LuksDevice};
 use crate::util::sha256;
+use std::borrow::Cow;
+use std::collections::HashSet;
 use std::time::SystemTime;
 
 #[derive(Debug, Eq, PartialEq, Clone)]
@@ -24,6 +26,12 @@ impl Display for HexEncoded {
     }
 }
 
+impl AsRef<[u8]> for HexEncoded {
+    fn as_ref(&self) -> &[u8] {
+        &self.0[..]
+    }
+}
+
 impl FromStr for HexEncoded {
     type Err = hex::FromHexError;
 
@@ -58,7 +66,7 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
 
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
-    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
+    /// FIDO credential ids, separated by ',' generate using fido2luks credential
     #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
     pub ids: CommaSeparated<HexEncoded>,
 }
@@ -126,7 +134,7 @@ fn derive_secret(
     salt: &[u8; 32],
     timeout: u64,
     pin: Option<&str>,
-) -> Fido2LuksResult<[u8; 32]> {
+) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
     let timeout = Duration::from_secs(timeout);
     let start = SystemTime::now();
 
@@ -143,23 +151,18 @@ fn derive_secret(
         thread::sleep(Duration::from_millis(500));
     }
 
-    Ok(sha256(&[
+    let credentials = credentials
-        &perform_challenge(
-            &credentials
         .iter()
         .map(|hex| FidoCredential {
             id: hex.0.clone(),
             public_key: None,
         })
-                .collect::<Vec<_>>()
+        .collect::<Vec<_>>();
-                .iter()
+    let credentials = credentials.iter().collect::<Vec<_>>();
-                .collect::<Vec<_>>()[..],
+    let (unsalted, cred) =
-            salt,
+        perform_challenge(&credentials, salt, timeout - start.elapsed().unwrap(), pin)?;
-            timeout - start.elapsed().unwrap(),
+
-            pin,
+    Ok((sha256(&[salt, &unsalted[..]]), cred.clone()))
-        )?[..],
-        salt,
-    ]))
 }
 
 fn read_pin() -> Fido2LuksResult<String> {
@@ -214,6 +217,9 @@ pub enum Command {
         /// Will wipe all other keys
         #[structopt(short = "e", long = "exclusive")]
         exclusive: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
         #[structopt(flatten)]
         existing_secret: OtherSecret,
         #[structopt(flatten)]
@@ -233,6 +239,9 @@ pub enum Command {
         /// Add the password and keep the key
         #[structopt(short = "a", long = "add-password")]
         add_password: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
         #[structopt(flatten)]
         replacement: OtherSecret,
         #[structopt(flatten)]
@@ -251,7 +260,20 @@ pub enum Command {
         authenticator: AuthenticatorParameters,
         #[structopt(flatten)]
         secret: SecretParameters,
-
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
+    },
+    /// Open the LUKS device using credentials embedded in the LUKS 2 header
+    #[structopt(name = "open-token")]
+    OpenToken {
+        #[structopt(flatten)]
+        luks: LuksParameters,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(flatten)]
+        authenticator: AuthenticatorParameters,
+        #[structopt(flatten)]
+        secret: SecretParameters,
         #[structopt(short = "r", long = "max-retries", default_value = "0")]
         retries: i32,
     },
@@ -267,6 +289,45 @@ pub enum Command {
     /// Check if an authenticator is connected
     #[structopt(name = "connected")]
     Connected,
+    Token(TokenCommand),
+}
+
+///LUKS2 token related operations
+#[derive(Debug, StructOpt)]
+pub enum TokenCommand {
+    /// List all tokens associated with the specified device
+    List {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Dump all credentials as CSV
+        #[structopt(long = "csv")]
+        csv: bool,
+    },
+    /// Add credential to a keyslot
+    Add {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        /// Slot to which the credentials will be added
+        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
+        slot: u32,
+    },
+    /// Remove credentials from token(s)
+    Remove {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(flatten)]
+        credentials: Credentials,
+        /// Token from which the credentials will be removed
+        #[structopt(long = "token")]
+        token_id: Option<u32>,
+    },
+    /// Remove all unassigned tokens
+    GC {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+    },
 }
 
 pub fn parse_cmdline() -> Args {
@@ -311,7 +372,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             } else {
                 secret.salt.obtain(&secret.password_helper)
             }?;
-            let secret = derive_secret(
+            let (secret, _cred) = derive_secret(
                 credentials.ids.0.as_slice(),
                 &salt,
                 authenticator.await_time,
@@ -331,6 +392,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             luks_mod,
             existing_secret: other_secret,
+            token,
             ..
         }
         | Command::ReplaceKey {
@@ -340,6 +402,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             secret,
             luks_mod,
             replacement: other_secret,
+            token,
             ..
         } => {
             let pin = if authenticator.pin {
@@ -354,12 +417,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     secret.salt.obtain(&secret.password_helper)
                 }
             };
-            let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<Vec<u8>> {
+            let other_secret = |salt_q: &str,
+                                verify: bool|
+             -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
                 match other_secret {
                     OtherSecret {
                         keyfile: Some(file),
                         ..
-                    } => util::read_keyfile(file),
+                    } => Ok((util::read_keyfile(file)?, None)),
                     OtherSecret {
                         fido_device: true, ..
                     } => Ok(derive_secret(
@@ -367,12 +432,15 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                         &salt(salt_q, verify)?,
                         authenticator.await_time,
                         pin.as_deref(),
-                    )?[..]
+                    )
-                        .to_vec()),
+                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
-                    _ => Ok(util::read_password(salt_q, verify)?.as_bytes().to_vec()),
+                    _ => Ok((
+                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
+                        None,
+                    )),
                 }
             };
-            let secret = |verify: bool| -> Fido2LuksResult<[u8; 32]> {
+            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
                 derive_secret(
                     &credentials.ids.0,
                     &salt("Password", verify)?,
@@ -380,19 +448,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     pin.as_deref(),
                 )
             };
+            let mut luks_dev = LuksDevice::load(&luks.device)?;
             // Non overlap
             match &args.command {
                 Command::AddKey { exclusive, .. } => {
-                    let existing_secret = other_secret("Current password", false)?;
+                    let (existing_secret, _) = other_secret("Current password", false)?;
-                    let new_secret = secret(true)?;
+                    let (new_secret, cred) = secret(true)?;
-                    let added_slot = luks::add_key(
+                    let added_slot = luks_dev.add_key(
-                        &luks.device,
                         &new_secret,
                         &existing_secret[..],
                         luks_mod.kdf_time.or(Some(10)),
+                        Some(&cred.id[..]).filter(|_| *token),
                     )?;
                     if *exclusive {
-                        let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?;
+                        let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
                         println!(
                             "Added to key to device {}, slot: {}\nRemoved {} old keys",
                             luks.device.display(),
@@ -409,21 +478,21 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     Ok(())
                 }
                 Command::ReplaceKey { add_password, .. } => {
-                    let existing_secret = secret(false)?;
+                    let (existing_secret, _) = secret(false)?;
-                    let replacement_secret = other_secret("Replacement password", true)?;
+                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                     let slot = if *add_password {
-                        luks::add_key(
+                        luks_dev.add_key(
-                            &luks.device,
                             &replacement_secret[..],
                             &existing_secret,
                             luks_mod.kdf_time,
+                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
                         )
                     } else {
-                        luks::replace_key(
+                        luks_dev.replace_key(
-                            &luks.device,
                             &replacement_secret[..],
                             &existing_secret,
                             luks_mod.kdf_time,
+                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
                         )
                     }?;
                     println!(
@@ -439,7 +508,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         Command::Open {
             luks,
             authenticator,
-            credentials,
+            secret,
+            name,
+            retries,
+            ..
+        }
+        | Command::OpenToken {
+            luks,
+            authenticator,
             secret,
             name,
             retries,
@@ -458,16 +534,38 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                     secret.salt.obtain(&secret.password_helper)
                 }
             };
-            let mut retries = *retries;
+
-            loop {
+            // Cow shouldn't be necessary
-                match derive_secret(
+            let secret = |credentials: Cow<'_, Vec<HexEncoded>>| {
-                    &credentials.ids.0,
+                derive_secret(
+                    credentials.as_ref(),
                     &salt("Password", false)?,
                     authenticator.await_time,
                     pin,
                 )
-                .and_then(|secret| luks::open_container(&luks.device, &name, &secret, luks.slot))
+            };
-                {
+
+            let mut retries = *retries;
+            let mut luks_dev = LuksDevice::load(&luks.device)?;
+            loop {
+                let secret = match &args.command {
+                    Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
+                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
+                    Command::OpenToken { .. } => luks_dev.activate_token(
+                        &name,
+                        Box::new(|credentials: Vec<String>| {
+                            let creds = credentials
+                                .into_iter()
+                                .flat_map(|cred| HexEncoded::from_str(cred.as_ref()).ok())
+                                .collect::<Vec<_>>();
+                            secret(Cow::Owned(creds))
+                                .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
+                        }),
+                        luks.slot,
+                    ),
+                    _ => unreachable!(),
+                };
+                match secret {
                     Err(e) => {
                         match e {
                             Fido2LuksError::WrongSecret if retries > 0 => {}
@@ -479,7 +577,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                         retries -= 1;
                         eprintln!("{}", e);
                     }
-                    res => break res,
+                    res => break res.map(|_| ()),
                 }
             }
         }
@@ -490,5 +588,129 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             }
             _ => exit(1),
         },
+        Command::Token(cmd) => match cmd {
+            TokenCommand::List {
+                device,
+                csv: dump_credentials,
+            } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut creds = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    for cred in token.credential.iter() {
+                        if !creds.contains(cred) {
+                            creds.push(cred.clone());
+                            if *dump_credentials {
+                                print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
+                            }
+                        }
+                    }
+                    if *dump_credentials {
+                        continue;
+                    }
+                    println!(
+                        "{}:\n\tSlots: {}\n\tCredentials: {}",
+                        id,
+                        if token.keyslots.is_empty() {
+                            "None".into()
+                        } else {
+                            token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
+                        },
+                        token
+                            .credential
+                            .iter()
+                            .map(|cred| format!(
+                                "{} ({})",
+                                cred,
+                                creds.iter().position(|c| c == cred).unwrap().to_string()
+                            ))
+                            .collect::<Vec<_>>()
+                            .join(",")
+                    );
+                }
+                if *dump_credentials {
+                    println!();
+                }
+                Ok(())
+            }
+            TokenCommand::Add {
+                device,
+                credentials,
+                slot,
+            } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut tokens = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    if token.keyslots.contains(&slot.to_string()) {
+                        tokens.push((id, token));
+                    }
+                }
+                let count = if tokens.is_empty() {
+                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
+                    1
+                } else {
+                    tokens.len()
+                };
+                for (id, mut token) in tokens {
+                    token
+                        .credential
+                        .extend(credentials.ids.0.iter().map(|h| h.to_string()));
+                    dev.update_token(id, &token)?;
+                }
+                println!("Updated {} tokens", count);
+                Ok(())
+            }
+            TokenCommand::Remove {
+                device,
+                credentials,
+                token_id,
+            } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut tokens = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    if let Some(token_id) = token_id {
+                        if id == *token_id {
+                            tokens.push((id, token));
+                        }
+                    } else {
+                        tokens.push((id, token));
+                    }
+                }
+                let count = tokens.len();
+                for (id, mut token) in tokens {
+                    token.credential = token
+                        .credential
+                        .into_iter()
+                        .filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
+                        .collect();
+                    dev.update_token(id, &token)?;
+                }
+                println!("Updated {} tokens", count);
+                Ok(())
+            }
+            TokenCommand::GC { device } => {
+                let mut dev = LuksDevice::load(device)?;
+                let mut creds: HashSet<String> = HashSet::new();
+                let mut remove = Vec::new();
+                for token in dev.tokens()? {
+                    let (id, token) = token?;
+                    if token.keyslots.is_empty() || token.credential.is_empty() {
+                        creds.extend(token.credential);
+                        remove.push(id);
+                    }
+                }
+                for id in remove.iter().rev() {
+                    dev.remove_token(*id)?;
+                }
+                println!(
+                    "Removed {} tokens, affected credentials: {}",
+                    remove.len(),
+                    creds.into_iter().collect::<Vec<_>>().join(",")
+                );
+                Ok(())
+            }
+        },
     }
 }

src/device.rs

@@ -32,12 +32,12 @@ pub fn make_credential_id(
     )?)
 }
 
-pub fn perform_challenge(
+pub fn perform_challenge<'a>(
-    credentials: &[&FidoCredential],
+    credentials: &'a [&'a FidoCredential],
     salt: &[u8; 32],
     timeout: Duration,
     pin: Option<&str>,
-) -> Fido2LuksResult<[u8; 32]> {
+) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
     let request = FidoAssertionRequestBuilder::default()
         .rp_id(RP_ID)
         .credentials(credentials)
@@ -49,13 +49,13 @@ pub fn perform_challenge(
         }
         device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
     };
-    let (_, (secret, _)) = request_multiple_devices(
+    let (credential, (secret, _)) = request_multiple_devices(
         get_devices()?
             .iter_mut()
             .map(|device| (device, &get_assertion)),
         Some(timeout),
     )?;
-    Ok(secret)
+    Ok((secret, credential))
 }
 
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {

src/error.rs

@@ -13,11 +13,13 @@ pub enum Fido2LuksError {
     AuthenticatorError { cause: ctap::FidoError },
     #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     NoAuthenticatorError,
-    #[fail(display = "luks err")]
+    #[fail(display = " {}", cause)]
-    LuksError {
+    CryptsetupError {
         cause: libcryptsetup_rs::LibcryptErr,
     },
-    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
+    #[fail(display = "{}", cause)]
+    LuksError { cause: LuksError },
+    #[fail(display = "{}", cause)]
     IoError { cause: io::Error },
     #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
@@ -46,7 +48,41 @@ pub enum AskPassError {
     Mismatch,
 }
 
+#[derive(Debug, Fail)]
+pub enum LuksError {
+    #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
+    Luks2Required,
+    #[fail(display = "Invalid token: {}", _0)]
+    InvalidToken(String),
+    #[fail(display = "No token found")]
+    NoToken,
+    #[fail(display = "The device already exists")]
+    DeviceExists,
+}
+
+impl LuksError {
+    pub fn activate(e: LibcryptErr) -> Fido2LuksError {
+        match e {
+            LibcryptErr::IOError(ref io) => match io.raw_os_error() {
+                Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
+                Some(17) => Fido2LuksError::LuksError {
+                    cause: LuksError::DeviceExists,
+                },
+                _ => return Fido2LuksError::CryptsetupError { cause: e },
+            },
+            _ => Fido2LuksError::CryptsetupError { cause: e },
+        }
+    }
+}
+
+impl From<LuksError> for Fido2LuksError {
+    fn from(e: LuksError) -> Self {
+        Fido2LuksError::LuksError { cause: e }
+    }
+}
+
 use libcryptsetup_rs::LibcryptErr;
+use std::io::ErrorKind;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
 
@@ -62,7 +98,7 @@ impl From<LibcryptErr> for Fido2LuksError {
             LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
                 WrongSecret
             }
-            _ => LuksError { cause: e },
+            _ => CryptsetupError { cause: e },
         }
     }
 }

src/luks.rs

@@ -1,82 +1,327 @@
 use crate::error::*;
 
-use libcryptsetup_rs::{CryptActivateFlags, CryptDevice, CryptInit, EncryptionFormat, KeyslotInfo};
+use libcryptsetup_rs::{
+    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
+    TokenInput,
+};
+use std::collections::{HashMap, HashSet};
 use std::path::Path;
 
-fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+pub struct LuksDevice {
+    device: CryptDevice,
+    luks2: Option<bool>,
+}
+
+impl LuksDevice {
+    pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
         let mut device = CryptInit::init(path.as_ref())?;
-    //TODO: determine luks version some way other way than just trying
+        device.context_handle().load::<()>(None, None)?;
-    let mut load = |format| device.context_handle().load::<()>(format, None).map(|_| ());
+        Ok(Self {
-    vec![EncryptionFormat::Luks2, EncryptionFormat::Luks1]
+            device,
-        .into_iter()
+            luks2: None,
-        .fold(None, |res, format| match res {
-            Some(Ok(())) => res,
-            Some(e) => Some(e.or_else(|_| load(format))),
-            None => Some(load(format)),
         })
-        .unwrap()?;
+    }
-    Ok(device)
-}
 
-pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8], slot_hint: Option<u32>) -> Fido2LuksResult<()> {
+    pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
-    let mut device = load_device_handle(path)?;
+        if let Some(luks2) = self.luks2 {
-    device
+            Ok(luks2)
-        .activate_handle()
+        } else {
-        .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
+            self.luks2 = Some(match self.device.format_handle().get_type()? {
-        .map(|_slot| ())
+                EncryptionFormat::Luks2 => true,
-        .map_err(|_e| Fido2LuksError::WrongSecret)
+                _ => false,
-}
+            });
+            self.is_luks2()
+        }
+    }
 
-pub fn add_key<P: AsRef<Path>>(
+    fn require_luks2(&mut self) -> Fido2LuksResult<()> {
-    path: P,
+        if !self.is_luks2()? {
+            return Err(LuksError::Luks2Required.into());
+        }
+        Ok(())
+    }
+
+    pub fn tokens<'a>(
+        &'a mut self,
+    ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
+    {
+        self.require_luks2()?;
+        Ok(Box::new(
+            (0..32)
+                .map(move |i| {
+                    let status = match self.device.token_handle().status(i) {
+                        Ok(status) => status,
+                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                    };
+                    match status {
+                        CryptTokenInfo::Inactive => return None,
+                        CryptTokenInfo::Internal(s)
+                        | CryptTokenInfo::InternalUnknown(s)
+                        | CryptTokenInfo::ExternalUnknown(s)
+                        | CryptTokenInfo::External(s)
+                            if &s != Fido2LuksToken::default_type() =>
+                        {
+                            return None
+                        }
+                        _ => (),
+                    };
+                    let json = match self.device.token_handle().json_get(i) {
+                        Ok(json) => json,
+                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                    };
+                    let info: Fido2LuksToken =
+                        match serde_json::from_value(json.clone()).map_err(|_| {
+                            Fido2LuksError::LuksError {
+                                cause: LuksError::InvalidToken(json.to_string()),
+                            }
+                        }) {
+                            Ok(info) => info,
+                            Err(err) => return Some(Err(Fido2LuksError::from(err))),
+                        };
+                    Some(Ok((i, info)))
+                })
+                .filter_map(|o| o),
+        ))
+    }
+
+    pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
+        let slot_str = slot.to_string();
+        for token in self.tokens()? {
+            let (id, token) = token?;
+            if token.keyslots.contains(&slot_str) {
+                return Ok(Some((id, token)));
+            }
+        }
+        Ok(None)
+    }
+
+    pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
+        Ok(())
+    }
+
+    pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::RemoveToken(token))?;
+        Ok(())
+    }
+
+    pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
+        self.device
+            .token_handle()
+            .json_set(TokenInput::ReplaceToken(
+                token,
+                &serde_json::to_value(&data).unwrap(),
+            ))?;
+        Ok(())
+    }
+
+    pub fn add_key(
+        &mut self,
         secret: &[u8],
         old_secret: &[u8],
         iteration_time: Option<u64>,
-) -> Fido2LuksResult<u32> {
+        credential_id: Option<&[u8]>,
-    let mut device = load_device_handle(path)?;
+    ) -> Fido2LuksResult<u32> {
         if let Some(millis) = iteration_time {
-        device.settings_handle().set_iteration_time(millis)
+            self.device.settings_handle().set_iteration_time(millis)
+        }
+        let slot = self
+            .device
+            .keyslot_handle()
+            .add_by_passphrase(None, old_secret, secret)?;
+        if let Some(id) = credential_id {
+            self.device.token_handle().json_set(TokenInput::AddToken(
+                &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
+            ))?;
         }
-    let slot = device
-        .keyslot_handle(None)
-        .add_by_passphrase(old_secret, secret)?;
-    Ok(slot)
-}
 
-pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+        Ok(slot)
-    let mut device = load_device_handle(path)?;
+    }
-    let mut handle;
+
+    pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
         let mut destroyed = 0;
-    //TODO: detect how many keyslots there are instead of trying within a given range
+        let mut tokens = Vec::new();
-    for slot in 0..1024 {
+        for slot in 0..256 {
-        handle = device.keyslot_handle(Some(slot));
+            match self.device.keyslot_handle().status(slot)? {
-        match handle.status()? {
                 KeyslotInfo::Inactive => continue,
-            KeyslotInfo::Active if !exclude.contains(&slot) => {
+                KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
-                handle.destroy()?;
+                    if self.is_luks2()? {
+                        if let Some((id, _token)) = self.find_token(slot)? {
+                            tokens.push(id);
+                        }
+                    }
+                    self.device.keyslot_handle().destroy(slot)?;
                     destroyed += 1;
                 }
+                KeyslotInfo::ActiveLast => break,
                 _ => (),
             }
-        if let KeyslotInfo::ActiveLast = handle.status()? {
+            if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
                 break;
             }
         }
+        // Ensure indices stay valid
+        tokens.sort();
+        for token in tokens.iter().rev() {
+            self.remove_token(*token)?;
+        }
         Ok(destroyed)
-}
+    }
 
-pub fn replace_key<P: AsRef<Path>>(
+    pub fn replace_key(
-    path: P,
+        &mut self,
         secret: &[u8],
         old_secret: &[u8],
         iteration_time: Option<u64>,
-) -> Fido2LuksResult<u32> {
+        credential_id: Option<&[u8]>,
-    let mut device = load_device_handle(path)?;
+    ) -> Fido2LuksResult<u32> {
-    // Set iteration time not sure wether this applies to luks2 as well
         if let Some(millis) = iteration_time {
-        device.settings_handle().set_iteration_time(millis)
+            self.device.settings_handle().set_iteration_time(millis)
+        }
+        // Use activate dry-run to locate keyslot
+        let slot = self.device.activate_handle().activate_by_passphrase(
+            None,
+            None,
+            old_secret,
+            CryptActivateFlags::empty(),
+        )?;
+        self.device.keyslot_handle().change_by_passphrase(
+            Some(slot),
+            Some(slot),
+            old_secret,
+            secret,
+        )? as u32;
+        if let Some(id) = credential_id {
+            if self.is_luks2()? {
+                let token = self.find_token(slot)?.map(|(t, _)| t);
+                let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
+                if let Some(token) = token {
+                    self.device
+                        .token_handle()
+                        .json_set(TokenInput::ReplaceToken(token, &json))?;
+                } else {
+                    self.device
+                        .token_handle()
+                        .json_set(TokenInput::AddToken(&json))?;
+                }
+            }
+        }
+        Ok(slot)
+    }
+
+    pub fn activate(
+        &mut self,
+        name: &str,
+        secret: &[u8],
+        slot_hint: Option<u32>,
+    ) -> Fido2LuksResult<u32> {
+        self.device
+            .activate_handle()
+            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
+            .map_err(LuksError::activate)
+    }
+
+    pub fn activate_token(
+        &mut self,
+        name: &str,
+        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
+        slot_hint: Option<u32>,
+    ) -> Fido2LuksResult<u32> {
+        if !self.is_luks2()? {
+            return Err(LuksError::Luks2Required.into());
+        }
+        let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
+        for token in self.tokens()? {
+            let token = match token {
+                Ok((_id, t)) => t,
+                _ => continue, // An corrupted token should't lock the user out
+            };
+            let slots = || {
+                token
+                    .keyslots
+                    .iter()
+                    .filter_map(|slot| slot.parse::<u32>().ok())
+            };
+            for cred in token.credential.iter() {
+                creds
+                    .entry(cred.clone())
+                    .or_insert_with(|| slots().collect::<HashSet<u32>>())
+                    .extend(slots());
+            }
+        }
+        if creds.is_empty() {
+            return Err(Fido2LuksError::LuksError {
+                cause: LuksError::NoToken,
+            });
+        }
+        let (secret, credential) = secret(creds.keys().cloned().collect())?;
+        let empty;
+        let slots = if let Some(slots) = creds.get(&credential) {
+            slots
+        } else {
+            empty = HashSet::new();
+            &empty
+        };
+        //Try slots associated with the credential used
+        let slots = slots.iter().cloned().map(Option::Some).chain(
+            std::iter::once(slot_hint) // Try slot hint if there is one
+                .take(slot_hint.is_some() as usize)
+                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
+        );
+        for slot in slots {
+            match self.activate(name, &secret, slot) {
+                Err(Fido2LuksError::WrongSecret) => (),
+                res => return res,
+            }
+        }
+        Err(Fido2LuksError::WrongSecret)
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Fido2LuksToken {
+    #[serde(rename = "type")]
+    pub type_: String,
+    pub credential: HashSet<String>,
+    pub keyslots: HashSet<String>,
+}
+
+impl Fido2LuksToken {
+    pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
+        Self::with_credentials(std::iter::once(credential_id), slot)
+    }
+
+    pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
+        credentials: I,
+        slot: u32,
+    ) -> Self {
+        Self {
+            credential: credentials
+                .into_iter()
+                .map(|cred| hex::encode(cred.as_ref()))
+                .collect(),
+            keyslots: vec![slot.to_string()].into_iter().collect(),
+            ..Default::default()
+        }
+    }
+    pub fn default_type() -> &'static str {
+        "fido2luks"
+    }
+}
+
+impl Default for Fido2LuksToken {
+    fn default() -> Self {
+        Self {
+            type_: Self::default_type().into(),
+            credential: HashSet::new(),
+            keyslots: HashSet::new(),
+        }
     }
-    Ok(device
-        .keyslot_handle(None)
-        .change_by_passphrase(None, None, old_secret, secret)? as u32)
 }

src/main.rs

@@ -1,6 +1,8 @@
 #[macro_use]
 extern crate failure;
 extern crate ctap_hmac as ctap;
+#[macro_use]
+extern crate serde_derive;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;