update to 0.2.2

match rp_id to fido2luks

.drone.yml

@@ -12,3 +12,23 @@ steps:
    commands:
     - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
     - cargo test
+
+ - name: build
+   image: rust:1.37.0
+   commands:
+    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - cargo install -f --path . --root .
+   when:
+    event: tag
+ - name: publish
+   image: plugins/github-release
+   settings:
+     api_key:
+      from_secret: github_release
+     files:
+      - bin/fido2luks
+     checksum:
+      - md5
+      - sha256
+   when:
+    event: tag    

Cargo.lock

@@ -24,11 +24,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "backtrace"
-version = "0.3.37"
+version = "0.3.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "backtrace-sys 0.1.31 (registry+https://github.com/rust-lang/crates.io-index)",
- "cfg-if 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
  "rustc-demangle 0.1.16 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
@@ -44,16 +44,16 @@ dependencies = [
 
 [[package]]
 name = "bitflags"
-version = "1.1.0"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "blkid-rs"
-version = "0.1.1"
-source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy#2f3e0e20a4619e09750e759c96286f32c2baa2fa"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "uuid 0.7.4 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
@@ -77,7 +77,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "cfg-if"
-version = "0.1.9"
+version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
@@ -87,7 +87,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "atty 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)",
- "bitflags 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "bitflags 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "textwrap 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "unicode-width 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -99,31 +99,41 @@ name = "cloudabi"
 version = "0.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "bitflags 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "bitflags 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
 name = "cryptsetup-rs"
-version = "0.2.0"
-source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy#2f3e0e20a4619e09750e759c96286f32c2baa2fa"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
+ "blkid-rs 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)",
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
- "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
+ "libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
- "uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "uuid 0.7.4 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
-name = "ctap"
-version = "0.1.0"
-source = "git+https://github.com/shimunn/ctap.git?branch=hmac_ext#3d3679d5b9a8c8cc90edb969c0f187740a3f2480"
+name = "csv-core"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "ctap_hmac"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "csv-core 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
  "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "failure_derive 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
+ "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
  "rand 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -156,7 +166,7 @@ name = "failure"
 version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "backtrace 0.3.37 (registry+https://github.com/rust-lang/crates.io-index)",
+ "backtrace 0.3.38 (registry+https://github.com/rust-lang/crates.io-index)",
  "failure_derive 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
@@ -173,15 +183,15 @@ dependencies = [
 
 [[package]]
 name = "fido2luks"
-version = "0.1.0"
+version = "0.2.2"
 dependencies = [
- "cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
- "ctap 0.1.0 (git+https://github.com/shimunn/ctap.git?branch=hmac_ext)",
+ "cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ctap_hmac 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)",
+ "libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "ring 0.13.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "rpassword 4.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
- "rust-crypto 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
  "structopt 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
@@ -208,6 +218,11 @@ name = "hex"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "hex"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "lazy_static"
 version = "1.4.0"
@@ -220,8 +235,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "libcryptsetup-sys"
-version = "0.1.1"
-source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy#2f3e0e20a4619e09750e759c96286f32c2baa2fa"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
  "pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -232,7 +247,15 @@ name = "log"
 version = "0.4.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "cfg-if 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "memchr"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
@@ -263,7 +286,7 @@ name = "proc-macro-error"
 version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "proc-macro2 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "syn 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
@@ -278,7 +301,7 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.3"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "unicode-xid 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -297,7 +320,7 @@ name = "quote"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "proc-macro2 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
@@ -493,7 +516,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "proc-macro-error 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)",
- "proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "proc-macro2 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "syn 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
@@ -513,7 +536,7 @@ name = "syn"
 version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "proc-macro2 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "unicode-xid 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
@@ -574,11 +597,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "uuid"
-version = "0.6.5"
+version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "cfg-if 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)",
- "rand 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
+ "rand 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
@@ -609,18 +631,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
 "checksum atty 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)" = "1803c647a3ec87095e7ae7acfca019e98de5ec9a7d01343f611cf3152ed71a90"
 "checksum autocfg 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "b671c8fb71b457dd4ae18c4ba1e59aa81793daacc361d82fcd410cef0d491875"
-"checksum backtrace 0.3.37 (registry+https://github.com/rust-lang/crates.io-index)" = "5180c5a20655b14a819b652fd2378fa5f1697b6c9ddad3e695c2f9cedf6df4e2"
+"checksum backtrace 0.3.38 (registry+https://github.com/rust-lang/crates.io-index)" = "690a62be8920ccf773ee00ef0968649b0e724cda8bd5b12286302b4ae955fdf5"
 "checksum backtrace-sys 0.1.31 (registry+https://github.com/rust-lang/crates.io-index)" = "82a830b4ef2d1124a711c71d263c5abdc710ef8e907bd508c88be475cebc422b"
-"checksum bitflags 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3d155346769a6855b86399e9bc3814ab343cd3d62c7e985113d46a0ec3c281fd"
-"checksum blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)" = "<none>"
+"checksum bitflags 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "8a606a02debe2813760609f57a64a2ffd27d9fdf5b2f133eaca0b248dd92cdd2"
+"checksum blkid-rs 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "5056e517a69878f709dadf9f311a8f4519e67446d1a748001ec7226ea1e71dd0"
 "checksum byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "a7c3dd8985a7111efc5c80b44e23ecdd8c007de8ade3b96595387e812b957cf5"
 "checksum cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e083a023562b37c52837e850131a51b1154cceb9d149f41ee3d386737b140f46"
 "checksum cc 1.0.45 (registry+https://github.com/rust-lang/crates.io-index)" = "4fc9a35e1f4290eb9e5fc54ba6cf40671ed2a2514c3eeb2b2a908dda2ea5a1be"
-"checksum cfg-if 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)" = "b486ce3ccf7ffd79fdeb678eac06a9e6c09fc88d33836340becb8fffe87c5e33"
+"checksum cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
 "checksum clap 2.33.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
 "checksum cloudabi 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f"
-"checksum cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)" = "<none>"
-"checksum ctap 0.1.0 (git+https://github.com/shimunn/ctap.git?branch=hmac_ext)" = "<none>"
+"checksum cryptsetup-rs 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8b1eb6abff80fdc7b52c37b3e58f5a4cbda78bffc01ac7b02c1296552a07028a"
+"checksum csv-core 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "9b5cadb6b25c77aeff80ba701712494213f4a8418fcda2ee11b6560c3ad0bf4c"
+"checksum ctap_hmac 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "4d57004228e303ed0d161f081020240d969ce18b623c3f4503645e1a06b42ae7"
 "checksum errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)" = "c2a071601ed01b988f896ab14b95e67335d1eeb50190932a1320f7fe3cadc84e"
 "checksum errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "14ca354e36190500e1e1fb267c647932382b54053c50b14970856c0b00a35067"
 "checksum failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "795bd83d3abeb9220f257e597aa0080a508b27533824adf336529648f6abf7e2"
@@ -629,16 +652,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum gcc 0.3.55 (registry+https://github.com/rust-lang/crates.io-index)" = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 "checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
 "checksum hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
+"checksum hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "023b39be39e3a2da62a94feb433e91e8bcd37676fbc8bea371daf52b7a769a3e"
 "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 "checksum libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)" = "34fcd2c08d2f832f376f4173a231990fa5aef4e99fb569867318a227ef4c06ba"
-"checksum libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=destroy)" = "<none>"
+"checksum libcryptsetup-sys 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f8cab37dfc7316ea263a42ffa51b4b75c9022538576350d7a416de697384f596"
 "checksum log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)" = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
+"checksum memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "88579771288728879b57485cc7d6b07d648c9f0141eb955f8ab7f9d45394468e"
 "checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
 "checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"
 "checksum pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)" = "72d5370d90f49f70bd033c3d75e87fc529fbfff9d6f7cccef07d6170079d91ea"
 "checksum proc-macro-error 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "aeccfe4d5d8ea175d5f0e4a2ad0637e0f4121d63bd99d356fb1f39ab2e7c6097"
 "checksum proc-macro2 0.4.30 (registry+https://github.com/rust-lang/crates.io-index)" = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759"
-"checksum proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e98a83a9f9b331f54b924e68a66acb1bb35cb01fb0a23645139967abefb697e8"
+"checksum proc-macro2 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)" = "90cf5f418035b98e655e9cdb225047638296b862b42411c4e45bb88d700f7fc0"
 "checksum quote 0.6.13 (registry+https://github.com/rust-lang/crates.io-index)" = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1"
 "checksum quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)" = "053a8c8bcc71fcce321828dc897a98ab9760bef03a4fc36693c231e5b3216cfe"
 "checksum rand 0.3.23 (registry+https://github.com/rust-lang/crates.io-index)" = "64ac302d8f83c0c1974bf758f6b041c6c8ada916fbb44a609158ca8b064cc76c"
@@ -673,7 +698,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 "checksum unicode-xid 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
 "checksum untrusted 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
-"checksum uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)" = "e1436e58182935dcd9ce0add9ea0b558e8a87befe01c1a301e6020aeb0876363"
+"checksum uuid 0.7.4 (registry+https://github.com/rust-lang/crates.io-index)" = "90dbc611eb48397705a6b0f6e917da23ae517e4d127123d2cf7674206627d32a"
 "checksum vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
 "checksum winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)" = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
 "checksum winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"

Cargo.toml

@@ -1,17 +1,27 @@
 [package]
 name = "fido2luks"
-version = "0.1.0"
+version = "0.2.2"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
+description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+documentation = "https://github.com/shimunn/fido2luks/blob/master/README.md"
+homepage = "https://github.com/shimunn/fido2luks"
+repository = "https://github.com/shimunn/fido2luks"
+readme = "README.md"
+keywords = ["luks", "fido2", "u2f"]
+categories = ["command-line-utilities"]
+license-file = "LICENSE"
+
 [dependencies]
-ctap = { git = "https://github.com/shimunn/ctap.git", branch = "hmac_ext" }
-#cryptsetup-rs = "0.2.0"
-cryptsetup-rs = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "destroy" }
-libcryptsetup-sys = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "destroy" }
+#ctap = "0.1.0"
+ctap_hmac = "0.2.1"
+cryptsetup-rs = "0.2.1"
+libcryptsetup-sys = "0.1.2"
+
 
 hex = "0.3.2"
-rust-crypto = "0.2.36"
+ring = "0.13.5"
 failure = "0.1.5"
 rpassword = "4.0.1"
 structopt = "0.3.2"

README.md

@@ -1,8 +1,8 @@
-# fido2luks
+# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatable key
+This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 
-Note: This has only been tested under Fedora 30 using a Solo Key
+Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
 
 ## Setup
 
@@ -20,13 +20,13 @@ git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 #Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
 CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
 
-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> fido2luks.conf
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
 
 set -a
-. fido2luks.conf
+. dracut/96luks-2fa/fido2luks.conf
 
 #Repeat for each luks volume
-sudo -E fido2luks -i addkey /dev/disk/by-uuid/<DISK_UUID>
+sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
 #Test(only works if the luks container isn't active)
 sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
@@ -43,14 +43,22 @@ sudo make install
 
 ### Grub
 
-Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX`
+Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks addkey`
+Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
 
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
+
+```
+mkdir /boot/fido2luks/
+cp /usr/bin/fido2luks /boot/fido2luks/
+cp /etc/fido2luks.conf /boot/fido2luks/
+```
+
 ## Test
 
 Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
@@ -61,3 +69,32 @@ cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file l
 #There is no turning back if you mess this up, make sure you made a backup
 fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
 ```
+
+## Addtional settings
+
+### Password less
+
+Remove your previous secret as described in the next section, incase you already added one.
+
+Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
+
+Import the new config into env:
+
+```
+set -a
+. /etc/fido2luks.conf
+```
+
+Then add the new secret to each device and update dracut afterwards `dracut -f`
+
+## Removal
+
+Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
+
+```
+set -a
+. fido2luks.conf
+sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
+
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
+```

dracut/96luks-2fa/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+FIDO2LUKS_PASSWORD_HELPER=/usr/bin/systemd-ask-password Please enter second factor for LUKS disk encryption
+

dracut/96luks-2fa/luks-2fa-generator.sh

@@ -1,11 +1,10 @@
 #!/bin/bash
 
-NORMAL_DIR="/tmp//run/systemd/system"
+NORMAL_DIR="/run/systemd/system"
 LUKS_2FA_WANTS="/etc/systemd/system/luks-2fa.target.wants"
 
 CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
 FIDO2LUKS="/usr/bin/fido2luks"
-XXD="/usr/bin/xxd"
 MOUNT=$(command -v mount)
 UMOUNT=$(command -v umount)
 
@@ -33,13 +32,12 @@ generate_service () {
                 printf -- "\n\n[Service]"
                 printf -- "\nType=oneshot"
                 printf -- "\nRemainAfterExit=yes"
+                printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
                 printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
-                printf -- "\nEnvironment=FIDO2LUKS_SALT='%s'" "Ask"
-                printf -- "\nEnvironment=FIDO2LUKS_PASSWORD_HELPER='%s'" "/usr/bin/systemd-ask-password \"Disk 2fa password\""
                 printf -- "\nKeyringMode=%s" "shared"
-		printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text ${CON_MSG}"
+		            printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
 		            printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\""
-		printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text ${CON_MSG}"
+		            printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
                 printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
                 printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
         } > "$sd_service"
@@ -50,7 +48,7 @@ generate_service () {
                 printf -- "\nConditionPathExists=!/dev/mapper/luks-%s" "$target_uuid"
         } > "${sd_dir}/${crypto_target_service}.d/drop-in.conf"
 
-       # ln -sf "$sd_service" "${LUKS_2FA_WANTS}/"
+        ln -sf "$sd_service" "${LUKS_2FA_WANTS}/"
 }
 
 parse_cmdline () {
@@ -81,5 +79,4 @@ generate_from_cmdline () {
         done
 }
 
-#generate_from_cmdline
-generate_service CRED UUID $timeout
+generate_from_cmdline

dracut/96luks-2fa/module-setup.sh

@@ -18,6 +18,7 @@ depends () {
 install () {
         inst "$moddir/luks-2fa-generator.sh" "/etc/systemd/system-generators/luks-2fa-generator.sh"
         inst_simple "/usr/bin/fido2luks" "/usr/bin/fido2luks"
+        inst_simple "/etc/fido2luks.conf" "/etc/fido2luks.conf"
         inst "$systemdutildir/systemd-cryptsetup"
         mkdir -p "$initdir/luks-2fa"
 

dracut/Makefile

@@ -15,6 +15,7 @@ help:
 install:
 	cp ${MODULE_CONF_D}/${MODULE_CONF} ${DRACUT_CONF_D}/
 	cp -r ${MODULE_DIR} ${DRACUT_MODULES_D}/
+	cp ${MODULE_DIR}/fido2luks.conf /etc/fido2luks.conf
 	dracut -fv
 clean:
 	rm ${DRACUT_CONF_D}/${MODULE_CONF}

src/cli.rs

@@ -8,11 +8,15 @@ use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
 use libcryptsetup_sys::crypt_keyslot_info;
 use structopt::StructOpt;
 
-use std::fs::File;
-use std::io::{Read, Write};
+use std::io::Write;
 use std::process::exit;
 
-pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> Fido2LuksResult<u8> {
+pub fn add_key_to_luks(
+    device: PathBuf,
+    secret: &[u8; 32],
+    old_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
+    exclusive: bool,
+) -> Fido2LuksResult<u8> {
     fn offer_format(
         _dev: CryptDeviceOpenBuilder,
     ) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
@@ -21,20 +25,7 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> F
     let dev =
         || -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
 
-    let prev_key_info = rpassword::read_password_from_tty(Some(
-        "Please enter your current password or path to a keyfile in order to add a new key: ",
-    ))?;
-
-    let prev_key = match prev_key_info.as_ref() {
-        "" => None,
-        keyfile if PathBuf::from(keyfile).exists() => {
-            let mut f = File::open(keyfile)?;
-            let mut key = Vec::new();
-            f.read_to_end(&mut key)?;
-            Some(key)
-        }
-        password => Some(Vec::from(password.as_bytes())),
-    };
+    let prev_key = old_secret()?;
 
     let mut handle = match dev()?.luks1() {
         Ok(handle) => handle,
@@ -47,7 +38,7 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> F
         err => err?,
     };
     handle.set_iteration_time(50);
-    let slot = handle.add_keyslot(secret, prev_key.as_ref().map(|b| b.as_slice()), None)?;
+    let slot = handle.add_keyslot(secret, Some(prev_key.as_slice()), None)?;
     if exclusive {
         for old_slot in 0..8u8 {
             if old_slot != slot
@@ -62,8 +53,21 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32], exclusive: bool) -> F
     Ok(slot)
 }
 
-pub fn authenticator_connected() -> Fido2LuksResult<bool> {
-    Ok(!device::get_devices()?.is_empty())
+pub fn add_password_to_luks(
+    device: PathBuf,
+    secret: &[u8; 32],
+    new_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
+    add_password: bool,
+) -> Fido2LuksResult<u8> {
+    let dev = luks::open(&device.canonicalize()?)?;
+    let mut handle = dev.luks1()?;
+    let prev_slot = if add_password {
+        Some(handle.add_keyslot(&secret[..], Some(&secret[..]), None)?)
+    } else {
+        None
+    };
+    let slot = handle.update_keyslot(&new_secret()?[..], &secret[..], prev_slot)?;
+    Ok(slot)
 }
 
 #[derive(Debug, StructOpt)]
@@ -80,14 +84,24 @@ pub struct SecretGeneration {
     /// FIDO credential id, generate using fido2luks credential
     #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
     pub credential_id: String,
-    /// Salt for secret generation, defaults to Password
-    #[structopt(name = "salt", env = "FIDO2LUKS_SALT", default_value = "Ask")]
+    /// Salt for secret generation, defaults to 'ask'
+    ///
+    /// Options:{n}
+    ///  - ask              : Promt user using password helper{n}
+    ///  - file:<PATH>      : Will read <FILE>{n}
+    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
+    #[structopt(
+        name = "salt",
+        long = "salt",
+        env = "FIDO2LUKS_SALT",
+        default_value = "ask"
+    )]
     pub salt: InputSalt,
     /// Script used to obtain passwords, overridden by --interactive flag
     #[structopt(
         name = "password-helper",
         env = "FIDO2LUKS_PASSWORD_HELPER",
-        default_value = "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
     )]
     pub password_helper: PasswordHelper,
 }
@@ -128,6 +142,24 @@ pub enum Command {
         /// Will wipe all other keys
         #[structopt(short = "e", long = "exclusive")]
         exclusive: bool,
+        /// Use a keyfile instead of a password
+        #[structopt(short = "d", long = "keyfile")]
+        keyfile: Option<PathBuf>,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+
+    /// Replace a previously added key with a password
+    #[structopt(name = "replace-key")]
+    ReplaceKey {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Add the password and keep the key
+        #[structopt(short = "a", long = "add-password")]
+        add_password: bool,
+        /// Use a keyfile instead of a password
+        #[structopt(short = "d", long = "keyfile")]
+        keyfile: Option<PathBuf>,
         #[structopt(flatten)]
         secret_gen: SecretGeneration,
     },
@@ -138,12 +170,18 @@ pub enum Command {
         device: PathBuf,
         #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
         name: String,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
         #[structopt(flatten)]
         secret_gen: SecretGeneration,
     },
     /// Generate a new FIDO credential
     #[structopt(name = "credential")]
-    Credential,
+    Credential {
+        /// Name to be displayed on the authenticator if it has a display
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
+        name: Option<String>,
+    },
     /// Check if an authenticator is connected
     #[structopt(name = "connected")]
     Connected,
@@ -157,8 +195,8 @@ pub fn run_cli() -> Fido2LuksResult<()> {
     let mut stdout = io::stdout();
     let args = parse_cmdline();
     match &args.command {
-        Command::Credential => {
-            let cred = make_credential_id()?;
+        Command::Credential { name } => {
+            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?;
             println!("{}", hex::encode(&cred.id));
             Ok(())
         }
@@ -177,10 +215,22 @@ pub fn run_cli() -> Fido2LuksResult<()> {
         Command::AddKey {
             device,
             exclusive,
+            keyfile,
             ref secret_gen,
         } => {
             let secret = secret_gen.patch(&args).obtain_secret()?;
-            let slot = add_key_to_luks(device.clone(), &secret, *exclusive)?;
+            let slot = add_key_to_luks(
+                device.clone(),
+                &secret,
+                if let Some(keyfile) = keyfile.clone() {
+                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                } else {
+                    Box::new(|| {
+                        util::read_password("Old password", true).map(|p| p.as_bytes().to_vec())
+                    })
+                },
+                *exclusive,
+            )?;
             println!(
                 "Added to key to device {}, slot: {}",
                 device.display(),
@@ -188,13 +238,53 @@ pub fn run_cli() -> Fido2LuksResult<()> {
             );
             Ok(())
         }
+        Command::ReplaceKey {
+            device,
+            add_password,
+            keyfile,
+            ref secret_gen,
+        } => {
+            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let slot = add_password_to_luks(
+                device.clone(),
+                &secret,
+                if let Some(keyfile) = keyfile.clone() {
+                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                } else {
+                    Box::new(|| {
+                        util::read_password("Password to add", true).map(|p| p.as_bytes().to_vec())
+                    })
+                },
+                *add_password,
+            )?;
+            println!(
+                "Added to password to device {}, slot: {}",
+                device.display(),
+                slot
+            );
+            Ok(())
+        }
         Command::Open {
             device,
             name,
+            retries,
             ref secret_gen,
         } => {
+            let mut retries = *retries;
+            loop {
                 let secret = secret_gen.patch(&args).obtain_secret()?;
-            open_container(&device, &name, &secret)
+                match open_container(&device, &name, &secret) {
+                    Err(e) => match e {
+                        Fido2LuksError::WrongSecret if retries > 0 => {
+                            retries -= 1;
+                            eprintln!("{}", e);
+                            continue;
+                        }
+                        e => Err(e)?,
+                    },
+                    res => break res,
+                }
+            }
         }
         Command::Connected => match get_devices() {
             Ok(ref devs) if !devs.is_empty() => {

src/config.rs

@@ -1,7 +1,6 @@
 use crate::error::*;
 use crate::*;
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
+use ring::digest;
 
 use std::fmt;
 use std::fs::File;
@@ -10,11 +9,11 @@ use std::path::PathBuf;
 use std::process::Command;
 use std::str::FromStr;
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq)]
 pub enum InputSalt {
     AskPassword,
+    String(String),
     File { path: PathBuf },
-    Both { path: PathBuf },
 }
 
 impl Default for InputSalt {
@@ -25,10 +24,14 @@ impl Default for InputSalt {
 
 impl From<&str> for InputSalt {
     fn from(s: &str) -> Self {
-        if PathBuf::from(s).exists() && s != "Ask" {
-            InputSalt::File { path: s.into() }
-        } else {
-            InputSalt::AskPassword
+        let mut parts = s.split(":").into_iter();
+        match parts.next() {
+            Some("ask") | Some("Ask") => InputSalt::AskPassword,
+            Some("file") => InputSalt::File {
+                path: parts.collect::<Vec<_>>().join(":").into(),
+            },
+            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            _ => Self::default(),
         }
     }
 }
@@ -45,15 +48,15 @@ impl fmt::Display for InputSalt {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
         f.write_str(&match self {
             InputSalt::AskPassword => "ask".to_string(),
-            InputSalt::File { path } => path.display().to_string(),
-            InputSalt::Both { path } => ["ask", path.display().to_string().as_str()].join(" + "),
+            InputSalt::String(s) => ["string", s].join(":"),
+            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
         })
     }
 }
 
 impl InputSalt {
     pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
-        let mut digest = Sha256::new();
+        let mut digest = digest::Context::new(&digest::SHA256);
         match self {
             InputSalt::File { path } => {
                 let mut do_io = || {
@@ -61,7 +64,7 @@ impl InputSalt {
                     let mut buf = [0u8; 512];
                     loop {
                         let red = reader.read(&mut buf)?;
-                        digest.input(&buf[0..red]);
+                        digest.update(&buf[0..red]);
                         if red == 0 {
                             break;
                         }
@@ -71,15 +74,12 @@ impl InputSalt {
                 do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
             }
             InputSalt::AskPassword => {
-                digest.input(password_helper.obtain()?.as_bytes());
-            }
-            InputSalt::Both { path } => {
-                digest.input(&InputSalt::AskPassword.obtain(password_helper)?);
-                digest.input(&InputSalt::File { path: path.clone() }.obtain(password_helper)?)
+                digest.update(password_helper.obtain()?.as_bytes());
             }
+            InputSalt::String(s) => digest.update(s.as_bytes()),
         }
         let mut salt = [0u8; 32];
-        digest.result(&mut salt);
+        salt.as_mut().copy_from_slice(digest.finish().as_ref());
         Ok(salt)
     }
 }
@@ -94,7 +94,7 @@ pub enum PasswordHelper {
 impl Default for PasswordHelper {
     fn default() -> Self {
         PasswordHelper::Script(
-            "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+            "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
                 .into(),
         )
     }
@@ -132,23 +132,7 @@ impl PasswordHelper {
         use PasswordHelper::*;
         match self {
             Systemd => unimplemented!(),
-            Stdin => Ok(rpassword::read_password_from_tty(Some("Password: "))
-                .map_err(|e| Fido2LuksError::AskPassError {
-                    cause: AskPassError::IO(e),
-                })
-                .and_then(|pass| {
-                    match rpassword::read_password_from_tty(Some("Password again: ")).map_err(|e| {
-                        Fido2LuksError::AskPassError {
-                            cause: AskPassError::IO(e),
-                        }
-                    }) {
-                        Ok(ref pass2) if &pass == pass2 => Ok(pass),
-                        Ok(_) => Err(Fido2LuksError::AskPassError {
-                            cause: error::AskPassError::Mismatch,
-                        }),
-                        e => e,
-                    }
-                })?),
+            Stdin => Ok(util::read_password("Password", true)?),
             Script(password_helper) => {
                 let mut helper_parts = password_helper.split(" ");
 
@@ -164,3 +148,38 @@ impl PasswordHelper {
         }
     }
 }
+
+#[cfg(test)]
+mod test {
+
+    use super::*;
+
+    #[test]
+    fn input_salt_from_str() {
+        assert_eq!(
+            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            InputSalt::File {
+                path: "/tmp/abc".into()
+            }
+        );
+        assert_eq!(
+            "string:abc".parse::<InputSalt>().unwrap(),
+            InputSalt::String("abc".into())
+        );
+        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
+        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
+    }
+
+    #[test]
+    fn input_salt_obtain() {
+        assert_eq!(
+            InputSalt::String("abc".into())
+                .obtain(&PasswordHelper::Stdin)
+                .unwrap(),
+            [
+                186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
+                163, 150, 23, 122, 156, 180, 16, 255, 97, 242, 0, 21, 173
+            ]
+        )
+    }
+}

src/device.rs

@@ -1,16 +1,56 @@
 use crate::error::*;
+use crate::util::sha256;
 
-use ctap;
-use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
-use ctap::{FidoDevice, FidoError, FidoErrorKind};
+use ctap::{
+    self,
+    extensions::hmac::{FidoHmacCredential, HmacExtension},
+    AuthenticatorOptions, FidoDevice, FidoError, FidoErrorKind, PublicKeyCredentialRpEntity,
+    PublicKeyCredentialUserEntity,
+};
 
-pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
+const RP_ID: &'static str = "fido2luks";
+
+fn authenticator_options() -> Option<AuthenticatorOptions> {
+    Some(AuthenticatorOptions {
+        uv: false, //TODO: should get this from config
+        rk: true,
+    })
+}
+
+fn authenticator_rp() -> PublicKeyCredentialRpEntity<'static> {
+    PublicKeyCredentialRpEntity {
+        id: RP_ID,
+        name: None,
+        icon: None,
+    }
+}
+
+fn authenticator_user(name: Option<&str>) -> PublicKeyCredentialUserEntity {
+    PublicKeyCredentialUserEntity {
+        id: &[0u8],
+        name: name.unwrap_or(""),
+        icon: None,
+        display_name: name,
+    }
+}
+
+pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoHmacCredential> {
     let mut errs = Vec::new();
     match get_devices()? {
         ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
         devs => {
             for mut dev in devs.into_iter() {
-                match dev.make_hmac_credential() {
+                match dev
+                    .make_hmac_credential_full(
+                        authenticator_rp(),
+                        authenticator_user(name),
+                        &[0u8; 32],
+                        &[],
+                        authenticator_options(),
+                    )
+                    .map(|cred| cred.into())
+                {
+                    //TODO: make credentials device specific
                     Ok(cred) => {
                         return Ok(cred);
                     }
@@ -27,16 +67,16 @@ pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
 pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
     let cred = FidoHmacCredential {
         id: hex::decode(credential_id).unwrap(),
-        rp_id: "hmac".to_string(),
+        rp_id: RP_ID.to_string(),
     };
     let mut errs = Vec::new();
     match get_devices()? {
         ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
         devs => {
             for mut dev in devs.into_iter() {
-                match dev.hmac_challange(&cred, &salt[..]) {
+                match dev.get_hmac_assertion(&cred, &sha256(&[&salt[..]]), None, None) {
                     Ok(secret) => {
-                        return Ok(secret);
+                        return Ok(secret.0);
                     }
                     Err(e) => {
                         errs.push(e);

src/error.rs

@@ -17,12 +17,25 @@ pub enum Fido2LuksError {
     LuksError { cause: cryptsetup_rs::device::Error },
     #[fail(display = "no authenticator found, please ensure you device is plugged in")]
     IoError { cause: io::Error },
-    #[fail(display = "failed to parse config, please check formatting and contents")]
+    #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
 }
 
+impl Fido2LuksError {
+    pub fn exit_code(&self) -> i32 {
+        use Fido2LuksError::*;
+        match self {
+            AskPassError { .. } | KeyfileError { .. } => 2,
+            AuthenticatorError { .. } => 3,
+            NoAuthenticatorError => 4,
+            WrongSecret => 5,
+            _ => 1,
+        }
+    }
+}
+
 #[derive(Debug, Fail)]
 pub enum AskPassError {
     #[fail(display = "unable to retrieve password: {}", _0)]
@@ -42,7 +55,12 @@ impl From<FidoError> for Fido2LuksError {
 
 impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
     fn from(e: cryptsetup_rs::device::Error) -> Self {
-        LuksError { cause: e }
+        match e {
+            cryptsetup_rs::device::Error::CryptsetupError(error_no) if error_no.0 == 1i32 => {
+                WrongSecret
+            }
+            e => LuksError { cause: e },
+        }
     }
 }
 

src/main.rs

@@ -1,23 +1,22 @@
 #[macro_use]
 extern crate failure;
+extern crate ctap_hmac as ctap;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
 use crate::error::*;
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
 use cryptsetup_rs as luks;
-
 use cryptsetup_rs::Luks1CryptDevice;
-use ctap;
 
-use std::io::{self};
+use std::io;
 use std::path::PathBuf;
+use std::process::exit;
 
 mod cli;
 mod config;
 mod device;
 mod error;
+mod util;
 
 fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
     let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
@@ -26,14 +25,35 @@ fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksR
 }
 
 fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
-    let mut digest = Sha256::new();
-    digest.input(salt);
-    digest.input(hmac_result);
-    let mut secret = [0u8; 32];
-    digest.result(&mut secret);
-    secret
+    util::sha256(&[salt, hmac_result])
 }
 
 fn main() -> Fido2LuksResult<()> {
-    run_cli()
+    match run_cli() {
+        Err(e) => {
+            #[cfg(debug_assertions)]
+            eprintln!("{:?}", e);
+            #[cfg(not(debug_assertions))]
+            eprintln!("{}", e);
+            exit(e.exit_code())
+        }
+        _ => exit(0),
+    }
+}
+
+#[cfg(test)]
+mod test {
+
+    use super::*;
+
+    #[test]
+    fn test_assemble_secret() {
+        assert_eq!(
+            assemble_secret(b"abc", b"def"),
+            [
+                46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
+                33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
+            ]
+        )
+    }
 }

src/util.rs

@@ -0,0 +1,37 @@
+use crate::error::*;
+use ring::digest;
+use std::fs::File;
+use std::io::Read;
+use std::path::PathBuf;
+
+pub fn sha256<'a>(messages: &[&[u8]]) -> [u8; 32] {
+    let mut digest = digest::Context::new(&digest::SHA256);
+    for m in messages.iter() {
+        digest.update(m);
+    }
+    let mut secret = [0u8; 32];
+    secret.as_mut().copy_from_slice(digest.finish().as_ref());
+    secret
+}
+
+pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
+    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
+        ref pass
+            if verify
+                && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
+                    != pass =>
+        {
+            Err(Fido2LuksError::AskPassError {
+                cause: AskPassError::Mismatch,
+            })?
+        }
+        pass => Ok(pass),
+    }
+}
+
+pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
+    let mut file = File::open(path.into())?;
+    let mut key = Vec::new();
+    file.read_to_end(&mut key)?;
+    Ok(key)
+}