update libcryptsetup_rs to 0.4.0

error.rs: typo

.drone.yml

@@ -12,3 +12,23 @@ steps:
    commands:
     - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
     - cargo test
+
+ - name: build
+   image: rust:1.37.0
+   commands:
+    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - cargo install -f --path . --root .
+   when:
+    event: tag
+ - name: publish
+   image: plugins/github-release
+   settings:
+     api_key:
+      from_secret: github_release
+     files:
+      - bin/fido2luks
+     checksum:
+      - md5
+      - sha256
+   when:
+    event: tag    

Cargo.toml

@@ -1,24 +1,33 @@
 [package]
 name = "fido2luks"
-version = "0.1.0"
+version = "0.2.8"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
-[dependencies]
-ctap = { git = "https://github.com/shimunn/ctap.git", branch = "hmac_ext" }
-cryptsetup-rs = "0.2.0"
-hex = "0.3.2"
-rust-crypto = "0.2.36"
-failure = "0.1.5"
-serde_derive = "1.0.100"
-serde = "1.0.100"
-serde_json = "1.0.40"
-keyutils = "0.2.1"
-rpassword = "4.0.1"
-envy = "0.4.0"
+description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
+documentation = "https://github.com/shimunn/fido2luks/blob/master/README.md"
+homepage = "https://github.com/shimunn/fido2luks"
+repository = "https://github.com/shimunn/fido2luks"
+readme = "README.md"
+keywords = ["luks", "fido2", "u2f"]
+categories = ["command-line-utilities"]
+license-file = "LICENSE"
 
+[dependencies]
+ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
+hex = "0.3.2"
+ring = "0.13.5"
+failure = "0.1.5"
+rpassword = "4.0.1"
+structopt = "0.3.2"
+libcryptsetup-rs = "0.4.0"
+serde_json = "1.0.51"
+serde_derive = "1.0.106"
+serde = "1.0.106"
 
 [profile.release]
 lto = true
 opt-level = 'z'
 panic = 'abort'
+incremental = false
+overflow-checks = false

README.md

@@ -1,33 +1,43 @@
-# fido2luks
+# fido2luks [![Crates.io Version](https://img.shields.io/crates/v/fido2luks.svg)](https://crates.io/crates/fido2luks)
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatable key
+This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 
-Note: This has only been tested under Fedora 30 using a Solo Key
+Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
 
 ## Setup
 
-## Device
+### Prerequisites
+
+```
+dnf install clang cargo cryptsetup-devel -y
+```
+
+### Device
 
 ```
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 
-#Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
-CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
+# Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
+sudo -E cargo install -f --path . --root /usr
 
-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> fido2luks.conf
+# Copy template
+cp dracut/96luks-2fa/fido2luks.conf /etc/
+# Name is optional but useful if your authenticator has a display
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential [NAME]) >> /etc/fido2luks.conf
 
+# Load config into env
 set -a
-. fido2luks.conf
+. /etc/fido2luks.conf
 
-#Repeat for each luks volume
-FIDO2LUKS_PASSWORD_HELPER=stdin sudo -E fido2luks addkey /dev/disk/by-uuid/<DISK_UUID>
+# Repeat for each luks volume
+sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
-#Test(only works if the luks container isn't active)
-FIDO2LUKS_PASSWORD_HELPER=stdin sudo -E fido2luks open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
+# Test(only works if the luks container isn't active)
+sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
 
 ```
 
-## Dracut
+### Dracut
 
 ```
 cd dracut
@@ -35,24 +45,61 @@ cd dracut
 sudo make install
 ```
 
-## Grub
+### Grub
 
-Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX`
+Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks addkey`
+Note: This is only required for your root disk, systemd will try to unlock all other LUKS partions using the same key if you added it using `fido2luks add-key`
 
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a rescue system
+
+```
+mkdir /boot/fido2luks/
+cp /usr/bin/fido2luks /boot/fido2luks/
+cp /etc/fido2luks.conf /boot/fido2luks/
+```
+
 ## Test
 
-Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
+Just reboot and see if it works, if that's the case you should remove your old less secure password from your LUKS header:
 
 ```
-#Recommend in case you lose your authenticator, store this backupfile somewhere safe
+# Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
-#Slot should be 0 if you only had one previous password otherwise consult cryptsetup luksDump
-#There is no turning back if you mess this up, make sure you made a backup
-cryptsetup luksKillSlot /dev/disk/by-uuid/<DISK_UUID> <SLOT>
+# There is no turning back if you mess this up, make sure you made a backup
+fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
+```
+
+## Addtional settings
+
+### Password less
+
+Remove your previous secret as described in the next section, in case you've already added one.
+
+Open `/etc/fido2luks.conf` and replace `FIDO2LUKS_SALT=Ask` with `FIDO2LUKS_SALT=string:<YOUR_RANDOM_STRING>`
+but be warned that this password will be included to into your initramfs.
+
+Import the new config into env:
+
+```
+set -a
+. /etc/fido2luks.conf
+```
+
+Then add the new secret to each device and update dracut afterwards `dracut -f`
+
+## Removal
+
+Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
+
+```
+set -a
+. fido2luks.conf
+sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
+
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```

dracut/96luks-2fa/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+FIDO2LUKS_PASSWORD_HELPER=/usr/bin/systemd-ask-password Please enter second factor for LUKS disk encryption
+

dracut/96luks-2fa/luks-2fa-generator.sh

@@ -5,11 +5,11 @@ LUKS_2FA_WANTS="/etc/systemd/system/luks-2fa.target.wants"
 
 CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
 FIDO2LUKS="/usr/bin/fido2luks"
-XXD="/usr/bin/xxd"
 MOUNT=$(command -v mount)
 UMOUNT=$(command -v umount)
 
-TIMEOUT=30
+TIMEOUT=120
+CON_MSG="Please connect your authenticator"
 
 generate_service () {
         local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
@@ -19,28 +19,27 @@ generate_service () {
 
         local crypto_target_service="systemd-cryptsetup@luks\x2d${sd_target_uuid}.service"
         local sd_service="${sd_dir}/luks-2fa@luks\x2d${sd_target_uuid}.service"
+        local fido2luks_args="--bin"
+        if [ ! -z "$timeout" ]; then
+          fido2luks_args="$fido2luks_args --await-dev ${timeout}"
+        fi
         {
                 printf -- "[Unit]"
                 printf -- "\nDescription=%s" "2fa for luks"
                 printf -- "\nBindsTo=%s" "$target_dev"
-                printf -- "\nAfter=%s cryptsetup-pre.target systemd-journald.socket" "$target_dev" #TODO: create service to wait or authenicator
+                printf -- "\nAfter=%s cryptsetup-pre.target systemd-journald.socket" "$target_dev"
                 printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
                 printf -- "\nConflicts=umount.target"
                 printf -- "\nDefaultDependencies=no"
-                printf -- "\nJobTimeoutSec=%s" "$timeout"
-
+                [ ! -z "$timeout" ] && printf -- "\nJobTimeoutSec=%s" "$timeout"
                 printf -- "\n\n[Service]"
                 printf -- "\nType=oneshot"
                 printf -- "\nRemainAfterExit=yes"
-                printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
-                printf -- "\nEnvironment=FIDO2LUKS_SALT='%s'" "Ask"
-                printf -- "\nEnvironment=FIDO2LUKS_PASSWORD_HELPER='%s'" "/usr/bin/systemd-ask-password \"Disk 2fa password\""
+                printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
+                [ ! -z "$credential_id" ] && printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
                 printf -- "\nKeyringMode=%s" "shared"
-                #printf -- "\nExecStart=${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' 'none'" "$keyfile_uuid" "$keyfile_uuid"   #LUKS on USB
-                #printf -- "\nExecStart=${MOUNT} '/dev/mapper/luks-%s' %s" "$keyfile_uuid" "$keyfile_mountpoint"                        #Mount keyfile
-                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret | ${XXD} -r -p - | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
-                #printf -- "\nExecStart=${UMOUNT} '%s'" "$keyfile_mountpoint"
-                #printf -- "\nExecStart=${CRYPTSETUP} detach 'luks-%s'" "$keyfile_uuid"
+		            printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
+                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret $fido2luks_args | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
                 printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
         } > "$sd_service"
 

dracut/96luks-2fa/module-setup.sh

@@ -17,8 +17,8 @@ depends () {
 
 install () {
         inst "$moddir/luks-2fa-generator.sh" "/etc/systemd/system-generators/luks-2fa-generator.sh"
-        inst_simple "/usr/bin/xxd" "/usr/bin/xxd"
         inst_simple "/usr/bin/fido2luks" "/usr/bin/fido2luks"
+        inst_simple "/etc/fido2luks.conf" "/etc/fido2luks.conf"
         inst "$systemdutildir/systemd-cryptsetup"
         mkdir -p "$initdir/luks-2fa"
 

dracut/Makefile

@@ -15,6 +15,7 @@ help:
 install:
 	cp ${MODULE_CONF_D}/${MODULE_CONF} ${DRACUT_CONF_D}/
 	cp -r ${MODULE_DIR} ${DRACUT_MODULES_D}/
+	cp ${MODULE_DIR}/fido2luks.conf /etc/fido2luks.conf
 	dracut -fv
 clean:
 	rm ${DRACUT_CONF_D}/${MODULE_CONF}

src/cli.rs

@@ -1,121 +1,449 @@
 use crate::error::*;
+use crate::luks;
 use crate::*;
 
-use cryptsetup_rs as luks;
-use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
-use cryptsetup_rs::Luks1CryptDevice;
-use ctap;
-use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
-use ctap::FidoDevice;
+use structopt::StructOpt;
 
-use std::fs::File;
-use std::io::{Read, Write};
-use std::path::Path;
+use ctap::{FidoCredential, FidoErrorKind};
+use failure::_core::fmt::{Display, Error, Formatter};
+use failure::_core::str::FromStr;
+use failure::_core::time::Duration;
+use std::io::Write;
+use std::process::exit;
 use std::thread;
-use std::time::Duration;
 
-pub fn setup() -> Fido2LuksResult<()> {
-    while !authenticator_connected()? {
-        eprintln!("Please connect your authenticator");
-        for _ in 0..3 {
-            thread::sleep(Duration::from_secs(1));
-            if authenticator_connected()? {
-                break;
+use crate::util::read_password;
+use std::time::SystemTime;
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct HexEncoded(pub Vec<u8>);
+
+impl Display for HexEncoded {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        f.write_str(&hex::encode(&self.0))
+    }
+}
+
+impl FromStr for HexEncoded {
+    type Err = hex::FromHexError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(HexEncoded(hex::decode(s)?))
+    }
+}
+
+#[derive(Debug, Eq, PartialEq, Clone)]
+pub struct CommaSeparated<T: FromStr + Display>(pub Vec<T>);
+
+impl<T: Display + FromStr> Display for CommaSeparated<T> {
+    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error> {
+        for i in &self.0 {
+            f.write_str(&i.to_string())?;
+            f.write_str(",")?;
+        }
+        Ok(())
+    }
+}
+
+impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
+    type Err = <T as FromStr>::Err;
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(CommaSeparated(
+            s.split(',')
+                .map(|part| <T as FromStr>::from_str(part))
+                .collect::<Result<Vec<_>, _>>()?,
+        ))
+    }
+}
+
+#[derive(Debug, StructOpt)]
+pub struct Args {
+    /// Request passwords via Stdin instead of using the password helper
+    #[structopt(short = "i", long = "interactive")]
+    pub interactive: bool,
+    #[structopt(subcommand)]
+    pub command: Command,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct SecretGeneration {
+    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
+    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
+    pub credential_ids: CommaSeparated<HexEncoded>,
+    /// Salt for secret generation, defaults to 'ask'
+    ///
+    /// Options:{n}
+    ///  - ask              : Prompt user using password helper{n}
+    ///  - file:<PATH>      : Will read <FILE>{n}
+    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
+    #[structopt(
+        name = "salt",
+        long = "salt",
+        env = "FIDO2LUKS_SALT",
+        default_value = "ask"
+    )]
+    pub salt: InputSalt,
+    /// Script used to obtain passwords, overridden by --interactive flag
+    #[structopt(
+        name = "password-helper",
+        env = "FIDO2LUKS_PASSWORD_HELPER",
+        default_value = "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+    )]
+    pub password_helper: PasswordHelper,
+
+    /// Await for an authenticator to be connected, timeout after n seconds
+    #[structopt(
+        long = "await-dev",
+        name = "await-dev",
+        env = "FIDO2LUKS_DEVICE_AWAIT",
+        default_value = "15"
+    )]
+    pub await_authenticator: u64,
+
+    /// Request the password twice to ensure it being correct
+    #[structopt(
+        long = "verify-password",
+        env = "FIDO2LUKS_VERIFY_PASSWORD",
+        hidden = true
+    )]
+    pub verify_password: Option<bool>,
+}
+
+impl SecretGeneration {
+    pub fn patch(&self, args: &Args, verify_password: Option<bool>) -> Self {
+        let mut me = self.clone();
+        if args.interactive {
+            me.password_helper = PasswordHelper::Stdin;
+        }
+        me.verify_password = me.verify_password.or(verify_password);
+        me
+    }
+
+    pub fn obtain_secret(&self, password_query: &str) -> Fido2LuksResult<[u8; 32]> {
+        self.obtain_secret_and_credential(password_query)
+            .map(|(secret, _)| secret)
+    }
+
+    pub fn obtain_secret_and_credential(
+        &self,
+        password_query: &str,
+    ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+        let mut salt = [0u8; 32];
+        match self.password_helper {
+            PasswordHelper::Stdin if !self.verify_password.unwrap_or(true) => {
+                salt.copy_from_slice(&util::sha256(&[&read_password(
+                    password_query,
+                    self.verify_password.unwrap_or(true),
+                )?
+                .as_bytes()[..]]));
+            }
+            _ => {
+                salt = self.salt.obtain(&self.password_helper)?;
             }
         }
-    }
+        let timeout = Duration::from_secs(self.await_authenticator);
+        let start = SystemTime::now();
 
-    let mut config = Config::default();
-
-    let save_config = |c: &Config| {
-        File::create("fido2luks.json")
-            .expect("Failed to save config")
-            .write_all(serde_json::to_string_pretty(c).unwrap().as_bytes())
-            .expect("Failed to save config");
-    };
-
-    fn ask_bool(q: &str) -> bool {
-        ask_str(&format!("{} (y/n)", q)).expect("Failed to read from stdin") == "y"
-    }
-
-    println!("1. Generating a credential");
-    let mut ccred: Option<FidoHmacCredential> = None;
-    for di in ctap::get_devices().expect("Failed to query USB for 2fa devices") {
-        let mut dev = FidoDevice::new(&di).expect("Failed to open 2fa device");
-        match dev.make_hmac_credential() {
-            Ok(cred) => {
-                ccred = Some(cred);
+        while let Ok(el) = start.elapsed() {
+            if el > timeout {
+                return Err(error::Fido2LuksError::NoAuthenticatorError);
+            }
+            if get_devices()
+                .map(|devices| !devices.is_empty())
+                .unwrap_or(false)
+            {
                 break;
             }
-            Err(_e) => println!("Failed to to obtain credential trying next device(if applicable)"),
+            thread::sleep(Duration::from_millis(500));
         }
+        let credentials = &self
+            .credential_ids
+            .0
+            .iter()
+            .map(|HexEncoded(id)| FidoCredential {
+                id: id.to_vec(),
+                public_key: None,
+            })
+            .collect::<Vec<_>>();
+        let credentials = credentials.iter().collect::<Vec<_>>();
+        let (secret, credential) =
+            perform_challenge(&credentials[..], &salt, timeout - start.elapsed().unwrap())?;
+        Ok((assemble_secret(&secret, &salt), credential.clone()))
     }
-    config.credential_id = hex::encode(ccred.expect("No credential could be obtained").id);
-    save_config(&config);
-
-    loop {
-        let device = ask_str("Path to your luks device: ").expect("Failed to read from stdin");;
-        if Path::new(&device).exists()
-            || ask_bool(&format!("{} does not exist, save anyway?", device))
-        {
-            config.device = device.into();
-            break;
-        }
-    }
-
-    save_config(&config);
-
-    config.mapper_name = ask_str("Name for decrypted disk: ").expect("Failed to read from stdin");;
-
-    save_config(&config);
-
-    println!("Config saved to: fido2luks.json");
-
-    //let slot = add_key_to_luks(&config).expect("Failed to add key to device");
-
-    //println!("Added key to slot: {}", slot);
-
-    Ok(())
 }
 
-pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32]) -> Fido2LuksResult<u8> {
-    fn offer_format(
-        _dev: CryptDeviceOpenBuilder,
-    ) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
-        unimplemented!()
-    }
-    let dev =
-        || -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
+#[derive(Debug, StructOpt, Clone)]
+pub struct LuksSettings {
+    /// Number of milliseconds required to derive the volume decryption key
+    /// Defaults to 10ms when using an authenticator or the default by cryptsetup when using a password
+    #[structopt(long = "kdf-time", name = "kdf-time")]
+    kdf_time: Option<u64>,
+}
 
-    let prev_key_info = rpassword::read_password_from_tty(Some(
-        "Please enter your current password or path to a keyfile in order to add a new key: ",
-    ))?;
+#[derive(Debug, StructOpt, Clone)]
+pub struct OtherSecret {
+    /// Use a keyfile instead of a password
+    #[structopt(short = "d", long = "keyfile", conflicts_with = "fido_device")]
+    keyfile: Option<PathBuf>,
+    /// Use another fido device instead of a password
+    /// Note: this requires for the credential fot the other device to be passed as argument as well
+    #[structopt(short = "f", long = "fido-device", conflicts_with = "keyfile")]
+    fido_device: bool,
+}
 
-    let prev_key = match prev_key_info.as_ref() {
-        "" => None,
-        keyfile if PathBuf::from(keyfile).exists() => {
-            let mut f = File::open(keyfile)?;
-            let mut key = Vec::new();
-            f.read_to_end(&mut key)?;
-            Some(key)
+impl OtherSecret {
+    pub fn obtain(
+        &self,
+        secret_gen: &SecretGeneration,
+        verify_password: bool,
+        password_question: &str,
+    ) -> Fido2LuksResult<Vec<u8>> {
+        match &self.keyfile {
+            Some(keyfile) => util::read_keyfile(keyfile.clone()),
+            None if self.fido_device => {
+                Ok(Vec::from(&secret_gen.obtain_secret(password_question)?[..]))
+            }
+            None => util::read_password(password_question, verify_password)
+                .map(|p| p.as_bytes().to_vec()),
         }
-        password => Some(Vec::from(password.as_bytes())),
-    };
-
-    let mut handle = match dev()?.luks1() {
-        Ok(handle) => handle,
-        Err(luks::device::Error::BlkidError(_)) => offer_format(dev()?)?,
-        Err(luks::device::Error::CryptsetupError(errno)) => {
-            //if i32::from(errno) == 555
-            dbg!(errno);
-            offer_format(dev()?)?
-        } //TODO: find correct errorno and offer to format as luks
-        err => err?,
-    };
-    let slot = handle.add_keyslot(secret, prev_key.as_ref().map(|b| b.as_slice()), None)?;
-    Ok(slot)
+    }
 }
 
-pub fn authenticator_connected() -> Fido2LuksResult<bool> {
-    Ok(!device::get_devices()?.is_empty())
+#[derive(Debug, StructOpt)]
+pub enum Command {
+    #[structopt(name = "print-secret")]
+    PrintSecret {
+        /// Prints the secret as binary instead of hex encoded
+        #[structopt(short = "b", long = "bin")]
+        binary: bool,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+    /// Adds a generated key to the specified LUKS device
+    #[structopt(name = "add-key")]
+    AddKey {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Will wipe all other keys
+        #[structopt(short = "e", long = "exclusive")]
+        exclusive: bool,
+        /// Will add an token to your LUKS 2 header, including the credential id
+        #[structopt(short = "t", long = "token")]
+        token: bool,
+        #[structopt(flatten)]
+        existing_secret: OtherSecret,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+        #[structopt(flatten)]
+        luks_settings: LuksSettings,
+    },
+    /// Replace a previously added key with a password
+    #[structopt(name = "replace-key")]
+    ReplaceKey {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Add the password and keep the key
+        #[structopt(short = "a", long = "add-password")]
+        add_password: bool,
+        // /// Will add an token to your LUKS 2 header, including the credential id
+        // #[structopt(short = "t", long = "token")]
+        //  token: bool,
+        #[structopt(flatten)]
+        replacement: OtherSecret,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+        #[structopt(flatten)]
+        luks_settings: LuksSettings,
+    },
+    /// Open the LUKS device
+    #[structopt(name = "open")]
+    Open {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(short = "r", long = "max-retries", default_value = "0")]
+        retries: i32,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+    /// Open the LUKS device using information embedded into the LUKS 2 header
+    #[structopt(name = "open-token")]
+    OpenToken {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        salt: String,
+    },
+    /// Generate a new FIDO credential
+    #[structopt(name = "credential")]
+    Credential {
+        /// Name to be displayed on the authenticator if it has a display
+        #[structopt(env = "FIDO2LUKS_CREDENTIAL_NAME")]
+        name: Option<String>,
+    },
+    /// Check if an authenticator is connected
+    #[structopt(name = "connected")]
+    Connected,
+}
+
+pub fn parse_cmdline() -> Args {
+    Args::from_args()
+}
+
+pub fn run_cli() -> Fido2LuksResult<()> {
+    let mut stdout = io::stdout();
+    let args = parse_cmdline();
+    match &args.command {
+        Command::Credential { name } => {
+            let cred = make_credential_id(name.as_ref().map(|n| n.as_ref()))?;
+            println!("{}", hex::encode(&cred.id));
+            Ok(())
+        }
+        Command::PrintSecret {
+            binary,
+            ref secret_gen,
+        } => {
+            let secret = secret_gen
+                .patch(&args, Some(false))
+                .obtain_secret("Password")?;
+            if *binary {
+                stdout.write_all(&secret[..])?;
+            } else {
+                stdout.write_all(hex::encode(&secret[..]).as_bytes())?;
+            }
+            Ok(stdout.flush()?)
+        }
+        Command::AddKey {
+            device,
+            exclusive,
+            token,
+            existing_secret,
+            ref secret_gen,
+            luks_settings,
+        } => {
+            let secret_gen = secret_gen.patch(&args, None);
+            let old_secret = existing_secret.obtain(&secret_gen, false, "Existing password")?;
+            let (secret, credential) = secret_gen.obtain_secret_and_credential("Password")?;
+            let added_slot = luks::add_key(
+                device.clone(),
+                &secret,
+                &old_secret[..],
+                luks_settings.kdf_time.or(Some(10)),
+                Some(&credential.id[..]).filter(|_| *token),
+            )?;
+            if *exclusive {
+                let destroyed = luks::remove_keyslots(&device, &[added_slot])?;
+                println!(
+                    "Added to key to device {}, slot: {}\nRemoved {} old keys",
+                    device.display(),
+                    added_slot,
+                    destroyed
+                );
+            } else {
+                println!(
+                    "Added to key to device {}, slot: {}",
+                    device.display(),
+                    added_slot
+                );
+            }
+            Ok(())
+        }
+        Command::ReplaceKey {
+            device,
+            add_password,
+            //token,
+            replacement,
+            ref secret_gen,
+            luks_settings,
+        } => {
+            let secret_gen = secret_gen.patch(&args, Some(false));
+            let secret = secret_gen.obtain_secret("Password")?;
+            let new_secret = replacement.obtain(&secret_gen, true, "Replacement password")?;
+            let slot = if *add_password {
+                luks::add_key(
+                    device,
+                    &new_secret[..],
+                    &secret,
+                    luks_settings.kdf_time,
+                    None,
+                )
+            } else {
+                luks::replace_key(
+                    device,
+                    &new_secret[..],
+                    &secret,
+                    luks_settings.kdf_time,
+                    None,
+                )
+            }?;
+            println!(
+                "Added to password to device {}, slot: {}",
+                device.display(),
+                slot
+            );
+            Ok(())
+        }
+        Command::Open {
+            device,
+            name,
+            retries,
+            ref secret_gen,
+        } => {
+            let mut retries = *retries;
+            loop {
+                match secret_gen
+                    .patch(&args, Some(false))
+                    .obtain_secret("Password")
+                    .and_then(|secret| luks::open_container(&device, &name, &secret))
+                {
+                    Err(e) => {
+                        match e {
+                            Fido2LuksError::WrongSecret if retries > 0 => {}
+                            Fido2LuksError::AuthenticatorError { ref cause }
+                                if cause.kind() == FidoErrorKind::Timeout && retries > 0 => {}
+
+                            e => return Err(e),
+                        }
+                        retries -= 1;
+                        eprintln!("{}", e);
+                    }
+                    res => break res,
+                }
+            }
+        }
+        // TODO: utilise salt
+        Command::OpenToken {
+            device,
+            name,
+            salt: _,
+        } => luks::open_container_token(
+            device,
+            &name[..],
+            Box::new(|creds| {
+                let (secret, cred) = SecretGeneration {
+                    credential_ids: CommaSeparated(
+                        creds
+                            .iter()
+                            .map(|c| HexEncoded::from_str(&c[..]).unwrap())
+                            .collect(),
+                    ),
+                    salt: InputSalt::String("".into()),
+                    password_helper: Default::default(),
+                    await_authenticator: 100,
+                    verify_password: None,
+                }
+                .obtain_secret_and_credential("Password")?;
+                Ok((secret, hex::encode(cred.id)))
+            }),
+        ),
+        Command::Connected => match get_devices() {
+            Ok(ref devs) if !devs.is_empty() => {
+                println!("Found {} devices", devs.len());
+                Ok(())
+            }
+            _ => exit(1),
+        },
+    }
 }

src/config.rs

@@ -1,94 +1,19 @@
 use crate::error::*;
 use crate::*;
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
+use ring::digest;
 
-use serde_derive::{Deserialize, Serialize};
-use std::collections::HashMap;
-use std::convert::TryInto;
-use std::env;
+use std::fmt;
 use std::fs::File;
 use std::io::Read;
-use std::path::{Path, PathBuf};
+use std::path::PathBuf;
 use std::process::Command;
+use std::str::FromStr;
 
-#[derive(Debug, Deserialize, Serialize)]
-pub struct EnvConfig {
-    pub credential_id: String,
-    pub device: Option<String>,
-    pub salt: String,
-    pub mapper_name: Option<String>,
-    pub password_helper: String,
-}
-
-impl TryInto<Config> for EnvConfig {
-    type Error = Fido2LuksError;
-
-    fn try_into(self) -> Fido2LuksResult<Config> {
-        Ok(Config {
-            credential_id: self.credential_id,
-            device: self
-                .device
-                .ok_or(Fido2LuksError::ConfigurationError {
-                    cause: ConfigurationError::MissingField("DEVICE".into()),
-                })?
-                .into(),
-            mapper_name: self.mapper_name.ok_or(Fido2LuksError::ConfigurationError {
-                cause: ConfigurationError::MissingField("DEVICE_MAPPER".into()),
-            })?,
-            password_helper: PasswordHelper::Script(self.password_helper),
-            input_salt: self.salt.as_str().into(),
-        })
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct Config {
-    pub credential_id: String,
-    pub input_salt: InputSalt,
-    pub device: PathBuf,
-    pub mapper_name: String,
-    pub password_helper: PasswordHelper,
-}
-
-impl Config {
-    pub fn load_default_location() -> Fido2LuksResult<Config> {
-        Self::load_config(
-            &mut File::open(
-                env::vars()
-                    .collect::<HashMap<_, _>>()
-                    .get("FIDO2LUKS_CONFIG")
-                    .unwrap_or(&"/etc/fido2luks.json".to_owned()),
-            )
-            .or(File::open("fido2luks.json"))?,
-        )
-    }
-
-    pub fn load_config(reader: &mut dyn Read) -> Fido2LuksResult<Config> {
-        let mut conf_str = String::new();
-        reader.read_to_string(&mut conf_str)?;
-
-        Ok(serde_json::from_str(&conf_str)?)
-    }
-}
-
-impl Default for Config {
-    fn default() -> Self {
-        Config {
-            credential_id: "<required>".into(),
-            input_salt: Default::default(),
-            device: "/dev/some-vg/<volume>".into(),
-            mapper_name: "2fa-secured-luks".into(),
-            password_helper: PasswordHelper::default(),
-        }
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Debug, Clone, PartialEq)]
 pub enum InputSalt {
     AskPassword,
+    String(String),
     File { path: PathBuf },
-    Both { path: PathBuf },
 }
 
 impl Default for InputSalt {
@@ -99,17 +24,39 @@ impl Default for InputSalt {
 
 impl From<&str> for InputSalt {
     fn from(s: &str) -> Self {
-        if PathBuf::from(s).exists() && s != "Ask" {
-            InputSalt::File { path: s.into() }
-        } else {
-            InputSalt::AskPassword
+        let mut parts = s.split(':');
+        match parts.next() {
+            Some("ask") | Some("Ask") => InputSalt::AskPassword,
+            Some("file") => InputSalt::File {
+                path: parts.collect::<Vec<_>>().join(":").into(),
+            },
+            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            _ => Self::default(),
         }
     }
 }
 
+impl FromStr for InputSalt {
+    type Err = Fido2LuksError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(Self::from(s))
+    }
+}
+
+impl fmt::Display for InputSalt {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
+        f.write_str(&match self {
+            InputSalt::AskPassword => "ask".to_string(),
+            InputSalt::String(s) => ["string", s].join(":"),
+            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
+        })
+    }
+}
+
 impl InputSalt {
     pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
-        let mut digest = Sha256::new();
+        let mut digest = digest::Context::new(&digest::SHA256);
         match self {
             InputSalt::File { path } => {
                 let mut do_io = || {
@@ -117,7 +64,7 @@ impl InputSalt {
                     let mut buf = [0u8; 512];
                     loop {
                         let red = reader.read(&mut buf)?;
-                        digest.input(&buf[0..red]);
+                        digest.update(&buf[0..red]);
                         if red == 0 {
                             break;
                         }
@@ -127,29 +74,30 @@ impl InputSalt {
                 do_io().map_err(|cause| Fido2LuksError::KeyfileError { cause })?;
             }
             InputSalt::AskPassword => {
-                digest.input(password_helper.obtain()?.as_bytes());
-            }
-            InputSalt::Both { path } => {
-                digest.input(&InputSalt::AskPassword.obtain(password_helper)?);
-                digest.input(&InputSalt::File { path: path.clone() }.obtain(password_helper)?)
+                digest.update(password_helper.obtain()?.as_bytes());
             }
+            InputSalt::String(s) => digest.update(s.as_bytes()),
         }
         let mut salt = [0u8; 32];
-        digest.result(&mut salt);
+        salt.as_mut().copy_from_slice(digest.finish().as_ref());
         Ok(salt)
     }
 }
 
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Debug, Clone)]
 pub enum PasswordHelper {
     Script(String),
+    #[allow(dead_code)]
     Systemd,
     Stdin,
 }
 
 impl Default for PasswordHelper {
     fn default() -> Self {
-        PasswordHelper::Script("/usr/bin/systemd-ask-password --no-tty 'Please enter second factor for LUKS disk encryption!'".into())
+        PasswordHelper::Script(
+            "/usr/bin/env systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+                .into(),
+        )
     }
 }
 
@@ -162,22 +110,77 @@ impl From<&str> for PasswordHelper {
     }
 }
 
+impl FromStr for PasswordHelper {
+    type Err = Fido2LuksError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(Self::from(s))
+    }
+}
+
+impl fmt::Display for PasswordHelper {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
+        f.write_str(&match self {
+            PasswordHelper::Stdin => "stdin".to_string(),
+            PasswordHelper::Systemd => "systemd".to_string(),
+            PasswordHelper::Script(path) => path.clone(),
+        })
+    }
+}
+
 impl PasswordHelper {
     pub fn obtain(&self) -> Fido2LuksResult<String> {
         use PasswordHelper::*;
         match self {
             Systemd => unimplemented!(),
-            Stdin => Ok(rpassword::read_password_from_tty(Some("Password: "))?),
+            Stdin => Ok(util::read_password("Password", true)?),
             Script(password_helper) => {
-                let mut helper_parts = password_helper.split(" ");
+                let mut helper_parts = password_helper.split(' ');
 
                 let password = Command::new((&mut helper_parts).next().unwrap())
                     .args(helper_parts)
                     .output()
-                    .map_err(|e| Fido2LuksError::AskPassError { cause: e })?
+                    .map_err(|e| Fido2LuksError::AskPassError {
+                        cause: error::AskPassError::IO(e),
+                    })?
                     .stdout;
                 Ok(String::from_utf8(password)?.trim().to_owned())
             }
         }
     }
 }
+
+#[cfg(test)]
+mod test {
+
+    use super::*;
+
+    #[test]
+    fn input_salt_from_str() {
+        assert_eq!(
+            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            InputSalt::File {
+                path: "/tmp/abc".into()
+            }
+        );
+        assert_eq!(
+            "string:abc".parse::<InputSalt>().unwrap(),
+            InputSalt::String("abc".into())
+        );
+        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
+        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
+    }
+
+    #[test]
+    fn input_salt_obtain() {
+        assert_eq!(
+            InputSalt::String("abc".into())
+                .obtain(&PasswordHelper::Stdin)
+                .unwrap(),
+            [
+                186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
+                163, 150, 23, 122, 156, 180, 16, 255, 97, 242, 0, 21, 173
+            ]
+        )
+    }
+}

src/device.rs

@@ -1,51 +1,49 @@
 use crate::error::*;
 
-use ctap;
-use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
-use ctap::{FidoDevice, FidoError, FidoErrorKind};
+use crate::util;
+use ctap::{
+    self, extensions::hmac::HmacExtension, request_multiple_devices, FidoAssertionRequestBuilder,
+    FidoCredential, FidoCredentialRequestBuilder, FidoDevice, FidoError, FidoErrorKind,
+};
+use std::time::Duration;
 
-pub fn make_credential_id() -> Fido2LuksResult<FidoHmacCredential> {
-    let mut errs = Vec::new();
-    match get_devices()? {
-        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
-        devs => {
-            for mut dev in devs.into_iter() {
-                match dev.make_hmac_credential() {
-                    Ok(cred) => {
-                        return Ok(cred);
-                    }
-                    Err(e) => {
-                        errs.push(e);
-                    }
-                }
-            }
-        }
+const RP_ID: &str = "fido2luks";
+
+pub fn make_credential_id(name: Option<&str>) -> Fido2LuksResult<FidoCredential> {
+    let mut request = FidoCredentialRequestBuilder::default().rp_id(RP_ID);
+    if let Some(user_name) = name {
+        request = request.user_name(user_name);
     }
-    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
+    let request = request.build().unwrap();
+    let make_credential = |device: &mut FidoDevice| device.make_hmac_credential(&request);
+    Ok(request_multiple_devices(
+        get_devices()?
+            .iter_mut()
+            .map(|device| (device, &make_credential)),
+        None,
+    )?)
 }
 
-pub fn perform_challenge(credential_id: &str, salt: &[u8; 32]) -> Fido2LuksResult<[u8; 32]> {
-    let cred = FidoHmacCredential {
-        id: hex::decode(credential_id).unwrap(),
-        rp_id: "hmac".to_string(),
+pub fn perform_challenge<'a>(
+    credentials: &'a [&'a FidoCredential],
+    salt: &[u8; 32],
+    timeout: Duration,
+) -> Fido2LuksResult<([u8; 32], &'a FidoCredential)> {
+    let request = FidoAssertionRequestBuilder::default()
+        .rp_id(RP_ID)
+        .credentials(credentials)
+        .build()
+        .unwrap();
+    let get_assertion = |device: &mut FidoDevice| {
+        device.get_hmac_assertion(&request, &util::sha256(&[&salt[..]]), None)
     };
-    let mut errs = Vec::new();
-    match get_devices()? {
-        ref devs if devs.is_empty() => Err(Fido2LuksError::NoAuthenticatorError)?,
-        devs => {
-            for mut dev in devs.into_iter() {
-                match dev.hmac_challange(&cred, &salt[..]) {
-                    Ok(secret) => {
-                        return Ok(secret);
-                    }
-                    Err(e) => {
-                        errs.push(e);
-                    }
-                }
-            }
-        }
-    }
-    Err(errs.pop().ok_or(Fido2LuksError::NoAuthenticatorError)?)?
+    let (credential, (secret, _)) = request_multiple_devices(
+        get_devices()?
+            .iter_mut()
+            .map(|device| (device, &get_assertion)),
+        Some(timeout),
+    )?;
+    Ok((secret, credential))
 }
 
 pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
@@ -54,7 +52,7 @@ pub fn get_devices() -> Fido2LuksResult<Vec<FidoDevice>> {
         match FidoDevice::new(&di) {
             Err(e) => match e.kind() {
                 FidoErrorKind::ParseCtap | FidoErrorKind::DeviceUnsupported => (),
-                err => Err(FidoError::from(err))?,
+                err => return Err(FidoError::from(err).into()),
             },
             Ok(dev) => devices.push(dev),
         }

src/error.rs

@@ -6,48 +6,77 @@ pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
 #[derive(Debug, Fail)]
 pub enum Fido2LuksError {
     #[fail(display = "unable to retrieve password: {}", cause)]
-    AskPassError { cause: io::Error },
+    AskPassError { cause: AskPassError },
     #[fail(display = "unable to read keyfile: {}", cause)]
     KeyfileError { cause: io::Error },
     #[fail(display = "authenticator error: {}", cause)]
     AuthenticatorError { cause: ctap::FidoError },
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+    #[fail(display = "no authenticator found, please ensure your device is plugged in")]
     NoAuthenticatorError,
-    #[fail(display = "luks err")]
-    LuksError { cause: cryptsetup_rs::device::Error },
-    #[fail(display = "no authenticator found, please ensure you device is plugged in")]
+    #[fail(display = " {}", cause)]
+    CryptsetupError {
+        cause: libcryptsetup_rs::LibcryptErr,
+    },
+    #[fail(display = "{}", cause)]
+    LuksError { cause: LuksError },
+    #[fail(display = "{}", cause)]
     IoError { cause: io::Error },
-    #[fail(display = "failed to parse config, please check formatting and contents")]
-    ConfigurationError { cause: ConfigurationError },
-    #[fail(display = "the submitted secret is not applicable to this luks device")]
+    #[fail(display = "supplied secret isn't valid for this device")]
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
 }
 
-#[derive(Debug)]
-pub enum ConfigurationError {
-    Json(serde_json::error::Error),
-    Env(envy::Error),
-    MissingField(String),
-}
-
-impl From<serde_json::error::Error> for Fido2LuksError {
-    fn from(e: serde_json::error::Error) -> Self {
-        Fido2LuksError::ConfigurationError {
-            cause: ConfigurationError::Json(e),
+impl Fido2LuksError {
+    pub fn exit_code(&self) -> i32 {
+        use Fido2LuksError::*;
+        match self {
+            AskPassError { .. } | KeyfileError { .. } => 2,
+            AuthenticatorError { .. } => 3,
+            NoAuthenticatorError => 4,
+            WrongSecret => 5,
+            _ => 1,
         }
     }
 }
 
-impl From<envy::Error> for Fido2LuksError {
-    fn from(e: envy::Error) -> Self {
-        Fido2LuksError::ConfigurationError {
-            cause: ConfigurationError::Env(e),
+#[derive(Debug, Fail)]
+pub enum AskPassError {
+    #[fail(display = "unable to retrieve password: {}", _0)]
+    IO(io::Error),
+    #[fail(display = "provided passwords don't match")]
+    Mismatch,
+}
+
+#[derive(Debug, Fail)]
+pub enum LuksError {
+    #[fail(display = "This feature requires to the LUKS device to be formatted as LUKS 2")]
+    Luks2Required,
+    #[fail(display = "Invalid token: {}", _0)]
+    InvalidToken(String),
+    #[fail(display = "No token found")]
+    NoToken,
+    #[fail(display = "The device already exists")]
+    DeviceExists,
+}
+
+impl LuksError {
+    pub fn activate(e: LibcryptErr) -> Fido2LuksError {
+        match e {
+            LibcryptErr::IOError(ref io) => match io.raw_os_error() {
+                Some(1) if io.kind() == ErrorKind::PermissionDenied => Fido2LuksError::WrongSecret,
+                Some(17) => Fido2LuksError::LuksError {
+                    cause: LuksError::DeviceExists,
+                },
+                _ => return Fido2LuksError::CryptsetupError { cause: e },
+            },
+            _ => Fido2LuksError::CryptsetupError { cause: e },
         }
     }
 }
 
+use libcryptsetup_rs::LibcryptErr;
+use std::io::ErrorKind;
 use std::string::FromUtf8Error;
 use Fido2LuksError::*;
 
@@ -57,12 +86,16 @@ impl From<FidoError> for Fido2LuksError {
     }
 }
 
-impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
-    fn from(e: cryptsetup_rs::device::Error) -> Self {
-        LuksError { cause: e }
+impl From<LibcryptErr> for Fido2LuksError {
+    fn from(e: LibcryptErr) -> Self {
+        match e {
+            LibcryptErr::IOError(e) if e.raw_os_error().iter().any(|code| code == &1i32) => {
+                WrongSecret
+            }
+            _ => CryptsetupError { cause: e },
+        }
     }
 }
-
 impl From<io::Error> for Fido2LuksError {
     fn from(e: io::Error) -> Self {
         IoError { cause: e }

src/keystore.rs

@@ -1,17 +0,0 @@
-use keyutils::Keyring;
-
-fn get_passphrase() -> Vec<u8> {
-    Keyring::request("user")
-        .unwrap()
-        .request_key("fido2luks")
-        .unwrap()
-        .read()
-        .unwrap()
-}
-
-fn add_secret(secret: &[u8]) {
-    Keyring::request("session")
-        .unwrap()
-        .add_key("cryptsetup", secret)
-        .unwrap();
-}

src/luks.rs

@@ -0,0 +1,234 @@
+use crate::error::*;
+
+use libcryptsetup_rs::{
+    CryptActivateFlags, CryptDevice, CryptInit, CryptTokenInfo, EncryptionFormat, KeyslotInfo,
+    TokenInput,
+};
+use std::collections::{HashMap, HashSet};
+use std::path::Path;
+
+fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+    let mut device = CryptInit::init(path.as_ref())?;
+    device.context_handle().load::<()>(None, None)?;
+    Ok(device)
+}
+
+fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
+    match device.format_handle().get_type()? {
+        EncryptionFormat::Luks2 => Ok(()),
+        _ => Err(Fido2LuksError::LuksError {
+            cause: LuksError::Luks2Required,
+        }),
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+struct Fido2LuksToken {
+    #[serde(rename = "type")]
+    type_: String,
+    credential: Vec<String>,
+    keyslots: Vec<String>,
+}
+
+impl Fido2LuksToken {
+    fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
+        Self {
+            type_: "fido2luks\0".into(), // Doubles as c style string
+            credential: vec![hex::encode(credential_id)],
+            keyslots: vec![slot.to_string()],
+        }
+    }
+}
+
+pub fn open_container<P: AsRef<Path>>(path: P, name: &str, secret: &[u8]) -> Fido2LuksResult<()> {
+    let mut device = load_device_handle(path)?;
+    device
+        .activate_handle()
+        .activate_by_passphrase(Some(name), None, secret, CryptActivateFlags::empty())
+        .map(|_slot| ())
+        .map_err(|_e| Fido2LuksError::WrongSecret)
+}
+
+pub fn open_container_token<P: AsRef<Path>>(
+    path: P,
+    name: &str,
+    secret: Box<dyn Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>>,
+) -> Fido2LuksResult<()> {
+    let mut device = load_device_handle(path)?;
+    check_luks2(&mut device)?;
+
+    let mut creds = HashMap::new();
+    for i in 0..256 {
+        let status = device.token_handle().status(i)?;
+        match status {
+            CryptTokenInfo::Inactive => break,
+            CryptTokenInfo::Internal(s)
+            | CryptTokenInfo::InternalUnknown(s)
+            | CryptTokenInfo::ExternalUnknown(s)
+            | CryptTokenInfo::External(s)
+                if &s != "fido2luks" =>
+            {
+                continue
+            }
+            _ => (),
+        };
+        let json = device.token_handle().json_get(i)?;
+        let info: Fido2LuksToken =
+            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
+                cause: LuksError::InvalidToken(json.to_string()),
+            })?;
+        let slots = || {
+            info.keyslots
+                .iter()
+                .filter_map(|slot| slot.parse::<u32>().ok())
+        };
+        for cred in info.credential.iter().cloned() {
+            creds
+                .entry(cred)
+                .or_insert_with(|| slots().collect::<HashSet<u32>>())
+                .extend(slots());
+        }
+    }
+    if creds.is_empty() {
+        return Err(Fido2LuksError::LuksError {
+            cause: LuksError::NoToken,
+        });
+    }
+    let (secret, credential) = secret(creds.keys().cloned().collect())?;
+    let slots = creds.get(&credential).unwrap();
+    let slots = slots
+        .iter()
+        .cloned()
+        .map(Option::Some)
+        .chain(std::iter::once(None).take(slots.is_empty() as usize));
+    for slot in slots {
+        match device
+            .activate_handle()
+            .activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
+            .map(|_slot| ())
+            .map_err(LuksError::activate)
+        {
+            Err(Fido2LuksError::WrongSecret) => (),
+            res => return res,
+        }
+    }
+    Err(Fido2LuksError::WrongSecret)
+}
+
+pub fn add_key<P: AsRef<Path>>(
+    path: P,
+    secret: &[u8],
+    old_secret: &[u8],
+    iteration_time: Option<u64>,
+    credential_id: Option<&[u8]>,
+) -> Fido2LuksResult<u32> {
+    let mut device = load_device_handle(path)?;
+    if let Some(millis) = iteration_time {
+        device.settings_handle().set_iteration_time(millis)
+    }
+    let slot = device
+        .keyslot_handle()
+        .add_by_passphrase(None, old_secret, secret)?;
+    if let Some(id) = credential_id {
+        /*  if let e @ Err(_) = check_luks2(&mut device) {
+            //rollback
+            device.keyslot_handle(Some(slot)).destroy()?;
+            return e.map(|_| 0u32);
+        }*/
+        device.token_handle().json_set(TokenInput::AddToken(
+            &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
+        ))?;
+    }
+
+    Ok(slot)
+}
+
+fn find_token(
+    device: &mut CryptDevice,
+    slot: u32,
+) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
+    for i in 0..256 {
+        let status = device.token_handle().status(i)?;
+        match status {
+            CryptTokenInfo::Inactive => break,
+            CryptTokenInfo::Internal(s)
+            | CryptTokenInfo::InternalUnknown(s)
+            | CryptTokenInfo::ExternalUnknown(s)
+            | CryptTokenInfo::External(s)
+                if &s != "fido2luks" =>
+            {
+                continue
+            }
+            _ => (),
+        };
+        let json = device.token_handle().json_get(i)?;
+        let info: Fido2LuksToken =
+            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
+                cause: LuksError::InvalidToken(json.to_string()),
+            })?;
+        if info.keyslots.contains(&slot.to_string()) {
+            return Ok(Some((i, info)));
+        }
+    }
+    Ok(None)
+}
+
+pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+    let mut device = load_device_handle(path)?;
+    let mut destroyed = 0;
+    let mut tokens = Vec::new();
+    for slot in 0..256 {
+        match device.keyslot_handle().status(slot)? {
+            KeyslotInfo::Inactive => continue,
+            KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
+                if let Ok(_) = check_luks2(&mut device) {
+                    if let Some((token, _)) = dbg!(find_token(&mut device, slot))? {
+                        tokens.push(token);
+                    }
+                }
+                device.keyslot_handle().destroy(slot)?;
+                destroyed += 1;
+            }
+            KeyslotInfo::ActiveLast => break,
+            _ => (),
+        }
+        if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
+            break;
+        }
+    }
+    for token in tokens.iter() {
+        device
+            .token_handle()
+            .json_set(TokenInput::RemoveToken(*token))?;
+    }
+    Ok(destroyed)
+}
+
+pub fn replace_key<P: AsRef<Path>>(
+    path: P,
+    secret: &[u8],
+    old_secret: &[u8],
+    iteration_time: Option<u64>,
+    credential_id: Option<&[u8]>,
+) -> Fido2LuksResult<u32> {
+    let mut device = load_device_handle(path)?;
+    // Set iteration time not sure wether this applies to luks2 as well
+    if let Some(millis) = iteration_time {
+        device.settings_handle().set_iteration_time(millis)
+    }
+    let slot = device
+        .keyslot_handle()
+        .change_by_passphrase(None, None, old_secret, secret)? as u32;
+    if let Some(id) = credential_id {
+        if check_luks2(&mut device).is_ok() {
+            let token = find_token(&mut device, slot)?.map(|(t, _)| t);
+            if let Some(token) = token {
+                device.token_handle().json_set(TokenInput::ReplaceToken(
+                    token,
+                    &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
+                ))?;
+            }
+        }
+    }
+    Ok(slot)
+}

src/main.rs

@@ -1,24 +1,13 @@
 #[macro_use]
 extern crate failure;
+extern crate ctap_hmac as ctap;
+#[macro_use]
 extern crate serde_derive;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
 use crate::error::*;
-use crypto::digest::Digest;
-use crypto::sha2::Sha256;
-use cryptsetup_rs as luks;
-
-use cryptsetup_rs::Luks1CryptDevice;
-use ctap;
-
-use luks::device::Error::CryptsetupError;
-
-use std::collections::HashMap;
-use std::env;
-
-use std::convert::TryInto;
-use std::io::{self, stdout, Write};
+use std::io;
 use std::path::PathBuf;
 use std::process::exit;
 
@@ -26,195 +15,39 @@ mod cli;
 mod config;
 mod device;
 mod error;
-mod keystore;
-
-fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
-    let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
-    let _slot = handle.activate(name, &secret[..])?;
-    Ok(())
-}
+mod luks;
+mod util;
 
 fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
-    let mut digest = Sha256::new();
-    digest.input(salt);
-    digest.input(hmac_result);
-    let mut secret = [0u8; 32];
-    digest.result(&mut secret);
-    secret
+    util::sha256(&[salt, hmac_result])
 }
-fn ask_str(q: &str) -> Fido2LuksResult<String> {
-    let stdin = io::stdin();
-    let mut s = String::new();
-    print!("{}", q);
-    io::stdout().flush()?;
-    stdin.read_line(&mut s)?;
-    Ok(s.trim().to_owned())
-}
-
-fn open(conf: &Config, secret: &[u8; 32]) -> Fido2LuksResult<()> {
-    dbg!(hex::encode(&secret));
-    match open_container(&conf.device, &conf.mapper_name, &secret) {
-        Err(Fido2LuksError::LuksError {
-            cause: CryptsetupError(errno),
-        }) if errno.0 == 1 => Err(Fido2LuksError::WrongSecret)?,
-        e => e?,
-    };
-    Ok(())
-}
-
-/*fn package_self() -> Fido2LuksResult<()> {
-    let conf = Config::load_default_location()?;
-    let binary_path: PathBuf = env::args().next().unwrap().into();
-    let mut me = File::open(binary_path)?;
-
-    me.seek(io::SeekFrom::End(("config".as_bytes().len() * -1) as i64 - 4))?;
-
-    let conf_len = me.read_u32()?;
-
-    let mut buf = vec![0u8; 512];
-
-    me.read(&mut buf[0..6])?;
-
-    if String::from_utf8((&buf[0..6]).iter().collect()).map(|s| &s == "config").unwrap_or(false) {
-
-    }
-
-    Ok(())
-}*/
 
 fn main() -> Fido2LuksResult<()> {
-    let args: Vec<_> = env::args().skip(1).collect();
-    fn config_env() -> Fido2LuksResult<EnvConfig> {
-        Ok(envy::prefixed("FIDO2LUKS_").from_env::<EnvConfig>()?)
-    }
-    fn secret_from_env_config(conf: &EnvConfig) -> Fido2LuksResult<[u8; 32]> {
-        let conf = config_env()?;
-        let salt =
-            InputSalt::from(conf.salt.as_str()).obtain(&conf.password_helper.as_str().into())?;
-        Ok(assemble_secret(
-            &perform_challenge(&conf.credential_id, &salt)?,
-            &salt,
-        ))
-    }
-    match &args.iter().map(|s| s.as_str()).collect::<Vec<_>>()[..] {
-        ["print-secret"] => {
-            let conf = config_env()?;
-            io::stdout().write(hex::encode(&secret_from_env_config(&conf)?[..]).as_bytes())?;
-            Ok(io::stdout().flush()?)
-        }
-        ["open"] => {
-            let mut conf = config_env()?;
-            open_container(
-                &conf
-                    .device
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_DEVICE")
-                    .into(),
-                &conf
-                    .mapper_name
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_MAPPER_NAME"),
-                &secret_from_env_config(&conf)?,
-            )
-        }
-        ["open", device, mapper_name] => {
-            let mut conf = config_env()?;
-            conf.mapper_name = Some(mapper_name.to_string());
-            conf.device = Some(device.to_string());
-            open_container(
-                &conf
-                    .device
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_DEVICE")
-                    .into(),
-                &conf
-                    .mapper_name
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_MAPPER_NAME"),
-                &secret_from_env_config(&conf)?,
-            )
-        }
-        ["credential"] => {
-            let cred = make_credential_id()?;
-            println!("{}", hex::encode(&cred.id));
-            Ok(())
-        }
-        ["addkey", device] => {
-            let mut conf = config_env()?;
-            conf.device = conf.device.or(Some(device.to_string()));
-            let slot = add_key_to_luks(
-                conf.device.as_ref().unwrap().into(),
-                &secret_from_env_config(&conf)?,
-            )?;
-            println!("Added to key to device {}, slot: {}", device, slot);
-            Ok(())
-        }
-        _ => {
-            println!(
-                "Usage:\n
-            fido2luks open <device> [name]\n
-            fido2luks addkey <device>\n\n
-            Environment variables:\n
-            <FIDO2LUKS_CREDENTIAL_ID>\n
-            <FIDO2LUKS_SALT>\n
-            "
-            );
-            Ok(())
+    match run_cli() {
+        Err(e) => {
+            #[cfg(debug_assertions)]
+            eprintln!("{:?}", e);
+            #[cfg(not(debug_assertions))]
+            eprintln!("{}", e);
+            exit(e.exit_code())
         }
+        _ => exit(0),
     }
 }
 
-fn main_old() -> Fido2LuksResult<()> {
-    let args: Vec<_> = env::args().skip(1).collect(); //Ignore program name -> Vec
-    let env = env::vars().collect::<HashMap<_, _>>();
-    let secret = |conf: &Config| -> Fido2LuksResult<[u8; 32]> {
-        let salt = conf.input_salt.obtain(&conf.password_helper)?;
+#[cfg(test)]
+mod test {
 
-        Ok(assemble_secret(
-            &perform_challenge(&conf.credential_id, &salt)?,
-            &salt,
-        ))
-    };
-    if args.is_empty() {
-        let conf = Config::load_default_location()?;
-        if env.contains_key("CRYPTTAB_NAME") {
-            //Indicates that this script is being run as keyscript
-            let mut out = stdout();
-            out.write(&secret(&conf)?)?;
-            Ok(out.flush()?)
-        } else {
-            io::stdout().write(&secret(&conf)?)?;
-            Ok(io::stdout().flush()?)
-        }
-    } else {
-        match args.first().map(|s| s.as_ref()).unwrap() {
-            //"addkey" => add_key_to_luks(&Config::load_default_location()?).map(|_| ()),
-            "setup" => setup(),
-            "open" if args.get(1).map(|a| &*a == "-e").unwrap_or(false) => {
-                let conf = envy::prefixed("FIDO2LUKS_")
-                    .from_env::<EnvConfig>()
-                    .expect("Missing env config values")
-                    .try_into()?;
-                open(&conf, &secret(&conf)?)
-            }
-            "open" => open(
-                &Config::load_default_location()?,
-                &secret(&Config::load_default_location()?)?,
-            ),
-            "connected" => match authenticator_connected()? {
-                false => {
-                    println!("no");
-                    exit(1)
-                }
-                _ => {
-                    println!("yes");
-                    exit(0)
-                }
-            },
-            _ => {
-                eprintln!("Usage: setup | addkey | connected");
-                Ok(())
-            } //"selfcontain" => package_self()
-        }
+    use super::*;
+
+    #[test]
+    fn test_assemble_secret() {
+        assert_eq!(
+            assemble_secret(b"abc", b"def"),
+            [
+                46, 82, 82, 140, 142, 159, 249, 196, 227, 160, 142, 72, 151, 77, 59, 62, 180, 36,
+                33, 47, 241, 94, 17, 232, 133, 103, 247, 32, 152, 253, 43, 19
+            ]
+        )
     }
 }

src/util.rs

@@ -0,0 +1,37 @@
+use crate::error::*;
+use ring::digest;
+use std::fs::File;
+use std::io::Read;
+use std::path::PathBuf;
+
+pub fn sha256(messages: &[&[u8]]) -> [u8; 32] {
+    let mut digest = digest::Context::new(&digest::SHA256);
+    for m in messages.iter() {
+        digest.update(m);
+    }
+    let mut secret = [0u8; 32];
+    secret.as_mut().copy_from_slice(digest.finish().as_ref());
+    secret
+}
+
+pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
+    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
+        ref pass
+            if verify
+                && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
+                    != pass =>
+        {
+            Err(Fido2LuksError::AskPassError {
+                cause: AskPassError::Mismatch,
+            })
+        }
+        pass => Ok(pass),
+    }
+}
+
+pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
+    let mut file = File::open(path.into())?;
+    let mut key = Vec::new();
+    file.read_to_end(&mut key)?;
+    Ok(key)
+}