move config into etc

authenicator already prevents bruteforce, no need to slow down the
unlock process any further

.drone.yml

@@ -12,3 +12,23 @@ steps:
    commands:
     - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
     - cargo test
+
+ - name: build
+   image: rust:1.37.0
+   commands:
+    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - cargo install -f --path . --root .
+   when:
+    event: tag
+ - name: publish
+   image: plugins/github-release
+   settings:
+     api_key:
+      from_secret: github_release
+     files:
+      - bin/fido2luks
+     checksum:
+      - md5
+      - sha256
+   when:
+    event: tag    

Cargo.lock

@@ -1,5 +1,22 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
+[[package]]
+name = "ansi_term"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
+name = "atty"
+version = "0.2.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
+ "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "autocfg"
 version = "0.1.6"
@@ -25,11 +42,6 @@ dependencies = [
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
-[[package]]
-name = "bitflags"
-version = "0.3.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-
 [[package]]
 name = "bitflags"
 version = "1.1.0"
@@ -37,8 +49,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "blkid-rs"
-version = "0.2.0"
+version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
+source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot#09189246eac5b930d13a4e0d78d75157bf07c832"
 dependencies = [
  "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -68,6 +80,20 @@ name = "cfg-if"
 version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "clap"
+version = "2.33.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "atty 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)",
+ "bitflags 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "textwrap 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "unicode-width 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
+ "vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "cloudabi"
 version = "0.0.3"
@@ -79,12 +105,12 @@ dependencies = [
 [[package]]
 name = "cryptsetup-rs"
 version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
+source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot#09189246eac5b930d13a4e0d78d75157bf07c832"
 dependencies = [
- "blkid-rs 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)",
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
- "libcryptsetup-sys 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
  "uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
@@ -106,24 +132,6 @@ dependencies = [
  "untrusted 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
-[[package]]
-name = "envy"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-dependencies = [
- "serde 1.0.100 (registry+https://github.com/rust-lang/crates.io-index)",
-]
-
-[[package]]
-name = "errno"
-version = "0.1.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-dependencies = [
- "kernel32-sys 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
- "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
-]
-
 [[package]]
 name = "errno"
 version = "0.2.4"
@@ -167,17 +175,14 @@ dependencies = [
 name = "fido2luks"
 version = "0.1.0"
 dependencies = [
- "cryptsetup-rs 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "ctap 0.1.0 (git+https://github.com/shimunn/ctap.git?branch=hmac_ext)",
- "envy 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "keyutils 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)",
  "rpassword 4.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "rust-crypto 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
- "serde 1.0.100 (registry+https://github.com/rust-lang/crates.io-index)",
+ "structopt 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "serde_derive 1.0.100 (registry+https://github.com/rust-lang/crates.io-index)",
- "serde_json 1.0.40 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
@@ -190,35 +195,19 @@ name = "gcc"
 version = "0.3.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "heck"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "unicode-segmentation 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "hex"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
-[[package]]
-name = "itoa"
-version = "0.4.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-
-[[package]]
-name = "kernel32-sys"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-dependencies = [
- "winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)",
- "winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
-]
-
-[[package]]
-name = "keyutils"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-dependencies = [
- "bitflags 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
- "errno 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)",
- "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
-]
-
 [[package]]
 name = "lazy_static"
 version = "1.4.0"
@@ -231,8 +220,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "libcryptsetup-sys"
-version = "0.2.0"
+version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
+source = "git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot#09189246eac5b930d13a4e0d78d75157bf07c832"
 dependencies = [
  "libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)",
  "pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -269,6 +258,16 @@ name = "pkg-config"
 version = "0.3.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "proc-macro-error"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "syn 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "0.4.30"
@@ -474,33 +473,29 @@ version = "0.3.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
-name = "ryu"
+name = "strsim"
-version = "1.0.0"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
-name = "serde"
+name = "structopt"
-version = "1.0.100"
+version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-
-[[package]]
-name = "serde_derive"
-version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "clap 2.33.0 (registry+https://github.com/rust-lang/crates.io-index)",
- "quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "structopt-derive 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "syn 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
-name = "serde_json"
+name = "structopt-derive"
-version = "1.0.40"
+version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)",
+ "heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
- "ryu 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "proc-macro-error 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)",
- "serde 1.0.100 (registry+https://github.com/rust-lang/crates.io-index)",
+ "proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
+ "quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "syn 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
@@ -534,6 +529,14 @@ dependencies = [
  "unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "textwrap"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "unicode-width 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "time"
 version = "0.1.42"
@@ -544,6 +547,16 @@ dependencies = [
  "winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "unicode-segmentation"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
+[[package]]
+name = "unicode-width"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+
 [[package]]
 name = "unicode-xid"
 version = "0.1.0"
@@ -569,8 +582,8 @@ dependencies = [
 ]
 
 [[package]]
-name = "winapi"
+name = "vec_map"
-version = "0.2.8"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
@@ -582,11 +595,6 @@ dependencies = [
  "winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
-[[package]]
-name = "winapi-build"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-
 [[package]]
 name = "winapi-i686-pc-windows-gnu"
 version = "0.4.0"
@@ -598,38 +606,37 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [metadata]
+"checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+"checksum atty 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)" = "1803c647a3ec87095e7ae7acfca019e98de5ec9a7d01343f611cf3152ed71a90"
 "checksum autocfg 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "b671c8fb71b457dd4ae18c4ba1e59aa81793daacc361d82fcd410cef0d491875"
 "checksum backtrace 0.3.37 (registry+https://github.com/rust-lang/crates.io-index)" = "5180c5a20655b14a819b652fd2378fa5f1697b6c9ddad3e695c2f9cedf6df4e2"
 "checksum backtrace-sys 0.1.31 (registry+https://github.com/rust-lang/crates.io-index)" = "82a830b4ef2d1124a711c71d263c5abdc710ef8e907bd508c88be475cebc422b"
-"checksum bitflags 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "32866f4d103c4e438b1db1158aa1b1a80ee078e5d77a59a2f906fd62a577389c"
 "checksum bitflags 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3d155346769a6855b86399e9bc3814ab343cd3d62c7e985113d46a0ec3c281fd"
-"checksum blkid-rs 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9bc207ca2ccb5bdf3b3e43be52a4afa0eca780851fb80733d28bd3688bead5c6"
+"checksum blkid-rs 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)" = "<none>"
 "checksum byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "a7c3dd8985a7111efc5c80b44e23ecdd8c007de8ade3b96595387e812b957cf5"
 "checksum cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e083a023562b37c52837e850131a51b1154cceb9d149f41ee3d386737b140f46"
 "checksum cc 1.0.45 (registry+https://github.com/rust-lang/crates.io-index)" = "4fc9a35e1f4290eb9e5fc54ba6cf40671ed2a2514c3eeb2b2a908dda2ea5a1be"
 "checksum cfg-if 0.1.9 (registry+https://github.com/rust-lang/crates.io-index)" = "b486ce3ccf7ffd79fdeb678eac06a9e6c09fc88d33836340becb8fffe87c5e33"
+"checksum clap 2.33.0 (registry+https://github.com/rust-lang/crates.io-index)" = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
 "checksum cloudabi 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f"
-"checksum cryptsetup-rs 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9da293bc97d0ccf0f53e440537dc2dd945eaa79642997685a1c0664062ef0a29"
+"checksum cryptsetup-rs 0.2.0 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)" = "<none>"
 "checksum ctap 0.1.0 (git+https://github.com/shimunn/ctap.git?branch=hmac_ext)" = "<none>"
-"checksum envy 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "261b836bcf13f42a01c70351f56bd7b66db6e6fb58352bd214cb77e9269a34b4"
-"checksum errno 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)" = "1e2b2decb0484e15560df3210cf0d78654bb0864b2c138977c07e377a1bae0e2"
 "checksum errno 0.2.4 (registry+https://github.com/rust-lang/crates.io-index)" = "c2a071601ed01b988f896ab14b95e67335d1eeb50190932a1320f7fe3cadc84e"
 "checksum errno-dragonfly 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "14ca354e36190500e1e1fb267c647932382b54053c50b14970856c0b00a35067"
 "checksum failure 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "795bd83d3abeb9220f257e597aa0080a508b27533824adf336529648f6abf7e2"
 "checksum failure_derive 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "ea1063915fd7ef4309e222a5a07cf9c319fb9c7836b1f89b85458672dbb127e1"
 "checksum fuchsia-cprng 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba"
 "checksum gcc 0.3.55 (registry+https://github.com/rust-lang/crates.io-index)" = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
+"checksum heck 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
 "checksum hex 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77"
-"checksum itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)" = "501266b7edd0174f8530248f87f99c88fbe60ca4ef3dd486835b8d8d53136f7f"
-"checksum kernel32-sys 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d"
-"checksum keyutils 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cbdbe7849bedbbb4f1437a790f6029372d8c400d1ca2d9ead8fb2d3057ccb2cc"
 "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 "checksum libc 0.2.62 (registry+https://github.com/rust-lang/crates.io-index)" = "34fcd2c08d2f832f376f4173a231990fa5aef4e99fb569867318a227ef4c06ba"
-"checksum libcryptsetup-sys 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "321aea95b53514a18b523f544cdb7bc785adec1f0a7e207df611677f9b934ddd"
+"checksum libcryptsetup-sys 0.1.1 (git+https://github.com/shimunn/cryptsetup-rs.git?branch=update_keyslot)" = "<none>"
 "checksum log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)" = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
 "checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
 "checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"
 "checksum pkg-config 0.3.16 (registry+https://github.com/rust-lang/crates.io-index)" = "72d5370d90f49f70bd033c3d75e87fc529fbfff9d6f7cccef07d6170079d91ea"
+"checksum proc-macro-error 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "aeccfe4d5d8ea175d5f0e4a2ad0637e0f4121d63bd99d356fb1f39ab2e7c6097"
 "checksum proc-macro2 0.4.30 (registry+https://github.com/rust-lang/crates.io-index)" = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759"
 "checksum proc-macro2 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e98a83a9f9b331f54b924e68a66acb1bb35cb01fb0a23645139967abefb697e8"
 "checksum quote 0.6.13 (registry+https://github.com/rust-lang/crates.io-index)" = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1"
@@ -653,20 +660,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum rust-crypto 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)" = "f76d05d3993fd5f4af9434e8e436db163a12a9d40e1a58a726f27a01dfd12a2a"
 "checksum rustc-demangle 0.1.16 (registry+https://github.com/rust-lang/crates.io-index)" = "4c691c0e608126e00913e33f0ccf3727d5fc84573623b8d65b2df340b5201783"
 "checksum rustc-serialize 0.3.24 (registry+https://github.com/rust-lang/crates.io-index)" = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
-"checksum ryu 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "c92464b447c0ee8c4fb3824ecc8383b81717b9f1e74ba2e72540aef7b9f82997"
+"checksum strsim 0.8.0 (registry+https://github.com/rust-lang/crates.io-index)" = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
-"checksum serde 1.0.100 (registry+https://github.com/rust-lang/crates.io-index)" = "f4473e8506b213730ff2061073b48fa51dcc66349219e2e7c5608f0296a1d95a"
+"checksum structopt 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "3fe8d3289b63ef2f196d89e7701f986583c0895e764b78f052a55b9b5d34d84a"
-"checksum serde_derive 1.0.100 (registry+https://github.com/rust-lang/crates.io-index)" = "11e410fde43e157d789fc290d26bc940778ad0fdd47836426fbac36573710dbb"
+"checksum structopt-derive 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f3add731f5b4fb85931d362a3c92deb1ad7113649a8d51701fb257673705f122"
-"checksum serde_json 1.0.40 (registry+https://github.com/rust-lang/crates.io-index)" = "051c49229f282f7c6f3813f8286cc1e3323e8051823fce42c7ea80fe13521704"
 "checksum syn 0.15.44 (registry+https://github.com/rust-lang/crates.io-index)" = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5"
 "checksum syn 1.0.5 (registry+https://github.com/rust-lang/crates.io-index)" = "66850e97125af79138385e9b88339cbcd037e3f28ceab8c5ad98e64f0f1f80bf"
 "checksum synstructure 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "02353edf96d6e4dc81aea2d8490a7e9db177bf8acb0e951c24940bf866cb313f"
+"checksum textwrap 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
 "checksum time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)" = "db8dcfca086c1143c9270ac42a2bbd8a7ee477b78ac8e45b19abfb0cbede4b6f"
+"checksum unicode-segmentation 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "1967f4cdfc355b37fd76d2a954fb2ed3871034eb4f26d60537d88795cfc332a9"
+"checksum unicode-width 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)" = "7007dbd421b92cc6e28410fe7362e2e0a2503394908f417b68ec8d1c364c4e20"
 "checksum unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 "checksum unicode-xid 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
 "checksum untrusted 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)" = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"
 "checksum uuid 0.6.5 (registry+https://github.com/rust-lang/crates.io-index)" = "e1436e58182935dcd9ce0add9ea0b558e8a87befe01c1a301e6020aeb0876363"
-"checksum winapi 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "167dc9d6949a9b857f3451275e911c3f44255842c1f7a76f33c55103a909087a"
+"checksum vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
 "checksum winapi 0.3.8 (registry+https://github.com/rust-lang/crates.io-index)" = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
-"checksum winapi-build 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "2d315eee3b34aca4797b2da6b13ed88266e6d612562a0c46390af8299fc699bc"
 "checksum winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 "checksum winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

Cargo.toml

@@ -1,24 +1,24 @@
 [package]
 name = "fido2luks"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
 
 [dependencies]
 ctap = { git = "https://github.com/shimunn/ctap.git", branch = "hmac_ext" }
-cryptsetup-rs = "0.2.0"
+#cryptsetup-rs = "0.2.0"
+cryptsetup-rs = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "update_keyslot" }
+libcryptsetup-sys = { git = "https://github.com/shimunn/cryptsetup-rs.git", branch = "update_keyslot" }
+
 hex = "0.3.2"
 rust-crypto = "0.2.36"
 failure = "0.1.5"
-serde_derive = "1.0.100"
-serde = "1.0.100"
-serde_json = "1.0.40"
-keyutils = "0.2.1"
 rpassword = "4.0.1"
-envy = "0.4.0"
+structopt = "0.3.2"
-
 
 [profile.release]
 lto = true
 opt-level = 'z'
 panic = 'abort'
+incremental = false
+overflow-checks = false

README.md

@@ -1,12 +1,18 @@
 # fido2luks
 
-This will allow you to unlock your luks encrypted disk with an fido2 compatable key
+This will allow you to unlock your luks encrypted disk with an fido2 compatible key
 
 Note: This has only been tested under Fedora 30 using a Solo Key
 
 ## Setup
 
-## Device
+### Prerequisites
+
+```
+dnf install cargo cryptsetup-devel -y
+```
+
+### Device
 
 ```
 git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
@@ -14,20 +20,20 @@ git clone https://github.com/shimunn/fido2luks.git && cd fido2luks
 #Alternativly cargo build --release && sudo cp target/release/fido2luks /usr/bin/
 CARGO_INSTALL_ROOT=/usr sudo -E cargo install -f --path .
 
-echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> fido2luks.conf
+echo FIDO2LUKS_CREDENTIAL_ID=$(fido2luks credential) >> dracut/96luks-2fa/fido2luks.conf
 
 set -a
-. fido2luks.conf
+. dracut/96luks-2fa/fido2luks.conf
 
 #Repeat for each luks volume
-FIDO2LUKS_PASSWORD_HELPER=stdin sudo -E fido2luks addkey /dev/disk/by-uuid/<DISK_UUID>
+sudo -E fido2luks -i add-key /dev/disk/by-uuid/<DISK_UUID>
 
 #Test(only works if the luks container isn't active)
-FIDO2LUKS_PASSWORD_HELPER=stdin sudo -E fido2luks open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
+sudo -E fido2luks -i open /dev/disk/by-uuid/<DISK_UUID> luks-<DISK_UUID>
 
 ```
 
-## Dracut
+### Dracut
 
 ```
 cd dracut
@@ -35,16 +41,24 @@ cd dracut
 sudo make install
 ```
 
-## Grub
+### Grub
 
-Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX`
+Add `rd.luks.2fa=<CREDENTIAL_ID>:<DISK_UUID>` to `GRUB_CMDLINE_LINUX` in /etc/default/grub
 
-Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks addkey`
+Note: This is only required for your root disk, systemd will try to unlock all other luks partions using the same key if you added it using `fido2luks add-key`
 
 ```
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 
+I'd also recommend to copy the executable onto /boot so that it is accessible in case you have to access your disk from a live system
+
+```
+mkdir /boot/fido2luks/
+cp /usr/bin/fido2luks /boot/fido2luks/
+cp /etc/fido2luks.conf /boot/fido2luks/
+```
+
 ## Test
 
 Just reboot and see if it works, if thats the case you should remove your old less secure password from your luks header:
@@ -52,7 +66,18 @@ Just reboot and see if it works, if thats the case you should remove your old le
 ```
 #Recommend in case you lose your authenticator, store this backupfile somewhere safe
 cryptsetup luksHeaderBackup /dev/disk/by-uuid/<DISK_UUID> --header-backup-file luks_backup_<DISK_UUID>
-#Slot should be 0 if you only had one previous password otherwise consult cryptsetup luksDump
 #There is no turning back if you mess this up, make sure you made a backup
-cryptsetup luksKillSlot /dev/disk/by-uuid/<DISK_UUID> <SLOT>
+fido2luks -i add-key --exclusive /dev/disk/by-uuid/<DISK_UUID>
+```
+
+## Removal
+
+Remove `rd.luks.2fa` from `GRUB_CMDLINE_LINUX` in /etc/default/grub
+
+```
+set -a
+. fido2luks.conf
+sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
+
+sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf
 ```

dracut/96luks-2fa/fido2luks.conf

@@ -0,0 +1,3 @@
+FIDO2LUKS_SALT=Ask
+FIDO2LUKS_PASSWORD_HELPER=/usr/bin/systemd-ask-password Please enter second factor for LUKS disk encryption
+

dracut/96luks-2fa/luks-2fa-generator.sh

@@ -5,11 +5,11 @@ LUKS_2FA_WANTS="/etc/systemd/system/luks-2fa.target.wants"
 
 CRYPTSETUP="/usr/lib/systemd/systemd-cryptsetup"
 FIDO2LUKS="/usr/bin/fido2luks"
-XXD="/usr/bin/xxd"
 MOUNT=$(command -v mount)
 UMOUNT=$(command -v umount)
 
-TIMEOUT=30
+TIMEOUT=120
+CON_MSG="Please connect your authenicator"
 
 generate_service () {
         local credential_id=$1 target_uuid=$2 timeout=$3 sd_dir=${4:-$NORMAL_DIR}
@@ -23,7 +23,7 @@ generate_service () {
                 printf -- "[Unit]"
                 printf -- "\nDescription=%s" "2fa for luks"
                 printf -- "\nBindsTo=%s" "$target_dev"
-                printf -- "\nAfter=%s cryptsetup-pre.target systemd-journald.socket" "$target_dev" #TODO: create service to wait or authenicator
+                printf -- "\nAfter=%s cryptsetup-pre.target systemd-journald.socket" "$target_dev"
                 printf -- "\nBefore=%s umount.target luks-2fa.target" "$crypto_target_service"
                 printf -- "\nConflicts=umount.target"
                 printf -- "\nDefaultDependencies=no"
@@ -32,15 +32,13 @@ generate_service () {
                 printf -- "\n\n[Service]"
                 printf -- "\nType=oneshot"
                 printf -- "\nRemainAfterExit=yes"
+                printf -- "\nEnvironmentFile=%s" "/etc/fido2luks.conf"
                 printf -- "\nEnvironment=FIDO2LUKS_CREDENTIAL_ID='%s'" "$credential_id"
-                printf -- "\nEnvironment=FIDO2LUKS_SALT='%s'" "Ask"
-                printf -- "\nEnvironment=FIDO2LUKS_PASSWORD_HELPER='%s'" "/usr/bin/systemd-ask-password \"Disk 2fa password\""
                 printf -- "\nKeyringMode=%s" "shared"
-                #printf -- "\nExecStart=${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' 'none'" "$keyfile_uuid" "$keyfile_uuid"   #LUKS on USB
+		            printf -- "\nExecStartPre=-/usr/bin/plymouth display-message --text \"${CON_MSG}\""
-                #printf -- "\nExecStart=${MOUNT} '/dev/mapper/luks-%s' %s" "$keyfile_uuid" "$keyfile_mountpoint"                        #Mount keyfile
+		            printf -- "\nExecStartPre=-/bin/bash -c \"while ! ${FIDO2LUKS} connected; do /usr/bin/sleep 1; done\""
-                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret | ${XXD} -r -p - | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
+		            printf -- "\nExecStartPre=-/usr/bin/plymouth hide-message --text \"${CON_MSG}\""
-                #printf -- "\nExecStart=${UMOUNT} '%s'" "$keyfile_mountpoint"
+                printf -- "\nExecStart=/bin/bash -c \"${FIDO2LUKS} print-secret --bin | ${CRYPTSETUP} attach 'luks-%s' '/dev/disk/by-uuid/%s' '/dev/stdin'\"" "$target_uuid" "$target_uuid"
-                #printf -- "\nExecStart=${CRYPTSETUP} detach 'luks-%s'" "$keyfile_uuid"
                 printf -- "\nExecStop=${CRYPTSETUP} detach 'luks-%s'" "$target_uuid"
         } > "$sd_service"
 

dracut/96luks-2fa/module-setup.sh

@@ -17,8 +17,8 @@ depends () {
 
 install () {
         inst "$moddir/luks-2fa-generator.sh" "/etc/systemd/system-generators/luks-2fa-generator.sh"
-        inst_simple "/usr/bin/xxd" "/usr/bin/xxd"
         inst_simple "/usr/bin/fido2luks" "/usr/bin/fido2luks"
+        inst_simple "/etc/fido2luks.conf" "/etc/fido2luks.conf"
         inst "$systemdutildir/systemd-cryptsetup"
         mkdir -p "$initdir/luks-2fa"
 

dracut/Makefile

@@ -15,6 +15,7 @@ help:
 install:
 	cp ${MODULE_CONF_D}/${MODULE_CONF} ${DRACUT_CONF_D}/
 	cp -r ${MODULE_DIR} ${DRACUT_MODULES_D}/
+	cp ${MODULE_DIR}/fido2luks.conf /etc/fido2luks.conf
 	dracut -fv
 clean:
 	rm ${DRACUT_CONF_D}/${MODULE_CONF}

src/cli.rs

@@ -3,82 +3,20 @@ use crate::*;
 
 use cryptsetup_rs as luks;
 use cryptsetup_rs::api::{CryptDeviceHandle, CryptDeviceOpenBuilder, Luks1Params};
-use cryptsetup_rs::Luks1CryptDevice;
+use cryptsetup_rs::{CryptDevice, Luks1CryptDevice};
-use ctap;
-use ctap::extensions::hmac::{FidoHmacCredential, HmacExtension};
-use ctap::FidoDevice;
 
-use std::fs::File;
+use libcryptsetup_sys::crypt_keyslot_info;
-use std::io::{Read, Write};
+use structopt::StructOpt;
-use std::path::Path;
-use std::thread;
-use std::time::Duration;
 
-pub fn setup() -> Fido2LuksResult<()> {
+use std::io::Write;
-    while !authenticator_connected()? {
+use std::process::exit;
-        eprintln!("Please connect your authenticator");
-        for _ in 0..3 {
-            thread::sleep(Duration::from_secs(1));
-            if authenticator_connected()? {
-                break;
-            }
-        }
-    }
 
-    let mut config = Config::default();
+pub fn add_key_to_luks(
-
+    device: PathBuf,
-    let save_config = |c: &Config| {
+    secret: &[u8; 32],
-        File::create("fido2luks.json")
+    old_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
-            .expect("Failed to save config")
+    exclusive: bool,
-            .write_all(serde_json::to_string_pretty(c).unwrap().as_bytes())
+) -> Fido2LuksResult<u8> {
-            .expect("Failed to save config");
-    };
-
-    fn ask_bool(q: &str) -> bool {
-        ask_str(&format!("{} (y/n)", q)).expect("Failed to read from stdin") == "y"
-    }
-
-    println!("1. Generating a credential");
-    let mut ccred: Option<FidoHmacCredential> = None;
-    for di in ctap::get_devices().expect("Failed to query USB for 2fa devices") {
-        let mut dev = FidoDevice::new(&di).expect("Failed to open 2fa device");
-        match dev.make_hmac_credential() {
-            Ok(cred) => {
-                ccred = Some(cred);
-                break;
-            }
-            Err(_e) => println!("Failed to to obtain credential trying next device(if applicable)"),
-        }
-    }
-    config.credential_id = hex::encode(ccred.expect("No credential could be obtained").id);
-    save_config(&config);
-
-    loop {
-        let device = ask_str("Path to your luks device: ").expect("Failed to read from stdin");;
-        if Path::new(&device).exists()
-            || ask_bool(&format!("{} does not exist, save anyway?", device))
-        {
-            config.device = device.into();
-            break;
-        }
-    }
-
-    save_config(&config);
-
-    config.mapper_name = ask_str("Name for decrypted disk: ").expect("Failed to read from stdin");;
-
-    save_config(&config);
-
-    println!("Config saved to: fido2luks.json");
-
-    //let slot = add_key_to_luks(&config).expect("Failed to add key to device");
-
-    //println!("Added key to slot: {}", slot);
-
-    Ok(())
-}
-
-pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32]) -> Fido2LuksResult<u8> {
     fn offer_format(
         _dev: CryptDeviceOpenBuilder,
     ) -> Fido2LuksResult<CryptDeviceHandle<Luks1Params>> {
@@ -87,20 +25,7 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32]) -> Fido2LuksResult<u8
     let dev =
         || -> luks::device::Result<CryptDeviceOpenBuilder> { luks::open(&device.canonicalize()?) };
 
-    let prev_key_info = rpassword::read_password_from_tty(Some(
+    let prev_key = old_secret()?;
-        "Please enter your current password or path to a keyfile in order to add a new key: ",
-    ))?;
-
-    let prev_key = match prev_key_info.as_ref() {
-        "" => None,
-        keyfile if PathBuf::from(keyfile).exists() => {
-            let mut f = File::open(keyfile)?;
-            let mut key = Vec::new();
-            f.read_to_end(&mut key)?;
-            Some(key)
-        }
-        password => Some(Vec::from(password.as_bytes())),
-    };
 
     let mut handle = match dev()?.luks1() {
         Ok(handle) => handle,
@@ -112,10 +37,245 @@ pub fn add_key_to_luks(device: PathBuf, secret: &[u8; 32]) -> Fido2LuksResult<u8
         } //TODO: find correct errorno and offer to format as luks
         err => err?,
     };
-    let slot = handle.add_keyslot(secret, prev_key.as_ref().map(|b| b.as_slice()), None)?;
+    handle.set_iteration_time(50);
+    let slot = handle.add_keyslot(secret, Some(prev_key.as_slice()), None)?;
+    if exclusive {
+        for old_slot in 0..8u8 {
+            if old_slot != slot
+                && (handle.keyslot_status(old_slot.into()) == crypt_keyslot_info::CRYPT_SLOT_ACTIVE
+                    || handle.keyslot_status(old_slot.into())
+                        == crypt_keyslot_info::CRYPT_SLOT_ACTIVE_LAST)
+            {
+                handle.destroy_keyslot(old_slot)?;
+            }
+        }
+    }
+    Ok(slot)
+}
+
+pub fn add_password_to_luks(
+    device: PathBuf,
+    secret: &[u8; 32],
+    new_secret: Box<dyn Fn() -> Fido2LuksResult<Vec<u8>>>,
+    add_password: bool,
+) -> Fido2LuksResult<u8> {
+    let dev = luks::open(&device.canonicalize()?)?;
+    let mut handle = dev.luks1()?;
+    let prev_slot = if add_password {
+        Some(handle.add_keyslot(&secret[..], Some(&secret[..]), None)?)
+    } else {
+        None
+    };
+    let slot = handle.update_keyslot(&new_secret()?[..], &secret[..], prev_slot)?;
     Ok(slot)
 }
 
 pub fn authenticator_connected() -> Fido2LuksResult<bool> {
     Ok(!device::get_devices()?.is_empty())
 }
+
+#[derive(Debug, StructOpt)]
+pub struct Args {
+    /// Request passwords via Stdin instead of using the password helper
+    #[structopt(short = "i", long = "interactive")]
+    pub interactive: bool,
+    #[structopt(subcommand)]
+    pub command: Command,
+}
+
+#[derive(Debug, StructOpt, Clone)]
+pub struct SecretGeneration {
+    /// FIDO credential id, generate using fido2luks credential
+    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
+    pub credential_id: String,
+    /// Salt for secret generation, defaults to 'ask'
+    ///
+    /// Options:{n}
+    ///  - ask              : Promt user using password helper{n}
+    ///  - file:<PATH>      : Will read <FILE>{n}
+    ///  - string:<STRING>  : Will use <STRING>, which will be handled like a password provided to the 'ask' option{n}
+    #[structopt(
+        name = "salt",
+        long = "salt",
+        env = "FIDO2LUKS_SALT",
+        default_value = "ask"
+    )]
+    pub salt: InputSalt,
+    /// Script used to obtain passwords, overridden by --interactive flag
+    #[structopt(
+        name = "password-helper",
+        env = "FIDO2LUKS_PASSWORD_HELPER",
+        default_value = "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+    )]
+    pub password_helper: PasswordHelper,
+}
+
+impl SecretGeneration {
+    pub fn patch(&self, args: &Args) -> Self {
+        let mut me = self.clone();
+        if args.interactive {
+            me.password_helper = PasswordHelper::Stdin;
+        }
+        me
+    }
+
+    pub fn obtain_secret(&self) -> Fido2LuksResult<[u8; 32]> {
+        let salt = self.salt.obtain(&self.password_helper)?;
+        Ok(assemble_secret(
+            &perform_challenge(&self.credential_id, &salt)?,
+            &salt,
+        ))
+    }
+}
+
+#[derive(Debug, StructOpt)]
+pub enum Command {
+    #[structopt(name = "print-secret")]
+    PrintSecret {
+        /// Prints the secret as binary instead of hex encoded
+        #[structopt(short = "b", long = "bin")]
+        binary: bool,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+    /// Adds a generated key to the specified LUKS device
+    #[structopt(name = "add-key")]
+    AddKey {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Will wipe all other keys
+        #[structopt(short = "e", long = "exclusive")]
+        exclusive: bool,
+        /// Use a keyfile instead of a password
+        #[structopt(short = "d", long = "keyfile")]
+        keyfile: Option<PathBuf>,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+
+    /// Replace a previously added key with a password
+    #[structopt(name = "replace-key")]
+    ReplaceKey {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        /// Add the password and keep the key
+        #[structopt(short = "a", long = "add-password")]
+        add_password: bool,
+        /// Use a keyfile instead of a password
+        #[structopt(short = "d", long = "keyfile")]
+        keyfile: Option<PathBuf>,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+    /// Open the LUKS device
+    #[structopt(name = "open")]
+    Open {
+        #[structopt(env = "FIDO2LUKS_DEVICE")]
+        device: PathBuf,
+        #[structopt(env = "FIDO2LUKS_MAPPER_NAME")]
+        name: String,
+        #[structopt(flatten)]
+        secret_gen: SecretGeneration,
+    },
+    /// Generate a new FIDO credential
+    #[structopt(name = "credential")]
+    Credential,
+    /// Check if an authenticator is connected
+    #[structopt(name = "connected")]
+    Connected,
+}
+
+pub fn parse_cmdline() -> Args {
+    Args::from_args()
+}
+
+pub fn run_cli() -> Fido2LuksResult<()> {
+    let mut stdout = io::stdout();
+    let args = parse_cmdline();
+    match &args.command {
+        Command::Credential => {
+            let cred = make_credential_id()?;
+            println!("{}", hex::encode(&cred.id));
+            Ok(())
+        }
+        Command::PrintSecret {
+            binary,
+            ref secret_gen,
+        } => {
+            let secret = secret_gen.patch(&args).obtain_secret()?;
+            if *binary {
+                stdout.write(&secret[..])?;
+            } else {
+                stdout.write(hex::encode(&secret[..]).as_bytes())?;
+            }
+            Ok(stdout.flush()?)
+        }
+        Command::AddKey {
+            device,
+            exclusive,
+            keyfile,
+            ref secret_gen,
+        } => {
+            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let slot = add_key_to_luks(
+                device.clone(),
+                &secret,
+                if let Some(keyfile) = keyfile.clone() {
+                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                } else {
+                    Box::new(|| {
+                        util::read_password("Old password", true).map(|p| p.as_bytes().to_vec())
+                    })
+                },
+                *exclusive,
+            )?;
+            println!(
+                "Added to key to device {}, slot: {}",
+                device.display(),
+                slot
+            );
+            Ok(())
+        }
+        Command::ReplaceKey {
+            device,
+            add_password,
+            keyfile,
+            ref secret_gen,
+        } => {
+            let secret = secret_gen.patch(&args).obtain_secret()?;
+            let slot = add_password_to_luks(
+                device.clone(),
+                &secret,
+                if let Some(keyfile) = keyfile.clone() {
+                    Box::new(move || util::read_keyfile(keyfile.clone()))
+                } else {
+                    Box::new(|| {
+                        util::read_password("Password to add", true).map(|p| p.as_bytes().to_vec())
+                    })
+                },
+                *add_password,
+            )?;
+            println!(
+                "Added to password to device {}, slot: {}",
+                device.display(),
+                slot
+            );
+            Ok(())
+        }
+        Command::Open {
+            device,
+            name,
+            ref secret_gen,
+        } => {
+            let secret = secret_gen.patch(&args).obtain_secret()?;
+            open_container(&device, &name, &secret)
+        }
+        Command::Connected => match get_devices() {
+            Ok(ref devs) if !devs.is_empty() => {
+                println!("Found {} devices", devs.len());
+                Ok(())
+            }
+            _ => exit(1),
+        },
+    }
+}

src/config.rs

@@ -3,92 +3,18 @@ use crate::*;
 use crypto::digest::Digest;
 use crypto::sha2::Sha256;
 
-use serde_derive::{Deserialize, Serialize};
+use std::fmt;
-use std::collections::HashMap;
-use std::convert::TryInto;
-use std::env;
 use std::fs::File;
 use std::io::Read;
-use std::path::{Path, PathBuf};
+use std::path::PathBuf;
 use std::process::Command;
+use std::str::FromStr;
 
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Debug, Clone, PartialEq)]
-pub struct EnvConfig {
-    pub credential_id: String,
-    pub device: Option<String>,
-    pub salt: String,
-    pub mapper_name: Option<String>,
-    pub password_helper: String,
-}
-
-impl TryInto<Config> for EnvConfig {
-    type Error = Fido2LuksError;
-
-    fn try_into(self) -> Fido2LuksResult<Config> {
-        Ok(Config {
-            credential_id: self.credential_id,
-            device: self
-                .device
-                .ok_or(Fido2LuksError::ConfigurationError {
-                    cause: ConfigurationError::MissingField("DEVICE".into()),
-                })?
-                .into(),
-            mapper_name: self.mapper_name.ok_or(Fido2LuksError::ConfigurationError {
-                cause: ConfigurationError::MissingField("DEVICE_MAPPER".into()),
-            })?,
-            password_helper: PasswordHelper::Script(self.password_helper),
-            input_salt: self.salt.as_str().into(),
-        })
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct Config {
-    pub credential_id: String,
-    pub input_salt: InputSalt,
-    pub device: PathBuf,
-    pub mapper_name: String,
-    pub password_helper: PasswordHelper,
-}
-
-impl Config {
-    pub fn load_default_location() -> Fido2LuksResult<Config> {
-        Self::load_config(
-            &mut File::open(
-                env::vars()
-                    .collect::<HashMap<_, _>>()
-                    .get("FIDO2LUKS_CONFIG")
-                    .unwrap_or(&"/etc/fido2luks.json".to_owned()),
-            )
-            .or(File::open("fido2luks.json"))?,
-        )
-    }
-
-    pub fn load_config(reader: &mut dyn Read) -> Fido2LuksResult<Config> {
-        let mut conf_str = String::new();
-        reader.read_to_string(&mut conf_str)?;
-
-        Ok(serde_json::from_str(&conf_str)?)
-    }
-}
-
-impl Default for Config {
-    fn default() -> Self {
-        Config {
-            credential_id: "<required>".into(),
-            input_salt: Default::default(),
-            device: "/dev/some-vg/<volume>".into(),
-            mapper_name: "2fa-secured-luks".into(),
-            password_helper: PasswordHelper::default(),
-        }
-    }
-}
-
-#[derive(Debug, Deserialize, Serialize)]
 pub enum InputSalt {
     AskPassword,
+    String(String),
     File { path: PathBuf },
-    Both { path: PathBuf },
 }
 
 impl Default for InputSalt {
@@ -99,14 +25,36 @@ impl Default for InputSalt {
 
 impl From<&str> for InputSalt {
     fn from(s: &str) -> Self {
-        if PathBuf::from(s).exists() && s != "Ask" {
+        let mut parts = s.split(":").into_iter();
-            InputSalt::File { path: s.into() }
+        match parts.next() {
-        } else {
+            Some("ask") | Some("Ask") => InputSalt::AskPassword,
-            InputSalt::AskPassword
+            Some("file") => InputSalt::File {
+                path: parts.collect::<Vec<_>>().join(":").into(),
+            },
+            Some("string") => InputSalt::String(parts.collect::<Vec<_>>().join(":")),
+            _ => Self::default(),
         }
     }
 }
 
+impl FromStr for InputSalt {
+    type Err = Fido2LuksError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(Self::from(s))
+    }
+}
+
+impl fmt::Display for InputSalt {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
+        f.write_str(&match self {
+            InputSalt::AskPassword => "ask".to_string(),
+            InputSalt::String(s) => ["string", s].join(":"),
+            InputSalt::File { path } => ["file", path.display().to_string().as_str()].join(":"),
+        })
+    }
+}
+
 impl InputSalt {
     pub fn obtain(&self, password_helper: &PasswordHelper) -> Fido2LuksResult<[u8; 32]> {
         let mut digest = Sha256::new();
@@ -129,10 +77,7 @@ impl InputSalt {
             InputSalt::AskPassword => {
                 digest.input(password_helper.obtain()?.as_bytes());
             }
-            InputSalt::Both { path } => {
+            InputSalt::String(s) => digest.input(s.as_bytes()),
-                digest.input(&InputSalt::AskPassword.obtain(password_helper)?);
-                digest.input(&InputSalt::File { path: path.clone() }.obtain(password_helper)?)
-            }
         }
         let mut salt = [0u8; 32];
         digest.result(&mut salt);
@@ -140,7 +85,7 @@ impl InputSalt {
     }
 }
 
-#[derive(Debug, Deserialize, Serialize)]
+#[derive(Debug, Clone)]
 pub enum PasswordHelper {
     Script(String),
     Systemd,
@@ -149,7 +94,10 @@ pub enum PasswordHelper {
 
 impl Default for PasswordHelper {
     fn default() -> Self {
-        PasswordHelper::Script("/usr/bin/systemd-ask-password --no-tty 'Please enter second factor for LUKS disk encryption!'".into())
+        PasswordHelper::Script(
+            "/usr/bin/systemd-ask-password 'Please enter second factor for LUKS disk encryption!'"
+                .into(),
+        )
     }
 }
 
@@ -162,22 +110,64 @@ impl From<&str> for PasswordHelper {
     }
 }
 
+impl FromStr for PasswordHelper {
+    type Err = Fido2LuksError;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(Self::from(s))
+    }
+}
+
+impl fmt::Display for PasswordHelper {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> Result<(), fmt::Error> {
+        f.write_str(&match self {
+            PasswordHelper::Stdin => "stdin".to_string(),
+            PasswordHelper::Systemd => "systemd".to_string(),
+            PasswordHelper::Script(path) => path.clone(),
+        })
+    }
+}
+
 impl PasswordHelper {
     pub fn obtain(&self) -> Fido2LuksResult<String> {
         use PasswordHelper::*;
         match self {
             Systemd => unimplemented!(),
-            Stdin => Ok(rpassword::read_password_from_tty(Some("Password: "))?),
+            Stdin => Ok(util::read_password("Password", true)?),
             Script(password_helper) => {
                 let mut helper_parts = password_helper.split(" ");
 
                 let password = Command::new((&mut helper_parts).next().unwrap())
                     .args(helper_parts)
                     .output()
-                    .map_err(|e| Fido2LuksError::AskPassError { cause: e })?
+                    .map_err(|e| Fido2LuksError::AskPassError {
+                        cause: error::AskPassError::IO(e),
+                    })?
                     .stdout;
                 Ok(String::from_utf8(password)?.trim().to_owned())
             }
         }
     }
 }
+
+#[cfg(test)]
+mod test {
+
+    use super::*;
+
+    #[test]
+    fn input_salt_from_str() {
+        assert_eq!(
+            "file:/tmp/abc".parse::<InputSalt>().unwrap(),
+            InputSalt::File {
+                path: "/tmp/abc".into()
+            }
+        );
+        assert_eq!(
+            "string:abc".parse::<InputSalt>().unwrap(),
+            InputSalt::String("abc".into())
+        );
+        assert_eq!("ask".parse::<InputSalt>().unwrap(), InputSalt::AskPassword);
+        assert_eq!("lol".parse::<InputSalt>().unwrap(), InputSalt::default());
+    }
+}

src/error.rs

@@ -6,7 +6,7 @@ pub type Fido2LuksResult<T> = Result<T, Fido2LuksError>;
 #[derive(Debug, Fail)]
 pub enum Fido2LuksError {
     #[fail(display = "unable to retrieve password: {}", cause)]
-    AskPassError { cause: io::Error },
+    AskPassError { cause: AskPassError },
     #[fail(display = "unable to read keyfile: {}", cause)]
     KeyfileError { cause: io::Error },
     #[fail(display = "authenticator error: {}", cause)]
@@ -17,35 +17,18 @@ pub enum Fido2LuksError {
     LuksError { cause: cryptsetup_rs::device::Error },
     #[fail(display = "no authenticator found, please ensure you device is plugged in")]
     IoError { cause: io::Error },
-    #[fail(display = "failed to parse config, please check formatting and contents")]
+    #[fail(display = "supplied secret isn't valid for this device")]
-    ConfigurationError { cause: ConfigurationError },
-    #[fail(display = "the submitted secret is not applicable to this luks device")]
     WrongSecret,
     #[fail(display = "not an utf8 string")]
     StringEncodingError { cause: FromUtf8Error },
 }
 
-#[derive(Debug)]
+#[derive(Debug, Fail)]
-pub enum ConfigurationError {
+pub enum AskPassError {
-    Json(serde_json::error::Error),
+    #[fail(display = "unable to retrieve password: {}", _0)]
-    Env(envy::Error),
+    IO(io::Error),
-    MissingField(String),
+    #[fail(display = "provided passwords don't match")]
-}
+    Mismatch,
-
-impl From<serde_json::error::Error> for Fido2LuksError {
-    fn from(e: serde_json::error::Error) -> Self {
-        Fido2LuksError::ConfigurationError {
-            cause: ConfigurationError::Json(e),
-        }
-    }
-}
-
-impl From<envy::Error> for Fido2LuksError {
-    fn from(e: envy::Error) -> Self {
-        Fido2LuksError::ConfigurationError {
-            cause: ConfigurationError::Env(e),
-        }
-    }
 }
 
 use std::string::FromUtf8Error;
@@ -59,7 +42,12 @@ impl From<FidoError> for Fido2LuksError {
 
 impl From<cryptsetup_rs::device::Error> for Fido2LuksError {
     fn from(e: cryptsetup_rs::device::Error) -> Self {
-        LuksError { cause: e }
+        match e {
+            cryptsetup_rs::device::Error::CryptsetupError(error_no) if error_no.0 == 1i32 => {
+                WrongSecret
+            }
+            e => LuksError { cause: e },
+        }
     }
 }
 

src/keystore.rs

@@ -1,17 +0,0 @@
-use keyutils::Keyring;
-
-fn get_passphrase() -> Vec<u8> {
-    Keyring::request("user")
-        .unwrap()
-        .request_key("fido2luks")
-        .unwrap()
-        .read()
-        .unwrap()
-}
-
-fn add_secret(secret: &[u8]) {
-    Keyring::request("session")
-        .unwrap()
-        .add_key("cryptsetup", secret)
-        .unwrap();
-}

src/main.rs

@@ -1,6 +1,5 @@
 #[macro_use]
 extern crate failure;
-extern crate serde_derive;
 use crate::cli::*;
 use crate::config::*;
 use crate::device::*;
@@ -8,25 +7,16 @@ use crate::error::*;
 use crypto::digest::Digest;
 use crypto::sha2::Sha256;
 use cryptsetup_rs as luks;
-
 use cryptsetup_rs::Luks1CryptDevice;
-use ctap;
 
-use luks::device::Error::CryptsetupError;
+use std::io::{self};
-
-use std::collections::HashMap;
-use std::env;
-
-use std::convert::TryInto;
-use std::io::{self, stdout, Write};
 use std::path::PathBuf;
-use std::process::exit;
 
 mod cli;
 mod config;
 mod device;
 mod error;
-mod keystore;
+mod util;
 
 fn open_container(device: &PathBuf, name: &str, secret: &[u8; 32]) -> Fido2LuksResult<()> {
     let mut handle = luks::open(device.canonicalize()?)?.luks1()?;
@@ -42,179 +32,7 @@ fn assemble_secret(hmac_result: &[u8], salt: &[u8]) -> [u8; 32] {
     digest.result(&mut secret);
     secret
 }
-fn ask_str(q: &str) -> Fido2LuksResult<String> {
-    let stdin = io::stdin();
-    let mut s = String::new();
-    print!("{}", q);
-    io::stdout().flush()?;
-    stdin.read_line(&mut s)?;
-    Ok(s.trim().to_owned())
-}
-
-fn open(conf: &Config, secret: &[u8; 32]) -> Fido2LuksResult<()> {
-    dbg!(hex::encode(&secret));
-    match open_container(&conf.device, &conf.mapper_name, &secret) {
-        Err(Fido2LuksError::LuksError {
-            cause: CryptsetupError(errno),
-        }) if errno.0 == 1 => Err(Fido2LuksError::WrongSecret)?,
-        e => e?,
-    };
-    Ok(())
-}
-
-/*fn package_self() -> Fido2LuksResult<()> {
-    let conf = Config::load_default_location()?;
-    let binary_path: PathBuf = env::args().next().unwrap().into();
-    let mut me = File::open(binary_path)?;
-
-    me.seek(io::SeekFrom::End(("config".as_bytes().len() * -1) as i64 - 4))?;
-
-    let conf_len = me.read_u32()?;
-
-    let mut buf = vec![0u8; 512];
-
-    me.read(&mut buf[0..6])?;
-
-    if String::from_utf8((&buf[0..6]).iter().collect()).map(|s| &s == "config").unwrap_or(false) {
-
-    }
-
-    Ok(())
-}*/
 
 fn main() -> Fido2LuksResult<()> {
-    let args: Vec<_> = env::args().skip(1).collect();
+    run_cli()
-    fn config_env() -> Fido2LuksResult<EnvConfig> {
-        Ok(envy::prefixed("FIDO2LUKS_").from_env::<EnvConfig>()?)
-    }
-    fn secret_from_env_config(conf: &EnvConfig) -> Fido2LuksResult<[u8; 32]> {
-        let conf = config_env()?;
-        let salt =
-            InputSalt::from(conf.salt.as_str()).obtain(&conf.password_helper.as_str().into())?;
-        Ok(assemble_secret(
-            &perform_challenge(&conf.credential_id, &salt)?,
-            &salt,
-        ))
-    }
-    match &args.iter().map(|s| s.as_str()).collect::<Vec<_>>()[..] {
-        ["print-secret"] => {
-            let conf = config_env()?;
-            io::stdout().write(hex::encode(&secret_from_env_config(&conf)?[..]).as_bytes())?;
-            Ok(io::stdout().flush()?)
-        }
-        ["open"] => {
-            let mut conf = config_env()?;
-            open_container(
-                &conf
-                    .device
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_DEVICE")
-                    .into(),
-                &conf
-                    .mapper_name
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_MAPPER_NAME"),
-                &secret_from_env_config(&conf)?,
-            )
-        }
-        ["open", device, mapper_name] => {
-            let mut conf = config_env()?;
-            conf.mapper_name = Some(mapper_name.to_string());
-            conf.device = Some(device.to_string());
-            open_container(
-                &conf
-                    .device
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_DEVICE")
-                    .into(),
-                &conf
-                    .mapper_name
-                    .as_ref()
-                    .expect("please specify FIDO2LUKS_MAPPER_NAME"),
-                &secret_from_env_config(&conf)?,
-            )
-        }
-        ["credential"] => {
-            let cred = make_credential_id()?;
-            println!("{}", hex::encode(&cred.id));
-            Ok(())
-        }
-        ["addkey", device] => {
-            let mut conf = config_env()?;
-            conf.device = conf.device.or(Some(device.to_string()));
-            let slot = add_key_to_luks(
-                conf.device.as_ref().unwrap().into(),
-                &secret_from_env_config(&conf)?,
-            )?;
-            println!("Added to key to device {}, slot: {}", device, slot);
-            Ok(())
-        }
-        _ => {
-            println!(
-                "Usage:\n
-            fido2luks open <device> [name]\n
-            fido2luks addkey <device>\n\n
-            Environment variables:\n
-            <FIDO2LUKS_CREDENTIAL_ID>\n
-            <FIDO2LUKS_SALT>\n
-            "
-            );
-            Ok(())
-        }
-    }
-}
-
-fn main_old() -> Fido2LuksResult<()> {
-    let args: Vec<_> = env::args().skip(1).collect(); //Ignore program name -> Vec
-    let env = env::vars().collect::<HashMap<_, _>>();
-    let secret = |conf: &Config| -> Fido2LuksResult<[u8; 32]> {
-        let salt = conf.input_salt.obtain(&conf.password_helper)?;
-
-        Ok(assemble_secret(
-            &perform_challenge(&conf.credential_id, &salt)?,
-            &salt,
-        ))
-    };
-    if args.is_empty() {
-        let conf = Config::load_default_location()?;
-        if env.contains_key("CRYPTTAB_NAME") {
-            //Indicates that this script is being run as keyscript
-            let mut out = stdout();
-            out.write(&secret(&conf)?)?;
-            Ok(out.flush()?)
-        } else {
-            io::stdout().write(&secret(&conf)?)?;
-            Ok(io::stdout().flush()?)
-        }
-    } else {
-        match args.first().map(|s| s.as_ref()).unwrap() {
-            //"addkey" => add_key_to_luks(&Config::load_default_location()?).map(|_| ()),
-            "setup" => setup(),
-            "open" if args.get(1).map(|a| &*a == "-e").unwrap_or(false) => {
-                let conf = envy::prefixed("FIDO2LUKS_")
-                    .from_env::<EnvConfig>()
-                    .expect("Missing env config values")
-                    .try_into()?;
-                open(&conf, &secret(&conf)?)
-            }
-            "open" => open(
-                &Config::load_default_location()?,
-                &secret(&Config::load_default_location()?)?,
-            ),
-            "connected" => match authenticator_connected()? {
-                false => {
-                    println!("no");
-                    exit(1)
-                }
-                _ => {
-                    println!("yes");
-                    exit(0)
-                }
-            },
-            _ => {
-                eprintln!("Usage: setup | addkey | connected");
-                Ok(())
-            } //"selfcontain" => package_self()
-        }
-    }
 }

src/util.rs

@@ -0,0 +1,26 @@
+use crate::error::*;
+use std::fs::File;
+use std::io::Read;
+use std::path::PathBuf;
+
+pub fn read_password(q: &str, verify: bool) -> Fido2LuksResult<String> {
+    match rpassword::read_password_from_tty(Some(&[q, ": "].join("")))? {
+        ref pass
+            if verify
+                && &rpassword::read_password_from_tty(Some(&[q, "(again): "].join(" ")))?
+                    != pass =>
+        {
+            Err(Fido2LuksError::AskPassError {
+                cause: AskPassError::Mismatch,
+            })?
+        }
+        pass => Ok(pass),
+    }
+}
+
+pub fn read_keyfile<P: Into<PathBuf>>(path: P) -> Fido2LuksResult<Vec<u8>> {
+    let mut file = File::open(path.into())?;
+    let mut key = Vec::new();
+    file.read_to_end(&mut key)?;
+    Ok(key)
+}