protect fido2luks.conf from being overwritten

get plymouth to display a message
relicense to MPL
2020-08-11 23:08:12 +02:00 · 2020-08-11 22:41:21 +02:00 · 2020-07-27 09:22:02 +02:00 · 2020-07-26 21:11:03 +02:00 · 2020-07-04 21:32:21 +02:00 · 2020-07-03 16:21:35 +02:00
14 changed files with 1456 additions and 1084 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -3,32 +3,27 @@ name: default
 steps:
 - name: fmt
-   image: rust:1.37.0
+   image: rust:1.43.0
   commands:
     -  rustup component add rustfmt
     -  cargo fmt --all -- --check
 - name: test
-   image: rust:1.37.0
+   image: rust:1.43.0
   commands:
-    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
    - cargo test
 - name: build
   image: rust:1.37.0
   commands:
    - apt update && apt install -y libcryptsetup-dev libkeyutils-dev
    - cargo install -f --path . --root .
   when:
    event: tag
 - name: publish
-   image: plugins/github-release
+   image: rust:1.43.0
-   settings:
+   environment:
-     api_key:
+    CARGO_REGISTRY_TOKEN:
-      from_secret: github_release
+     from_secret: cargo_tkn
-     files:
+   commands:
-      - bin/fido2luks
+    - grep -E 'version ?= ?"${DRONE_TAG}"' -i Cargo.toml || (printf "incorrect crate/tag version" && exit 1)
-     checksum:
+    - apt update && apt install -y libkeyutils-dev libclang-dev clang pkg-config  
-      - md5
+    - echo 'deb http://http.us.debian.org/debian unstable main non-free contrib' >> /etc/apt/sources.list.d/unstable.list && apt update && apt install -y libcryptsetup-dev
-      - sha256
+    - cargo package --all-features
    - cargo publish --all-features
   when:
    event: tag
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1,10 +1,25 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
 [[package]]
-name = "aho-corasick"
+name = "addr2line"
-version = "0.7.10"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8716408b8bc624ed7f65d223ddb9ac2d044c0547b6fa4b0d554f3a9540496ada"
+checksum = "1b6a2d3371669ab3ca9797670853d61402b03d0b4b9ebf33d677dfa720203072"
 dependencies = [
 "gimli",
 ]
 [[package]]
 name = "adler"
 version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ee2a4ec343196209d6594e19543ae87a39f96d5534d7174822a3ad825dd6ed7e"
 [[package]]
 name = "aho-corasick"
 version = "0.7.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86"
 dependencies = [
 "memchr",
 ]
@@ -43,31 +58,23 @@ checksum = "f8aac770f1885fd7e387acedd76065302551364496e46b3dd00860b2f8359b9d"
 [[package]]
 name = "backtrace"
-version = "0.3.46"
+version = "0.3.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1e692897359247cc6bb902933361652380af0f1b7651ae5c5013407f30e109e"
+checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293"
 dependencies = [
- "backtrace-sys",
+ "addr2line",
 "cfg-if",
 "libc",
 "miniz_oxide",
 "object",
 "rustc-demangle",
 ]
 [[package]]
 name = "backtrace-sys"
 version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "78848718ee1255a2485d1309ad9cdecfc2e7d0362dd11c6829364c6b35ae1bc7"
 dependencies = [
 "cc",
 "libc",
 ]
 [[package]]
 name = "bindgen"
-version = "0.53.2"
+version = "0.54.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6bb26d6a69a335b8cb0e7c7e9775cd5666611dc50a37177c3f2cedcfc040e8c8"
+checksum = "f4d49b80beb70d76cdac92f5681e666f9a697c737c4f4117a67229a0386dc736"
 dependencies = [
 "bitflags",
 "cexpr",
@@ -79,8 +86,8 @@ dependencies = [
 "lazycell",
 "log",
 "peeking_take_while",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
 "regex",
 "rustc-hash",
 "shlex",
@@ -111,9 +118,9 @@ dependencies = [
 [[package]]
 name = "cc"
-version = "1.0.52"
+version = "1.0.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3d87b23d6a92cd03af510a5ade527033f6aa6fa92161e2d5863a907d4c5e31d"
+checksum = "f9a06fb2e53271d7c279ec1efea6ab691c35a2ae67ec0d91d7acec0caf13b518"
 [[package]]
 name = "cexpr"
@@ -143,9 +150,9 @@ dependencies = [
 [[package]]
 name = "clap"
-version = "2.33.0"
+version = "2.33.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5067f5bb2d80ef5d68b4c87db81601f0b75bca627bc2ef76b141d7b846a3c6d9"
+checksum = "10040cdf04294b565d9e0319955430099ec3813a64c952b86a41200ad714ae48"
 dependencies = [
 "ansi_term",
 "atty",
@@ -181,12 +188,12 @@ dependencies = [
 [[package]]
 name = "crossbeam-channel"
-version = "0.4.2"
+version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cced8691919c02aac3cb0a1bc2e9b73d89e832bf9a06fc579d4e71b68a2da061"
+checksum = "09ee0cc8804d5393478d743b035099520087a5186f3b93fa58cec08fa62407b6"
 dependencies = [
 "cfg-if",
 "crossbeam-utils",
 "maybe-uninit",
 ]
 [[package]]
@@ -217,12 +224,13 @@ dependencies = [
 [[package]]
 name = "crossbeam-queue"
-version = "0.2.1"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
+checksum = "774ba60a54c213d409d5353bda12d49cd68d14e45036a285234c8d6f91f92570"
 dependencies = [
 "cfg-if",
 "crossbeam-utils",
 "maybe-uninit",
 ]
 [[package]]
@@ -284,10 +292,10 @@ checksum = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
 dependencies = [
 "fnv",
 "ident_case",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
 "strsim 0.9.3",
- "syn 1.0.18",
+ "syn 1.0.38",
 ]
 [[package]]
@@ -297,8 +305,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9b5a2f4ac4969822c62224815d069952656cadc7084fdca9751e6d959189b72"
 dependencies = [
 "darling_core",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
 ]
 [[package]]
@@ -309,9 +317,9 @@ checksum = "a2658621297f2cf68762a6f7dc0bb7e1ff2cfd6583daef8ee0fed6f7ec468ec0"
 dependencies = [
 "darling",
 "derive_builder_core",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
 ]
 [[package]]
@@ -321,16 +329,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2791ea3e372c8495c0bc2033991d76b512cd799d07491fbd6890124db9458bef"
 dependencies = [
 "darling",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
 ]
 [[package]]
 name = "either"
-version = "1.5.3"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb1f6b1ce1c140482ea30ddd3335fc0024ac7ee112895426e0a629a6c20adfe3"
+checksum = "cd56b59865bce947ac5958779cfa508f6c3b9497cc762b7e24a12d11ccde2c4f"
 [[package]]
 name = "env_logger"
@@ -347,9 +355,9 @@ dependencies = [
 [[package]]
 name = "failure"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8529c2421efa3066a5cbd8063d2244603824daccb6936b079010bb2aa89464b"
+checksum = "d32e9bd16cc02eae7db7ef620b392808b89f6a5e16bb3497d159c6b92a0f4f86"
 dependencies = [
 "backtrace",
 "failure_derive",
@@ -357,19 +365,19 @@ dependencies = [
 [[package]]
 name = "failure_derive"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "030a733c8287d6213886dd487564ff5c8f6aae10278b3588ed177f9d18f8d231"
+checksum = "aa4da3c766cd7a0db8242e326e9e4e081edd567072893ed320008189715366a4"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
 "synstructure",
 ]
 [[package]]
 name = "fido2luks"
-version = "0.2.9"
+version = "0.2.10"
 dependencies = [
 "ctap_hmac",
 "failure",
@@ -385,9 +393,9 @@ dependencies = [
 [[package]]
 name = "fnv"
-version = "1.0.6"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 [[package]]
 name = "fuchsia-cprng"
@@ -401,6 +409,12 @@ version = "0.3.55"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"
 [[package]]
 name = "gimli"
 version = "0.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aaf91faf136cb47367fa430cd46e37a788775e7fa104f8b4bcb3861dc389b724"
 [[package]]
 name = "glob"
 version = "0.3.0"
@@ -418,9 +432,9 @@ dependencies = [
 [[package]]
 name = "hermit-abi"
-version = "0.1.12"
+version = "0.1.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61565ff7aaace3525556587bd2dc31d4a07071957be715e63ce7b1eccf51a8f4"
+checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9"
 dependencies = [
 "libc",
 ]
@@ -448,9 +462,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 [[package]]
 name = "itoa"
-version = "0.4.5"
+version = "0.4.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8b7a7c0c47db5545ed3fef7468ee7bb5b74691498139e4b3f6a20685dc6dd8e"
+checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
 [[package]]
 name = "lazy_static"
@@ -466,15 +480,15 @@ checksum = "b294d6fa9ee409a054354afc4352b0b9ef7ca222c69b8812cbea9e7d2bf3783f"
 [[package]]
 name = "libc"
-version = "0.2.69"
+version = "0.2.74"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "99e85c08494b21a9054e7fe1374a732aeadaff3980b6990b94bfd3a70f690005"
+checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10"
 [[package]]
 name = "libcryptsetup-rs"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38cd24132ee0239515bc895782f65ab3e382a0f78e7cee30417159e5c6f81b6b"
+checksum = "b9042dbf4b7e4309494949696496e230c9052af64559d3441627d639898c172c"
 dependencies = [
 "either",
 "libc",
@@ -487,9 +501,9 @@ dependencies = [
 [[package]]
 name = "libcryptsetup-rs-sys"
-version = "0.1.2"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c605998e81e2a99c1f4c5d0be45ea1df6f1dc45dc64f5ca2847b0dbebf49ae7"
+checksum = "4b75a2b946509fb39fdb4b232c973166da14be373d09a43eb36b82f775d8244e"
 dependencies = [
 "bindgen",
 "cc",
@@ -509,9 +523,9 @@ dependencies = [
 [[package]]
 name = "log"
-version = "0.4.8"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14b6052be84e6b71ab17edffc2eeabf5c2c3ae1fdb464aae35ac50c67a44e1f7"
+checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
 dependencies = [
 "cfg-if",
 ]
@@ -530,18 +544,27 @@ checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400"
 [[package]]
 name = "memoffset"
-version = "0.5.4"
+version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4fc2c02a7e374099d4ee95a193111f72d2110197fe200272371758f6c3643d8"
+checksum = "c198b026e1bbf08a937e94c6c60f9ec4a2267f5b0d2eec9c1b21b061ce2be55f"
 dependencies = [
 "autocfg 1.0.0",
 ]
 [[package]]
-name = "nom"
+name = "miniz_oxide"
-version = "5.1.1"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b471253da97532da4b61552249c521e01e736071f71c1a4f7ebbfbf0a06aad6"
+checksum = "be0f75932c1f6cfae3c04000e40114adf955636e19040f9c0a2c380702aa1c7f"
 dependencies = [
 "adler",
 ]
 [[package]]
 name = "nom"
 version = "5.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ffb4262d26ed83a1c0a33a38fe2bb15797329c85770da05e6b828ddb782627af"
 dependencies = [
 "memchr",
 "version_check",
@@ -560,13 +583,19 @@ dependencies = [
 [[package]]
 name = "num-traits"
-version = "0.2.11"
+version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c62be47e61d1842b9170f0fdeec8eba98e60e90e5446449a0545e5152acd7096"
+checksum = "ac267bcc07f48ee5f8935ab0d24f316fb722d7a1292e2913f0cc196b29ffd611"
 dependencies = [
 "autocfg 1.0.0",
 ]
 [[package]]
 name = "object"
 version = "0.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1ab52be62400ca80aa00285d25253d7f7c437b7375c4de678f5405d3afe82ca5"
 [[package]]
 name = "peeking_take_while"
 version = "0.1.2"
@@ -575,33 +604,31 @@ checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
 [[package]]
 name = "pkg-config"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
+checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33"
 [[package]]
 name = "proc-macro-error"
-version = "1.0.2"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98e9e4b82e0ef281812565ea4751049f1bdcdfccda7d3f459f2e138a40c08678"
+checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
 dependencies = [
 "proc-macro-error-attr",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
 "version_check",
 ]
 [[package]]
 name = "proc-macro-error-attr"
-version = "1.0.2"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f5444ead4e9935abd7f27dc51f7e852a0569ac888096d5ec2499470794e2e53"
+checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
 "syn 1.0.18",
 "syn-mid",
 "version_check",
 ]
@@ -616,11 +643,11 @@ dependencies = [
 [[package]]
 name = "proc-macro2"
-version = "1.0.10"
+version = "1.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df246d292ff63439fea9bc8c0a270bed0e390d5ebd4db4ba15aba81111b5abe3"
+checksum = "04f5f085b5d71e2188cb8271e5da0161ad52c3f227a661a3c135fdf28e258b12"
 dependencies = [
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 [[package]]
@@ -640,11 +667,11 @@ dependencies = [
 [[package]]
 name = "quote"
-version = "1.0.3"
+version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bdc6c187c65bca4260c9011c9e3132efe4909da44726bad24cf7572ae338d7f"
+checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
 ]
 [[package]]
@@ -787,9 +814,9 @@ dependencies = [
 [[package]]
 name = "regex"
-version = "1.3.7"
+version = "1.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6020f034922e3194c711b82a627453881bc4682166cabb07134a10c26ba7692"
+checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -799,9 +826,9 @@ dependencies = [
 [[package]]
 name = "regex-syntax"
-version = "0.6.17"
+version = "0.6.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fe5bd57d1d7414c6b5ed48563a2c855d995ff777729dcd91c369ec7fea395ae"
+checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8"
 [[package]]
 name = "ring"
@@ -858,9 +885,9 @@ checksum = "dcf128d1287d2ea9d80910b5f1120d0b8eede3fbf1abe91c40d39ea7d51e6fda"
 [[package]]
 name = "ryu"
-version = "1.0.4"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed3d612bc64430efeb3f7ee6ef26d590dce0c43249217bddc62112540c7941e1"
+checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
 [[package]]
 name = "scopeguard"
@@ -885,26 +912,26 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 [[package]]
 name = "serde"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36df6ac6412072f67cf767ebbde4133a5b2e88e76dc6187fa7104cd16f783399"
+checksum = "e54c9a88f2da7238af84b5101443f0c0d0a3bbdc455e34a5c9497b1903ed55d5"
 [[package]]
 name = "serde_derive"
-version = "1.0.106"
+version = "1.0.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e549e3abf4fb8621bd1609f11dfc9f5e50320802273b12f3811a67e6716ea6c"
+checksum = "609feed1d0a73cc36a0182a840a9b37b4a82f0b1150369f0536a9e3f2a31dc48"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
 ]
 [[package]]
 name = "serde_json"
-version = "1.0.51"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da07b57ee2623368351e9a0488bb0b261322a15a6e0ae53e243cbdc0f4208da9"
+checksum = "164eacbdb13512ec2745fb09d51fd5b22b0d65ed294a1dcf7285a360c80a675c"
 dependencies = [
 "itoa",
 "ryu",
@@ -931,9 +958,9 @@ checksum = "6446ced80d6c486436db5c078dde11a9f73d42b57fb273121e160b84f63d894c"
 [[package]]
 name = "structopt"
-version = "0.3.14"
+version = "0.3.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "863246aaf5ddd0d6928dfeb1a9ca65f505599e4e1b399935ef7e75107516b4ef"
+checksum = "de5472fb24d7e80ae84a7801b7978f95a19ec32cb1876faea59ab711eb901976"
 dependencies = [
 "clap",
 "lazy_static",
@@ -942,15 +969,15 @@ dependencies = [
 [[package]]
 name = "structopt-derive"
-version = "0.4.7"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d239ca4b13aee7a2142e6795cbd69e457665ff8037aed33b3effdc430d2f927a"
+checksum = "1e0eb37335aeeebe51be42e2dc07f031163fbabfa6ac67d7ea68b5c2f68d5f99"
 dependencies = [
 "heck",
 "proc-macro-error",
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
 ]
 [[package]]
@@ -966,36 +993,25 @@ dependencies = [
 [[package]]
 name = "syn"
-version = "1.0.18"
+version = "1.0.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "410a7488c0a728c7ceb4ad59b9567eb4053d02e8cc7f5c0e0eeeb39518369213"
+checksum = "e69abc24912995b3038597a7a593be5053eb0fb44f3cc5beec0deb421790c1f4"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 [[package]]
 name = "syn-mid"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7be3539f6c128a931cf19dcee741c1af532c7fd387baa739c03dd2e96479338a"
 dependencies = [
 "proc-macro2 1.0.10",
 "quote 1.0.3",
 "syn 1.0.18",
 ]
 [[package]]
 name = "synstructure"
-version = "0.12.3"
+version = "0.12.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67656ea1dc1b41b1451851562ea232ec2e5a80242139f7e679ceccfb5d61f545"
+checksum = "b834f2d66f734cb897113e34aaff2f1ab4719ca946f9a7358dba8f8064148701"
 dependencies = [
- "proc-macro2 1.0.10",
+ "proc-macro2 1.0.19",
- "quote 1.0.3",
+ "quote 1.0.7",
- "syn 1.0.18",
+ "syn 1.0.38",
- "unicode-xid 0.2.0",
+ "unicode-xid 0.2.1",
 ]
 [[package]]
@@ -1043,9 +1059,9 @@ checksum = "e83e153d1053cbb5a118eeff7fd5be06ed99153f00dbcd8ae310c5fb2b22edc0"
 [[package]]
 name = "unicode-width"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "caaa9d531767d1ff2150b9332433f32a24622147e5ebb1f26409d5da67afd479"
+checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
 [[package]]
 name = "unicode-xid"
@@ -1055,9 +1071,9 @@ checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
 [[package]]
 name = "unicode-xid"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "826e7639553986605ec5979c7dd957c7895e93eabed50ab2ffa7f6128a75097c"
+checksum = "f7fe0bb3479651439c9112f72b6c505038574c9fbb575ed1bf3b797fa39dd564"
 [[package]]
 name = "untrusted"
@@ -1076,15 +1092,15 @@ dependencies = [
 [[package]]
 name = "vec_map"
-version = "0.8.1"
+version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
+checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
 [[package]]
 name = "version_check"
-version = "0.9.1"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "078775d0255232fb988e6fccf26ddc9d1ac274299aaedcedce21c6f72cc533ce"
+checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed"
 [[package]]
 name = "which"
@@ -1097,9 +1113,9 @@ dependencies = [
 [[package]]
 name = "winapi"
-version = "0.3.8"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8093091eeb260906a183e6ae1abdba2ef5ef2257a21801128899c3fc699229c6"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
 dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fido2luks"
-version = "0.2.9"
+version = "0.2.10"
 authors = ["shimunn <shimun@shimun.net>"]
 edition = "2018"
@@ -11,7 +11,7 @@ repository = "https://github.com/shimunn/fido2luks"
 readme = "README.md"
 keywords = ["luks", "fido2", "u2f"]
 categories = ["command-line-utilities"]
-license-file = "LICENSE"
+license = "MPL-2.0"
 [dependencies]
 ctap_hmac = { version="0.4.2", features = ["request_multiple"] }
@@ -31,3 +31,15 @@ opt-level = 'z'
 panic = 'abort'
 incremental = false
 overflow-checks = false
 [package.metadata.deb]
 depends = "$auto, cryptsetup"
 build-depends = "libclang-dev, libcryptsetup-dev"
 extended-description = "Decrypt your LUKS partition using a FIDO2 compatible authenticator"
 assets = [
    ["target/release/fido2luks", "usr/bin/", "755"],
    ["initramfs-tools/keyscript.sh", "/lib/cryptsetup/scripts/fido2luks", "755" ],
    ["initramfs-tools/hook/fido2luks.sh", "etc/initramfs-tools/hooks/", "755" ],
    ["initramfs-tools/fido2luks.conf", "etc/", "644"],
 ]
 conf-files = ["/etc/fido2luks.conf"]
--- a/1047
+++ b/1047
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 This will allow you to unlock your luks encrypted disk with an fido2 compatible key
-Note: This has only been tested under Fedora 31 using a Solo Key, Trezor Model T
+Note: This has only been tested under Fedora 31, [Ubuntu 20.04](initramfs-tools/), [NixOS](https://nixos.org/nixos/manual/#sec-luks-file-systems-fido2) using a Solo Key, Trezor Model T
 ## Setup
@@ -107,3 +107,17 @@ sudo -E fido2luks -i replace-key /dev/disk/by-uuid/<DISK_UUID>
 sudo rm -rf /usr/lib/dracut/modules.d/96luks-2fa /etc/dracut.conf.d/luks-2fa.conf /etc/fido2luks.conf
 ```
 ## License
 Licensed under
 * Mozilla Public License 2.0, ([LICENSE-MPL](LICENSE-MPL) or https://www.mozilla.org/en-US/MPL/2.0/)
 ### Contribution
 Unless you explicitly state otherwise, any contribution intentionally
 submitted for inclusion in the work by you, as defined in the MPL 2.0
 license, shall be licensed as above, without any additional terms or
 conditions.
--- a/initramfs-tools/Makefile
+++ b/initramfs-tools/Makefile
@@ -0,0 +1,11 @@
 .PHONY: install
 install:
 	chmod +x hook/fido2luks.sh keyscript.sh
 	cp -f hook/fido2luks.sh /etc/initramfs-tools/hooks/
 	mkdir -p /usr/share/fido2luks
 	cp -f keyscript.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
 remove:
 	sh -c "grep 'keyscript=fido2luks' -i /etc/crypttab && ( echo 'ERROR: your system is still setup to use fido2luks during boot' && exit 1) || exit 0"
 	rm /etc/initramfs-tools/hooks/fido2luks.sh /lib/cryptsetup/scripts/fido2luks
 	update-initramfs -u
--- a/initramfs-tools/README.md
+++ b/initramfs-tools/README.md
@@ -0,0 +1,13 @@
 ## Initramfs-tools based systems(Ubuntu and derivatives)
 After installation generate your credentials and add keys to your disk as described in the top-level README
 then add `initramfs,keyscript=fido2luks` to your `/etc/crypttab`
 Example:
 ```
 sda6_crypt UUID=9793d81a-4cfb-4712-85f3-c7a8d715112c none luks,discard,initramfs,keyscript=fido2luks
 ```
 But don't forget to run `make install` which will install all necessary scripts and regenerate your intrid.
 [Recording showing part of the setup](https://shimun.net/fido2luks/setup.svg)
--- a/initramfs-tools/fido2luks.conf
+++ b/initramfs-tools/fido2luks.conf
@@ -0,0 +1,3 @@
 FIDO2LUKS_SALT=Ask
 #FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --promt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=
--- a/initramfs-tools/hook/fido2luks.sh
+++ b/initramfs-tools/hook/fido2luks.sh
@@ -0,0 +1,14 @@
 #!/bin/sh
 case "$1" in
 prereqs)
 	echo ""
 	exit 0
 	;;
 esac
 . /usr/share/initramfs-tools/hook-functions
 copy_file config /etc/fido2luks.conf /etc/fido2luks.conf
 copy_exec /usr/bin/fido2luks
 exit 0
--- a/initramfs-tools/keyscript.sh
+++ b/initramfs-tools/keyscript.sh
@@ -0,0 +1,11 @@
 #!/bin/sh
 set -a
 . /etc/fido2luks.conf
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 	MSG="FIDO2 password salt for $CRYPTTAB_NAME"
 	export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --promt '$MSG'"
 	plymouth message --text "$MSG"
 fi
 fido2luks print-secret --bin
--- a/initramfs-tools/setup.svg
+++ b/initramfs-tools/setup.svg
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -1,5 +1,4 @@
 use crate::error::*;
 use crate::luks;
 use crate::*;
 use structopt::StructOpt;
@@ -12,8 +11,10 @@ use std::io::Write;
 use std::process::exit;
 use std::thread;
 use crate::luks::{Fido2LuksToken, LuksDevice};
 use crate::util::sha256;
 use std::borrow::Cow;
 use std::collections::HashSet;
 use std::time::SystemTime;
 #[derive(Debug, Eq, PartialEq, Clone)]
@@ -25,6 +26,12 @@ impl Display for HexEncoded {
    }
 }
 impl AsRef<[u8]> for HexEncoded {
    fn as_ref(&self) -> &[u8] {
        &self.0[..]
    }
 }
 impl FromStr for HexEncoded {
    type Err = hex::FromHexError;
@@ -59,7 +66,7 @@ impl<T: Display + FromStr> FromStr for CommaSeparated<T> {
 #[derive(Debug, StructOpt)]
 pub struct Credentials {
-    /// FIDO credential ids, seperated by ',' generate using fido2luks credential
+    /// FIDO credential ids, separated by ',' generate using fido2luks credential
    #[structopt(name = "credential-id", env = "FIDO2LUKS_CREDENTIAL_ID")]
    pub ids: CommaSeparated<HexEncoded>,
 }
@@ -282,6 +289,45 @@ pub enum Command {
    /// Check if an authenticator is connected
    #[structopt(name = "connected")]
    Connected,
    Token(TokenCommand),
 }
 ///LUKS2 token related operations
 #[derive(Debug, StructOpt)]
 pub enum TokenCommand {
    /// List all tokens associated with the specified device
    List {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        /// Dump all credentials as CSV
        #[structopt(long = "csv")]
        csv: bool,
    },
    /// Add credential to a keyslot
    Add {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        #[structopt(flatten)]
        credentials: Credentials,
        /// Slot to which the credentials will be added
        #[structopt(long = "slot", env = "FIDO2LUKS_DEVICE_SLOT")]
        slot: u32,
    },
    /// Remove credentials from token(s)
    Remove {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
        #[structopt(flatten)]
        credentials: Credentials,
        /// Token from which the credentials will be removed
        #[structopt(long = "token")]
        token_id: Option<u32>,
    },
    /// Remove all unassigned tokens
    GC {
        #[structopt(env = "FIDO2LUKS_DEVICE")]
        device: PathBuf,
    },
 }
 pub fn parse_cmdline() -> Args {
@@ -371,7 +417,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    secret.salt.obtain(&secret.password_helper)
                }
            };
-            let other_secret = |salt_q: &str, verify: bool| -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
+            let other_secret = |salt_q: &str,
                                verify: bool|
             -> Fido2LuksResult<(Vec<u8>, Option<FidoCredential>)> {
                match other_secret {
                    OtherSecret {
                        keyfile: Some(file),
@@ -386,7 +434,10 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                        pin.as_deref(),
                    )
                    .map(|(secret, cred)| (secret[..].to_vec(), Some(cred)))?),
-                    _ => Ok((util::read_password(salt_q, verify)?.as_bytes().to_vec(), None)),
+                    _ => Ok((
                        util::read_password(salt_q, verify)?.as_bytes().to_vec(),
                        None,
                    )),
                }
            };
            let secret = |verify: bool| -> Fido2LuksResult<([u8; 32], FidoCredential)> {
@@ -397,22 +448,20 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    pin.as_deref(),
                )
            };
            let mut luks_dev = LuksDevice::load(&luks.device)?;
            // Non overlap
            match &args.command {
-                Command::AddKey {
+                Command::AddKey { exclusive, .. } => {
                    exclusive,  ..
                } => {
                    let (existing_secret, _) = other_secret("Current password", false)?;
                    let (new_secret, cred) = secret(true)?;
-                    let added_slot = luks::add_key(
+                    let added_slot = luks_dev.add_key(
                        &luks.device,
                        &new_secret,
                        &existing_secret[..],
                        luks_mod.kdf_time.or(Some(10)),
                        Some(&cred.id[..]).filter(|_| *token),
                    )?;
                    if *exclusive {
-                        let destroyed = luks::remove_keyslots(&luks.device, &[added_slot])?;
+                        let destroyed = luks_dev.remove_keyslots(&[added_slot])?;
                        println!(
                            "Added to key to device {}, slot: {}\nRemoved {} old keys",
                            luks.device.display(),
@@ -432,16 +481,14 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                    let (existing_secret, _) = secret(false)?;
                    let (replacement_secret, cred) = other_secret("Replacement password", true)?;
                    let slot = if *add_password {
-                        luks::add_key(
+                        luks_dev.add_key(
                            &luks.device,
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
                            cred.as_ref().filter(|_| *token).map(|cred| &cred.id[..]),
                        )
                    } else {
-                        luks::replace_key(
+                        luks_dev.replace_key(
                            &luks.device,
                            &replacement_secret[..],
                            &existing_secret,
                            luks_mod.kdf_time,
@@ -499,14 +546,12 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            };
            let mut retries = *retries;
            let mut luks_dev = LuksDevice::load(&luks.device)?;
            loop {
                let secret = match &args.command {
                    Command::Open { credentials, .. } => secret(Cow::Borrowed(&credentials.ids.0))
-                        .and_then(|(secret, _cred)| {
+                        .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot)),
-                            luks::open_container(&luks.device, &name, &secret, luks.slot)
+                    Command::OpenToken { .. } => luks_dev.activate_token(
                        }),
                    Command::OpenToken { .. } => luks::open_container_token(
                        &luks.device,
                        &name,
                        Box::new(|credentials: Vec<String>| {
                            let creds = credentials
@@ -516,6 +561,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                            secret(Cow::Owned(creds))
                                .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
                        }),
                        luks.slot,
                    ),
                    _ => unreachable!(),
                };
@@ -531,7 +577,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
                        retries -= 1;
                        eprintln!("{}", e);
                    }
-                    res => break res,
+                    res => break res.map(|_| ()),
                }
            }
        }
@@ -542,5 +588,129 @@ pub fn run_cli() -> Fido2LuksResult<()> {
            }
            _ => exit(1),
        },
        Command::Token(cmd) => match cmd {
            TokenCommand::List {
                device,
                csv: dump_credentials,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    for cred in token.credential.iter() {
                        if !creds.contains(cred) {
                            creds.push(cred.clone());
                            if *dump_credentials {
                                print!("{}{}", if creds.len() == 1 { "" } else { "," }, cred);
                            }
                        }
                    }
                    if *dump_credentials {
                        continue;
                    }
                    println!(
                        "{}:\n\tSlots: {}\n\tCredentials: {}",
                        id,
                        if token.keyslots.is_empty() {
                            "None".into()
                        } else {
                            token.keyslots.iter().cloned().collect::<Vec<_>>().join(",")
                        },
                        token
                            .credential
                            .iter()
                            .map(|cred| format!(
                                "{} ({})",
                                cred,
                                creds.iter().position(|c| c == cred).unwrap().to_string()
                            ))
                            .collect::<Vec<_>>()
                            .join(",")
                    );
                }
                if *dump_credentials {
                    println!();
                }
                Ok(())
            }
            TokenCommand::Add {
                device,
                credentials,
                slot,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.contains(&slot.to_string()) {
                        tokens.push((id, token));
                    }
                }
                let count = if tokens.is_empty() {
                    dev.add_token(&Fido2LuksToken::with_credentials(&credentials.ids.0, *slot))?;
                    1
                } else {
                    tokens.len()
                };
                for (id, mut token) in tokens {
                    token
                        .credential
                        .extend(credentials.ids.0.iter().map(|h| h.to_string()));
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::Remove {
                device,
                credentials,
                token_id,
            } => {
                let mut dev = LuksDevice::load(device)?;
                let mut tokens = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if let Some(token_id) = token_id {
                        if id == *token_id {
                            tokens.push((id, token));
                        }
                    } else {
                        tokens.push((id, token));
                    }
                }
                let count = tokens.len();
                for (id, mut token) in tokens {
                    token.credential = token
                        .credential
                        .into_iter()
                        .filter(|cred| !credentials.ids.0.iter().any(|h| &h.to_string() == cred))
                        .collect();
                    dev.update_token(id, &token)?;
                }
                println!("Updated {} tokens", count);
                Ok(())
            }
            TokenCommand::GC { device } => {
                let mut dev = LuksDevice::load(device)?;
                let mut creds: HashSet<String> = HashSet::new();
                let mut remove = Vec::new();
                for token in dev.tokens()? {
                    let (id, token) = token?;
                    if token.keyslots.is_empty() || token.credential.is_empty() {
                        creds.extend(token.credential);
                        remove.push(id);
                    }
                }
                for id in remove.iter().rev() {
                    dev.remove_token(*id)?;
                }
                println!(
                    "Removed {} tokens, affected credentials: {}",
                    remove.len(),
                    creds.into_iter().collect::<Vec<_>>().join(",")
                );
                Ok(())
            }
        },
    }
 }
--- a/src/error.rs
+++ b/src/error.rs
@@ -75,6 +75,12 @@ impl LuksError {
    }
 }
 impl From<LuksError> for Fido2LuksError {
    fn from(e: LuksError) -> Self {
        Fido2LuksError::LuksError { cause: e }
    }
 }
 use libcryptsetup_rs::LibcryptErr;
 use std::io::ErrorKind;
 use std::string::FromUtf8Error;
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -7,89 +7,251 @@ use libcryptsetup_rs::{
 use std::collections::{HashMap, HashSet};
 use std::path::Path;
-fn load_device_handle<P: AsRef<Path>>(path: P) -> Fido2LuksResult<CryptDevice> {
+pub struct LuksDevice {
    device: CryptDevice,
    luks2: Option<bool>,
 }
 impl LuksDevice {
    pub fn load<P: AsRef<Path>>(path: P) -> Fido2LuksResult<LuksDevice> {
        let mut device = CryptInit::init(path.as_ref())?;
        device.context_handle().load::<()>(None, None)?;
-    Ok(device)
+        Ok(Self {
-}
+            device,
-
+            luks2: None,
-fn check_luks2(device: &mut CryptDevice) -> Fido2LuksResult<()> {
+        })
    match device.format_handle().get_type()? {
        EncryptionFormat::Luks2 => Ok(()),
        _ => Err(Fido2LuksError::LuksError {
            cause: LuksError::Luks2Required,
        }),
    }
 }
-#[derive(Debug, Clone, Serialize, Deserialize)]
+    pub fn is_luks2(&mut self) -> Fido2LuksResult<bool> {
-struct Fido2LuksToken {
+        if let Some(luks2) = self.luks2 {
-    #[serde(rename = "type")]
+            Ok(luks2)
-    type_: String,
+        } else {
-    credential: Vec<String>,
+            self.luks2 = Some(match self.device.format_handle().get_type()? {
-    keyslots: Vec<String>,
+                EncryptionFormat::Luks2 => true,
-}
+                _ => false,
-
+            });
-impl Fido2LuksToken {
+            self.is_luks2()
    fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
        Self {
            type_: "fido2luks\0".into(), // Doubles as c style string
            credential: vec![hex::encode(credential_id)],
            keyslots: vec![slot.to_string()],
        }
    }
 }
-pub fn open_container<P: AsRef<Path>>(
+    fn require_luks2(&mut self) -> Fido2LuksResult<()> {
-    path: P,
+        if !self.is_luks2()? {
-    name: &str,
+            return Err(LuksError::Luks2Required.into());
-    secret: &[u8],
+        }
-    slot_hint: Option<u32>,
+        Ok(())
-) -> Fido2LuksResult<()> {
+    }
    let mut device = load_device_handle(path)?;
    device
        .activate_handle()
        .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
        .map(|_slot| ())
        .map_err(|_e| Fido2LuksError::WrongSecret)
 }
-pub fn open_container_token<P: AsRef<Path>>(
+    pub fn tokens<'a>(
-    path: P,
+        &'a mut self,
-    name: &str,
+    ) -> Fido2LuksResult<Box<dyn Iterator<Item = Fido2LuksResult<(u32, Fido2LuksToken)>> + 'a>>
-    secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
+    {
-) -> Fido2LuksResult<()> {
+        self.require_luks2()?;
-    let mut device = load_device_handle(path)?;
+        Ok(Box::new(
-    check_luks2(&mut device)?;
+            (0..32)
-
+                .map(move |i| {
-    let mut creds = HashMap::new();
+                    let status = match self.device.token_handle().status(i) {
-    for i in 0..256 {
+                        Ok(status) => status,
-        let status = device.token_handle().status(i)?;
+                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    match status {
-            CryptTokenInfo::Inactive => break,
+                        CryptTokenInfo::Inactive => return None,
                        CryptTokenInfo::Internal(s)
                        | CryptTokenInfo::InternalUnknown(s)
                        | CryptTokenInfo::ExternalUnknown(s)
                        | CryptTokenInfo::External(s)
-                if &s != "fido2luks" =>
+                            if &s != Fido2LuksToken::default_type() =>
                        {
-                continue
+                            return None
                        }
                        _ => (),
                    };
-        let json = device.token_handle().json_get(i)?;
+                    let json = match self.device.token_handle().json_get(i) {
                        Ok(json) => json,
                        Err(err) => return Some(Err(Fido2LuksError::from(err))),
                    };
                    let info: Fido2LuksToken =
-            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
+                        match serde_json::from_value(json.clone()).map_err(|_| {
                            Fido2LuksError::LuksError {
                                cause: LuksError::InvalidToken(json.to_string()),
-            })?;
+                            }
                        }) {
                            Ok(info) => info,
                            Err(err) => return Some(Err(Fido2LuksError::from(err))),
                        };
                    Some(Ok((i, info)))
                })
                .filter_map(|o| o),
        ))
    }
    pub fn find_token(&mut self, slot: u32) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
        let slot_str = slot.to_string();
        for token in self.tokens()? {
            let (id, token) = token?;
            if token.keyslots.contains(&slot_str) {
                return Ok(Some((id, token)));
            }
        }
        Ok(None)
    }
    pub fn add_token(&mut self, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::AddToken(&serde_json::to_value(&data).unwrap()))?;
        Ok(())
    }
    pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::RemoveToken(token))?;
        Ok(())
    }
    pub fn update_token(&mut self, token: u32, data: &Fido2LuksToken) -> Fido2LuksResult<()> {
        self.require_luks2()?;
        self.device
            .token_handle()
            .json_set(TokenInput::ReplaceToken(
                token,
                &serde_json::to_value(&data).unwrap(),
            ))?;
        Ok(())
    }
    pub fn add_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        let slot = self
            .device
            .keyslot_handle()
            .add_by_passphrase(None, old_secret, secret)?;
        if let Some(id) = credential_id {
            self.device.token_handle().json_set(TokenInput::AddToken(
                &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
            ))?;
        }
        Ok(slot)
    }
    pub fn remove_keyslots(&mut self, exclude: &[u32]) -> Fido2LuksResult<u32> {
        let mut destroyed = 0;
        let mut tokens = Vec::new();
        for slot in 0..256 {
            match self.device.keyslot_handle().status(slot)? {
                KeyslotInfo::Inactive => continue,
                KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
                    if self.is_luks2()? {
                        if let Some((id, _token)) = self.find_token(slot)? {
                            tokens.push(id);
                        }
                    }
                    self.device.keyslot_handle().destroy(slot)?;
                    destroyed += 1;
                }
                KeyslotInfo::ActiveLast => break,
                _ => (),
            }
            if self.device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
                break;
            }
        }
        // Ensure indices stay valid
        tokens.sort();
        for token in tokens.iter().rev() {
            self.remove_token(*token)?;
        }
        Ok(destroyed)
    }
    pub fn replace_key(
        &mut self,
        secret: &[u8],
        old_secret: &[u8],
        iteration_time: Option<u64>,
        credential_id: Option<&[u8]>,
    ) -> Fido2LuksResult<u32> {
        if let Some(millis) = iteration_time {
            self.device.settings_handle().set_iteration_time(millis)
        }
        // Use activate dry-run to locate keyslot
        let slot = self.device.activate_handle().activate_by_passphrase(
            None,
            None,
            old_secret,
            CryptActivateFlags::empty(),
        )?;
        self.device.keyslot_handle().change_by_passphrase(
            Some(slot),
            Some(slot),
            old_secret,
            secret,
        )? as u32;
        if let Some(id) = credential_id {
            if self.is_luks2()? {
                let token = self.find_token(slot)?.map(|(t, _)| t);
                let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
                if let Some(token) = token {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::ReplaceToken(token, &json))?;
                } else {
                    self.device
                        .token_handle()
                        .json_set(TokenInput::AddToken(&json))?;
                }
            }
        }
        Ok(slot)
    }
    pub fn activate(
        &mut self,
        name: &str,
        secret: &[u8],
        slot_hint: Option<u32>,
    ) -> Fido2LuksResult<u32> {
        self.device
            .activate_handle()
            .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
            .map_err(LuksError::activate)
    }
    pub fn activate_token(
        &mut self,
        name: &str,
        secret: impl Fn(Vec<String>) -> Fido2LuksResult<([u8; 32], String)>,
        slot_hint: Option<u32>,
    ) -> Fido2LuksResult<u32> {
        if !self.is_luks2()? {
            return Err(LuksError::Luks2Required.into());
        }
        let mut creds: HashMap<String, HashSet<u32>> = HashMap::new();
        for token in self.tokens()? {
            let token = match token {
                Ok((_id, t)) => t,
                _ => continue, // An corrupted token should't lock the user out
            };
            let slots = || {
-            info.keyslots
+                token
                    .keyslots
                    .iter()
                    .filter_map(|slot| slot.parse::<u32>().ok())
            };
-        for cred in info.credential.iter().cloned() {
+            for cred in token.credential.iter() {
                creds
-                .entry(cred)
+                    .entry(cred.clone())
                    .or_insert_with(|| slots().collect::<HashSet<u32>>())
                    .extend(slots());
            }
@@ -100,152 +262,66 @@ pub fn open_container_token<P: AsRef<Path>>(
            });
        }
        let (secret, credential) = secret(creds.keys().cloned().collect())?;
-    let slots = creds.get(&credential).unwrap();
+        let empty;
-    let slots = slots
+        let slots = if let Some(slots) = creds.get(&credential) {
-        .iter()
+            slots
-        .cloned()
+        } else {
-        .map(Option::Some)
+            empty = HashSet::new();
-        .chain(std::iter::once(None).take(slots.is_empty() as usize));
+            &empty
        };
        //Try slots associated with the credential used
        let slots = slots.iter().cloned().map(Option::Some).chain(
            std::iter::once(slot_hint) // Try slot hint if there is one
                .take(slot_hint.is_some() as usize)
                .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
        );
        for slot in slots {
-        match device
+            match self.activate(name, &secret, slot) {
            .activate_handle()
            .activate_by_passphrase(Some(name), slot, &secret, CryptActivateFlags::empty())
            .map(|_slot| ())
            .map_err(LuksError::activate)
        {
                Err(Fido2LuksError::WrongSecret) => (),
                res => return res,
            }
        }
        Err(Fido2LuksError::WrongSecret)
    }
 }
-pub fn add_key<P: AsRef<Path>>(
+#[derive(Debug, Clone, Serialize, Deserialize)]
-    path: P,
+pub struct Fido2LuksToken {
-    secret: &[u8],
+    #[serde(rename = "type")]
-    old_secret: &[u8],
+    pub type_: String,
-    iteration_time: Option<u64>,
+    pub credential: HashSet<String>,
-    credential_id: Option<&[u8]>,
+    pub keyslots: HashSet<String>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    let slot = device
        .keyslot_handle()
        .add_by_passphrase(None, old_secret, secret)?;
    if let Some(id) = credential_id {
        /*  if let e @ Err(_) = check_luks2(&mut device) {
            //rollback
            device.keyslot_handle(Some(slot)).destroy()?;
            return e.map(|_| 0u32);
        }*/
        device.token_handle().json_set(TokenInput::AddToken(
            &serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap(),
        ))?;
    }
    Ok(slot)
 }
-fn find_token(
+impl Fido2LuksToken {
-    device: &mut CryptDevice,
+    pub fn new(credential_id: impl AsRef<[u8]>, slot: u32) -> Self {
        Self::with_credentials(std::iter::once(credential_id), slot)
    }
    pub fn with_credentials<I: IntoIterator<Item = B>, B: AsRef<[u8]>>(
        credentials: I,
        slot: u32,
-) -> Fido2LuksResult<Option<(u32, Fido2LuksToken)>> {
+    ) -> Self {
-    for i in 0..256 {
+        Self {
-        let status = device.token_handle().status(i)?;
+            credential: credentials
-        match status {
+                .into_iter()
-            CryptTokenInfo::Inactive => break,
+                .map(|cred| hex::encode(cred.as_ref()))
-            CryptTokenInfo::Internal(s)
+                .collect(),
-            | CryptTokenInfo::InternalUnknown(s)
+            keyslots: vec![slot.to_string()].into_iter().collect(),
-            | CryptTokenInfo::ExternalUnknown(s)
+            ..Default::default()
            | CryptTokenInfo::External(s)
                if &s != "fido2luks" =>
            {
                continue
            }
            _ => (),
        };
        let json = device.token_handle().json_get(i)?;
        let info: Fido2LuksToken =
            serde_json::from_value(json.clone()).map_err(|_| Fido2LuksError::LuksError {
                cause: LuksError::InvalidToken(json.to_string()),
            })?;
        if info.keyslots.contains(&slot.to_string()) {
            return Ok(Some((i, info)));
        }
    }
-    Ok(None)
+    pub fn default_type() -> &'static str {
        "fido2luks"
    }
 }
-pub fn remove_keyslots<P: AsRef<Path>>(path: P, exclude: &[u32]) -> Fido2LuksResult<u32> {
+impl Default for Fido2LuksToken {
-    let mut device = load_device_handle(path)?;
+    fn default() -> Self {
-    let mut destroyed = 0;
+        Self {
-    let mut tokens = Vec::new();
+            type_: Self::default_type().into(),
-    for slot in 0..256 {
+            credential: HashSet::new(),
-        match device.keyslot_handle().status(slot)? {
+            keyslots: HashSet::new(),
            KeyslotInfo::Inactive => continue,
            KeyslotInfo::Active | KeyslotInfo::ActiveLast if !exclude.contains(&slot) => {
                if let Ok(_) = check_luks2(&mut device) {
                    if let Some((token, _)) = find_token(&mut device, slot)? {
                        tokens.push(token);
        }
    }
                device.keyslot_handle().destroy(slot)?;
                destroyed += 1;
            }
            KeyslotInfo::ActiveLast => break,
            _ => (),
        }
        if device.keyslot_handle().status(slot)? == KeyslotInfo::ActiveLast {
            break;
        }
    }
    // Ensure indices stay valid
    tokens.sort();
    for token in tokens.iter().rev() {
        device
            .token_handle()
            .json_set(TokenInput::RemoveToken(*token))?;
    }
    Ok(destroyed)
 }
 pub fn replace_key<P: AsRef<Path>>(
    path: P,
    secret: &[u8],
    old_secret: &[u8],
    iteration_time: Option<u64>,
    credential_id: Option<&[u8]>,
 ) -> Fido2LuksResult<u32> {
    let mut device = load_device_handle(path)?;
    if let Some(millis) = iteration_time {
        device.settings_handle().set_iteration_time(millis)
    }
    // Use activate dry-run to locate keyslot
    let slot = device.activate_handle().activate_by_passphrase(
        None,
        None,
        old_secret,
        CryptActivateFlags::empty(),
    )?;
    device
        .keyslot_handle()
        .change_by_passphrase(Some(slot), Some(slot), old_secret, secret)? as u32;
    if let Some(id) = credential_id {
        if check_luks2(&mut device).is_ok() {
            let token = find_token(&mut device, slot)?.map(|(t, _)| t);
            let json = serde_json::to_value(&Fido2LuksToken::new(id, slot)).unwrap();
            if let Some(token) = token {
                device
                    .token_handle()
                    .json_set(TokenInput::ReplaceToken(token, &json))?;
            } else {
                device
                    .token_handle()
                    .json_set(TokenInput::AddToken(&json))?;
            }
        }
    }
    Ok(slot)
 }
Author	SHA1	Message	Date
shimun	cd90564f60	protect fido2luks.conf from being overwritten Some checks failed continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is failing Details	2020-08-11 23:08:12 +02:00
shimun	0f6d79a7e4	get plymouth to display a message Some checks failed continuous-integration/drone/push Build is failing Details	2020-08-11 22:41:21 +02:00
shimun	4136b1bfad	relicense to MPL Some checks failed continuous-integration/drone/push Build is failing Details	2020-07-27 09:22:02 +02:00
shimun	81016a1a42	require MPL for new contributions Some checks failed continuous-integration/drone/push Build is failing Details	2020-07-26 21:11:03 +02:00
shimun	840868468b	cargo-deb meta All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-04 21:32:21 +02:00
shimun	97880e4f41	refuse removal while crypttab depends on keyscript All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 16:21:35 +02:00
shimun	e798ba5c70	remove keyscript aswell All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:59:12 +02:00
shimun	298e05fed7	initramfs-tools All checks were successful continuous-integration/drone/push Build is passing Details	2020-07-03 15:55:23 +02:00
shimun	a498e1416f	automate cargo publish Some checks failed continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is failing Details	2020-06-23 23:55:07 +02:00
shimun	92e413de50	refactored luks operations All checks were successful continuous-integration/drone/push Build is passing Details	2020-06-22 20:47:19 +00:00
shimun	023399bb14	use unstable cryptsetup Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-22 18:17:10 +02:00
shimun	a53a430c23	update drone Some checks failed continuous-integration/drone/push Build is failing Details	2020-06-21 22:16:45 +02:00