author | Pavol Rusnak | 2020-09-05 22:42:15 +0200 |
---|---|---|
committer | Jakob Unterwurzacher | 2020-09-12 18:06:54 +0200 |
commit | 1e624a4cc3aafa57b5fa213c88bcd3689cefd1c3 (patch) | |
tree | a6e4f51ecb2dc0bac4276b2f65b39a3b426bc4ee /main.go | |
parent | 6a9c49e9cf23c85622dd4b181cdc615abc72d6bb (diff) |
Add support for FIDO2 tokens
Diffstat (limited to 'main.go')
-rw-r--r-- | main.go | 16 |
1 files changed, 15 insertions, 1 deletions
@@ -17,6 +17,7 @@ import (
 "github.com/rfjakob/gocryptfs/internal/configfile"
 "github.com/rfjakob/gocryptfs/internal/contentenc"
 "github.com/rfjakob/gocryptfs/internal/exitcodes"
+ "github.com/rfjakob/gocryptfs/internal/fido2"
 "github.com/rfjakob/gocryptfs/internal/readpassword"
 "github.com/rfjakob/gocryptfs/internal/speed"
 "github.com/rfjakob/gocryptfs/internal/stupidgcm"
@@ -50,7 +51,16 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile,
 if masterkey != nil {
 return masterkey, cf, nil
 }
- pw := readpassword.Once([]string(args.extpass), []string(args.passfile), "")
+ var pw []byte
+ if cf.IsFeatureFlagSet(configfile.FlagFIDO2) {
+ if args.fido2 == "" {
+ tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.")
+ os.Exit(exitcodes.Usage)
+ }
+ pw = fido2.Secret(args.fido2, cf.FIDO2.CredentialID, cf.FIDO2.HMACSalt)
+ } else {
+ pw = readpassword.Once([]string(args.extpass), []string(args.passfile), "")
+ }
 tlog.Info.Println("Decrypting master key")
 masterkey, err = cf.DecryptMasterKey(pw)
 for i := range pw {
@@ -78,6 +88,10 @@ func changePassword(args *argContainer) {
 if len(masterkey) == 0 {
 log.Panic("empty masterkey")
 }
+ if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) {
+ tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.")
+ os.Exit(exitcodes.Usage)
+ }
 tlog.Info.Println("Please enter your new password.")
 newPw := readpassword.Twice([]string(args.extpass), []string(args.passfile))
 logN := confFile.ScryptObject.LogN() |
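Review bot: In loadConfig the new FIDO2 branch silently ignores `args.extpass` and `args.passfile`, and the else branch silently ignores `args.fido2` when the config does not carry `FlagFIDO2`. A caller who passes both may assume the filesystem needs token and password when only one of them is used. I would reject the combination with a usage error guarded by `len(args.extpass) > 0 || len(args.passfile) > 0` inside the FIDO2 branch, or at least state the precedence in a comment above the `if`. `cf.FIDO2.CredentialID` and `cf.FIDO2.HMACSalt` come from the on-disk config, and whether they are checked for being non-empty when the flag is set is not visible here, so confirm that happens before they reach `fido2.Secret`. The body of loadConfig starts and ends outside the hunk.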
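Review bot: The FIDO2 refusal in changePassword sits after the `len(masterkey) == 0` check, so by the time it runs the master key has already been obtained, presumably after the token was used to unlock it. `os.Exit(exitcodes.Usage)` then leaves without any visible wipe of `masterkey`. If the feature flag can be read before the key is decrypted, the check belongs there. Otherwise zero the key first with `for i := range masterkey { masterkey[i] = 0 }`, the same pattern loadConfig applies to `pw`. A one-line comment saying why a password change is refused on FIDO2 filesystems would also help the next reader. The function begins and continues outside the hunk, so how `masterkey` and `confFile` are loaded is inferred.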