authorPavol Rusnak2020-09-05 22:42:15 +0200
committerJakob Unterwurzacher2020-09-12 18:06:54 +0200
commit1e624a4cc3aafa57b5fa213c88bcd3689cefd1c3 (patch)
treea6e4f51ecb2dc0bac4276b2f65b39a3b426bc4ee /main.go
parent6a9c49e9cf23c85622dd4b181cdc615abc72d6bb (diff)
Add support for FIDO2 tokens
Diffstat (limited to 'main.go')
-rw-r--r--main.go16
1 files changed, 15 insertions, 1 deletions
diff --git a/main.go b/main.go
index 11e15b2..49e213b 100644
--- a/main.go
+++ b/main.go
@@ -17,6 +17,7 @@ import (
"github.com/rfjakob/gocryptfs/internal/configfile"
"github.com/rfjakob/gocryptfs/internal/contentenc"
"github.com/rfjakob/gocryptfs/internal/exitcodes"
+ "github.com/rfjakob/gocryptfs/internal/fido2"
"github.com/rfjakob/gocryptfs/internal/readpassword"
"github.com/rfjakob/gocryptfs/internal/speed"
"github.com/rfjakob/gocryptfs/internal/stupidgcm"
@@ -50,7 +51,16 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile,
if masterkey != nil {
return masterkey, cf, nil
}
- pw := readpassword.Once([]string(args.extpass), []string(args.passfile), "")
+ var pw []byte
+ if cf.IsFeatureFlagSet(configfile.FlagFIDO2) {
+ if args.fido2 == "" {
+ tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.")
+ os.Exit(exitcodes.Usage)
+ }
+ pw = fido2.Secret(args.fido2, cf.FIDO2.CredentialID, cf.FIDO2.HMACSalt)
+ } else {
+ pw = readpassword.Once([]string(args.extpass), []string(args.passfile), "")
+ }
tlog.Info.Println("Decrypting master key")
masterkey, err = cf.DecryptMasterKey(pw)
for i := range pw {
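Review bot: The FIDO2 branch hands `cf.FIDO2.CredentialID` and `cf.FIDO2.HMACSalt` to `fido2.Secret` straight from the config file, without checking that they are populated once `FlagFIDO2` is set. The config file lives next to the ciphertext and can be edited or truncated, so a flag without usable parameters should end in an explicit error rather than in whatever `fido2.Secret` does with empty input, which is not visible in this hunk. Assuming both fields are byte slices, a guard before the call such as `if len(cf.FIDO2.CredentialID) == 0 || len(cf.FIDO2.HMACSalt) == 0 { /* log and exit with a config error */ }` would cover it. It is also worth a log line when `-extpass` or `-passfile` is given on a FIDO2 filesystem, since this branch silently ignores them. The body of `loadConfig` starts and ends outside the hunk.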
@@ -78,6 +88,10 @@ func changePassword(args *argContainer) {
if len(masterkey) == 0 {
log.Panic("empty masterkey")
}
+ if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) {
+ tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.")
+ os.Exit(exitcodes.Usage)
+ }
tlog.Info.Println("Please enter your new password.")
newPw := readpassword.Twice([]string(args.extpass), []string(args.passfile))
logN := confFile.ScryptObject.LogN()
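Review bot: The FIDO2 refusal in `changePassword` sits after the `len(masterkey) == 0` check, so by the time it runs the master key has apparently already been decrypted, and on a FIDO2 filesystem the user has had to present the token only to receive a usage error. If the config can be inspected before unlocking (the code above the hunk is not visible), test `IsFeatureFlagSet(configfile.FlagFIDO2)` before the key is decrypted. Otherwise wipe the key before exiting, as `loadConfig` does for `pw`: `for i := range masterkey { masterkey[i] = 0 }` ahead of `os.Exit(exitcodes.Usage)`. A short comment saying why a password change is refused here (the unlock secret comes from the token, not a user password) would help the next reader.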