summaryrefslogtreecommitdiff
path: root/internal/configfile
diff options
context:
space:
mode:
Diffstat (limited to 'internal/configfile')
-rw-r--r--internal/configfile/config_file.go20
-rw-r--r--internal/configfile/config_test.go8
-rw-r--r--internal/configfile/feature_flags.go4
3 files changed, 26 insertions, 6 deletions
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go
index c27ecd4..e4921f7 100644
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@@ -10,12 +10,13 @@ import (
"log"
"syscall"
+ "os"
+
"github.com/rfjakob/gocryptfs/internal/contentenc"
"github.com/rfjakob/gocryptfs/internal/cryptocore"
"github.com/rfjakob/gocryptfs/internal/exitcodes"
"github.com/rfjakob/gocryptfs/internal/tlog"
)
-import "os"
const (
// ConfDefaultName is the default configuration file name.
@@ -28,6 +29,14 @@ const (
ConfReverseName = ".gocryptfs.reverse.conf"
)
+// FIDO2Params is a structure for storing FIDO2 parameters.
+type FIDO2Params struct {
+ // FIDO2 credential
+ CredentialID []byte
+ // FIDO2 hmac-secret salt
+ HMACSalt []byte
+}
+
// ConfFile is the content of a config file.
type ConfFile struct {
// Creator is the gocryptfs version string.
@@ -46,6 +55,8 @@ type ConfFile struct {
// mounting. This mechanism is analogous to the ext4 feature flags that are
// stored in the superblock.
FeatureFlags []string
+ // FIDO2 parameters
+ FIDO2 FIDO2Params
// Filename is the name of the config file. Not exported to JSON.
filename string
}
@@ -69,7 +80,7 @@ func randBytesDevRandom(n int) []byte {
// "password" and write it to "filename".
// Uses scrypt with cost parameter logN.
func Create(filename string, password []byte, plaintextNames bool,
- logN int, creator string, aessiv bool, devrandom bool) error {
+ logN int, creator string, aessiv bool, devrandom bool, fido2CredentialID []byte, fido2HmacSalt []byte) error {
var cf ConfFile
cf.filename = filename
cf.Creator = creator
@@ -89,6 +100,11 @@ func Create(filename string, password []byte, plaintextNames bool,
if aessiv {
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagAESSIV])
}
+ if len(fido2CredentialID) > 0 {
+ cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagFIDO2])
+ cf.FIDO2.CredentialID = fido2CredentialID
+ cf.FIDO2.HMACSalt = fido2HmacSalt
+ }
{
// Generate new random master key
var key []byte
diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go
index 832867c..ce35531 100644
--- a/internal/configfile/config_test.go
+++ b/internal/configfile/config_test.go
@@ -62,7 +62,7 @@ func TestLoadV2StrangeFeature(t *testing.T) {
}
func TestCreateConfDefault(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false)
+ err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false, nil, nil)
if err != nil {
t.Fatal(err)
}
@@ -83,14 +83,14 @@ func TestCreateConfDefault(t *testing.T) {
}
func TestCreateConfDevRandom(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true)
+ err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true, nil, nil)
if err != nil {
t.Fatal(err)
}
}
func TestCreateConfPlaintextnames(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false)
+ err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false, nil, nil)
if err != nil {
t.Fatal(err)
}
@@ -111,7 +111,7 @@ func TestCreateConfPlaintextnames(t *testing.T) {
// Reverse mode uses AESSIV
func TestCreateConfFileAESSIV(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false)
+ err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false, nil, nil)
if err != nil {
t.Fatal(err)
}
diff --git a/internal/configfile/feature_flags.go b/internal/configfile/feature_flags.go
index 2d609f2..5964a53 100644
--- a/internal/configfile/feature_flags.go
+++ b/internal/configfile/feature_flags.go
@@ -25,6 +25,9 @@ const (
// Note that this flag does not change the password hashing algorithm
// which always is scrypt.
FlagHKDF
+ // FlagFIDO2 means that "-fido2" was used when creating the filesystem.
+ // The masterkey is protected using a FIDO2 token instead of a password.
+ FlagFIDO2
)
// knownFlags stores the known feature flags and their string representation
@@ -37,6 +40,7 @@ var knownFlags = map[flagIota]string{
FlagAESSIV: "AESSIV",
FlagRaw64: "Raw64",
FlagHKDF: "HKDF",
+ FlagFIDO2: "FIDO2",
}
// Filesystems that do not have these feature flags set are deprecated.