fido2: drop -v option (PIN request)

We used to pass `-v` on `gocryptfs -init` but not for
mount, which seems strange by itself, but more importantly,
`-v` does not work on Yubikeys.

Drop `-v`.

Fixes https://github.com/rfjakob/gocryptfs/issues/571
Jakob Unterwurzacher 2021-06-27 11:17:29 +02:00
parent d6c8d892ff
commit 2a9d70d48f
2 changed files with 8 additions and 14 deletions


@ -208,6 +208,9 @@ RM: 2,367
Changelog Changelog
--------- ---------
v2.1 (IN PROGRESS)
* fido2: do not request PIN on `gocryptfs -init` ([#571](https://github.com/rfjakob/gocryptfs/issues/571))
v2.0.1, 2021-06-07 v2.0.1, 2021-06-07
* Fix symlink creation reporting the wrong size, causing git to report it as modified * Fix symlink creation reporting the wrong size, causing git to report it as modified
([#574](https://github.com/rfjakob/gocryptfs/issues/574)) ([#574](https://github.com/rfjakob/gocryptfs/issues/574))


@ -17,9 +17,8 @@ import (
type fidoCommand int type fidoCommand int
const ( const (
cred fidoCommand = iota cred fidoCommand = iota
assert fidoCommand = iota assert fidoCommand = iota
assertWithPIN fidoCommand = iota
) )
// String pretty-prints for debug output // String pretty-prints for debug output
@ -29,8 +28,6 @@ func (fc fidoCommand) String() string {
return "cred" return "cred"
case assert: case assert:
return "assert" return "assert"
case assertWithPIN:
return "assertWithPIN"
default: default:
return fmt.Sprintf("%d", fc) return fmt.Sprintf("%d", fc)
} }
@ -45,8 +42,6 @@ func callFidoCommand(command fidoCommand, device string, stdin []string) ([]stri
cmd = exec.Command("fido2-cred", "-M", "-h", "-v", device) cmd = exec.Command("fido2-cred", "-M", "-h", "-v", device)
case assert: case assert:
cmd = exec.Command("fido2-assert", "-G", "-h", device) cmd = exec.Command("fido2-assert", "-G", "-h", device)
case assertWithPIN:
cmd = exec.Command("fido2-assert", "-G", "-h", "-v", device)
} }
tlog.Debug.Printf("callFidoCommand %s: executing %q with args %q", command, cmd.Path, cmd.Args) tlog.Debug.Printf("callFidoCommand %s: executing %q with args %q", command, cmd.Path, cmd.Args)
cmd.Stderr = os.Stderr cmd.Stderr = os.Stderr
@ -92,15 +87,11 @@ func Secret(device string, credentialID []byte, salt []byte) (secret []byte) {
crid := base64.StdEncoding.EncodeToString(credentialID) crid := base64.StdEncoding.EncodeToString(credentialID)
hmacsalt := base64.StdEncoding.EncodeToString(salt) hmacsalt := base64.StdEncoding.EncodeToString(salt)
stdin := []string{cdh, relyingPartyID, crid, hmacsalt} stdin := []string{cdh, relyingPartyID, crid, hmacsalt}
// try asserting without PIN first // call fido2-assert
out, err := callFidoCommand(assert, device, stdin) out, err := callFidoCommand(assert, device, stdin)
if err != nil { if err != nil {
// if that fails, let's assert with PIN tlog.Fatal.Println(err)
out, err = callFidoCommand(assertWithPIN, device, stdin) os.Exit(exitcodes.FIDO2Error)
if err != nil {
tlog.Fatal.Println(err)
os.Exit(exitcodes.FIDO2Error)
}
} }
secret, err = base64.StdEncoding.DecodeString(out[4]) secret, err = base64.StdEncoding.DecodeString(out[4])
if err != nil { if err != nil {
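Review bot: The `cred` case in callFidoCommand still passes `-v` to fido2-cred on the new side (`exec.Command("fido2-cred", "-M", "-h", "-v", device)` is an unchanged context line), so as rendered here the commit removes only the `assertWithPIN` fallback and not the flag that the title and the changelog entry describe. If credential creation is the `gocryptfs -init` path, that line should become `cmd = exec.Command("fido2-cred", "-M", "-h", device)`; otherwise registration keeps asking for user verification while Secret never does. With the fallback gone, a failed assertion in Secret goes straight to `os.Exit(exitcodes.FIDO2Error)`, so the comment there could say so explicitly, e.g. `// call fido2-assert without -v; no PIN retry, any failure is fatal`. callFidoCommand and Secret both begin and end outside the hunks shown.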