kairos/kcrypt-challenger
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt-challenger.git synced 2025-04-27 19:35:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Extract method and simplify "if" logic

Browse Source 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
This commit is contained in:
Dimitris Karakasilis 2023-01-19 15:46:35 +02:00
parent 83f529b53d
commit eefd5f2c2c
No known key found for this signature in database
GPG Key ID: 286DCAFD2C97DDE3
1 changed files with 28 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
cmd/discovery/client/client.go
View File

@ -89,36 +89,41 @@ func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err er
return rand, err
}
}
for tries := 0; tries < attempts; tries++ {
var generated bool
pass, generated, err = getPass(challengeEndpoint, p)
if generated {
// Decode what the challenger server gave us
blob, err := base64.RawURLEncoding.DecodeString(pass)
if err != nil {
return "", err
}
// Decrypt and return it to unseal the LUKS volume
opts := []tpm.TPMOption{}
if c.Config.Kcrypt.Challenger.CIndex != "" {
opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
}
if c.Config.Kcrypt.Challenger.TPMDevice != "" {
opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
}
pass, err := tpm.DecodeBlob(blob, opts...)
return string(pass), err
if generated { // passphrase is encrypted
return c.decryptPassphrase(pass)
}
if pass != "" || err == nil {
if err == nil || err == errPartNotFound { // passphrase not encrypted or not available
return
}
if err == errPartNotFound {
return
}
// Otherwise, we might have a generic network error and we retry
time.Sleep(1 * time.Second)
time.Sleep(1 * time.Second) // network errors? retry
}
return
}
// decryptPassphrase decodes (base64) and decrypts the passphrase returned
// by the challenger server.
func (c *Client) decryptPassphrase(pass string) (string, error) {
blob, err := base64.RawURLEncoding.DecodeString(pass)
if err != nil {
return "", err
}
// Decrypt and return it to unseal the LUKS volume
opts := []tpm.TPMOption{}
if c.Config.Kcrypt.Challenger.CIndex != "" {
opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
}
if c.Config.Kcrypt.Challenger.TPMDevice != "" {
opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
}
passBytes, err := tpm.DecodeBlob(blob, opts...)
return string(passBytes), err
}