Don't print message if YubiKey is waiting for touch

The user call-to-action will instead be implemented on the client side,
where it can be done in a more forgiving way (allowing the user some
time to react before prompting them that it is waiting on the plugin).
This commit is contained in:
Jack Grigg
2022-05-01 00:10:12 +00:00
parent 1ad79cb577
commit 345c155bb4
3 changed files with 11 additions and 23 deletions
-2
@@ -164,8 +164,6 @@ plugin-err-pin-too-short = PIN was too short.
plugin-err-pin-too-long = PIN was too long. plugin-err-pin-too-long = PIN was too long.
plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yubikey_serial} plugin-err-pin-required = A PIN is required for {-yubikey} with serial {$yubikey_serial}
plugin-touch-yk = 👆 Please touch the {-yubikey}
## Errors ## Errors
err-custom-mgmt-key = Custom unprotected management keys are not supported. err-custom-mgmt-key = Custom unprotected management keys are not supported.
+10 -20
@@ -447,26 +447,16 @@ impl Connection {
Ok(Ok(())) Ok(Ok(()))
} }
pub(crate) fn unwrap_file_key<E>( pub(crate) fn unwrap_file_key(&mut self, line: &RecipientLine) -> Result<FileKey, ()> {
&mut self,
line: &RecipientLine,
callbacks: &mut dyn Callbacks<E>,
) -> io::Result<Result<FileKey, ()>> {
assert_eq!(self.tag, line.tag); assert_eq!(self.tag, line.tag);
// If the touch policy requires it, request a touch. // Check if the touch policy requires a touch.
let requested_touch = match ( let needs_touch = match (
self.cached_metadata.as_ref().and_then(|m| m.touch_policy), self.cached_metadata.as_ref().and_then(|m| m.touch_policy),
self.last_touch, self.last_touch,
) { ) {
(Some(TouchPolicy::Always), _) | (Some(TouchPolicy::Cached), None) => { (Some(TouchPolicy::Always), _) | (Some(TouchPolicy::Cached), None) => true,
callbacks.message(&fl!("plugin-touch-yk"))?.unwrap(); (Some(TouchPolicy::Cached), Some(last)) if last.elapsed() >= FIFTEEN_SECONDS => true,
true
}
(Some(TouchPolicy::Cached), Some(last)) if last.elapsed() >= FIFTEEN_SECONDS => {
callbacks.message(&fl!("plugin-touch-yk"))?.unwrap();
true
}
_ => false, _ => false,
}; };
@@ -479,11 +469,11 @@ impl Connection {
SlotId::Retired(self.slot), SlotId::Retired(self.slot),
) { ) {
Ok(res) => res, Ok(res) => res,
Err(_) => return Ok(Err(())), Err(_) => return Err(()),
}; };
// If we requested a touch and reached here, the user touched the YubiKey. // If we requested a touch and reached here, the user touched the YubiKey.
if requested_touch { if needs_touch {
if let Some(TouchPolicy::Cached) = if let Some(TouchPolicy::Cached) =
self.cached_metadata.as_ref().and_then(|m| m.touch_policy) self.cached_metadata.as_ref().and_then(|m| m.touch_policy)
{ {
@@ -500,10 +490,10 @@ impl Connection {
// A failure to decrypt is fatal, because we assume that we won't // A failure to decrypt is fatal, because we assume that we won't
// encounter 32-bit collisions on the key tag embedded in the header. // encounter 32-bit collisions on the key tag embedded in the header.
match aead_decrypt(&enc_key, FILE_KEY_BYTES, &line.encrypted_file_key) { match aead_decrypt(&enc_key, FILE_KEY_BYTES, &line.encrypted_file_key) {
Ok(pt) => Ok(Ok(TryInto::<[u8; FILE_KEY_BYTES]>::try_into(&pt[..]) Ok(pt) => Ok(TryInto::<[u8; FILE_KEY_BYTES]>::try_into(&pt[..])
.unwrap() .unwrap()
.into())), .into()),
Err(_) => Ok(Err(())), Err(_) => Err(()),
} }
} }
} }
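Review bot: With the prompt gone, the `Err(_) => return Err(())` arm in the second hunk now makes a YubiKey decrypt failure (which presumably includes the case where the user never touches the key and the device gives up) indistinguishable from the AEAD failure in the last hunk, since the new signature `pub(crate) fn unwrap_file_key(&mut self, line: &RecipientLine) -> Result<FileKey, ()>` carries no error detail; the caller in the third file can only treat both as "not this stanza" and the plugin emits no feedback at all. At minimum the signature should document this so the client-side call-to-action is built on the right assumption: `/// Returns \`Err(())\` both when the YubiKey rejects or aborts the decrypt operation (including an unanswered touch, if the device times out) and when the unwrapped file key fails to authenticate; callers cannot tell these apart.` If the client needs to distinguish a missing touch from a foreign stanza, replacing `()` with a small error enum (e.g. a device-error variant versus an authentication-failure variant) would be the cleaner follow-up, and the comment `// If we requested a touch and reached here, the user touched the YubiKey.` would then still hold only for the success path. The decrypt call that feeds the `Err(_)` arm begins between the first and second hunks, outside this view.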
+1 -1
@@ -222,7 +222,7 @@ impl IdentityPluginV1 for IdentityPlugin {
} }
for (stanza_index, line) in stanzas.iter().enumerate() { for (stanza_index, line) in stanzas.iter().enumerate() {
match conn.unwrap_file_key(line, &mut callbacks)? { match conn.unwrap_file_key(line) {
Ok(file_key) => { Ok(file_key) => {
// We've managed to decrypt this file! // We've managed to decrypt this file!
file_keys.entry(file_index).or_insert(Ok(file_key)); file_keys.entry(file_index).or_insert(Ok(file_key));