From 119ea0b111c9ca46fda32911c1c8c33b36aad3db Mon Sep 17 00:00:00 2001 From: Szczepan Zalega Date: Tue, 8 Nov 2016 18:58:17 +0100 Subject: Authorization fix: GetHOTP and WriteGeneralConfig + test Signed-off-by: Szczepan Zalega --- command_id.cc | 3 ++ include/stick10_commands_0.8.h | 83 +++++++++++++++++++++++++++++++++++++++++- unittest/test3.cc | 69 ++++++++++++++++++++++++++++++++--- 3 files changed, 149 insertions(+), 6 deletions(-) diff --git a/command_id.cc b/command_id.cc index 9512b7d..a93d05c 100644 --- a/command_id.cc +++ b/command_id.cc @@ -139,6 +139,9 @@ const char *commandid_to_string(CommandID id) { return "DETECT_SC_AES"; case CommandID::NEW_AES_KEY: return "NEW_AES_KEY"; + case CommandID::WRITE_TO_SLOT_2: + return "WRITE_TO_SLOT_2"; + break; } return "UNKNOWN"; } diff --git a/include/stick10_commands_0.8.h b/include/stick10_commands_0.8.h index 037a777..0c6633c 100644 --- a/include/stick10_commands_0.8.h +++ b/include/stick10_commands_0.8.h @@ -12,6 +12,7 @@ #include "inttypes.h" #include "command.h" #include "device_proto.h" +#include "stick10_commands.h" namespace nitrokey { namespace proto { @@ -20,6 +21,8 @@ namespace nitrokey { * Stick10 protocol definition */ namespace stick10_08 { + using stick10::FirstAuthenticate; + using stick10::UserAuthenticate; class EraseSlot : Command { public: @@ -117,20 +120,68 @@ namespace nitrokey { CommandTransaction; }; + class GetHOTP : Command { + public: + struct CommandPayload { + uint8_t temporary_user_password[25]; + uint8_t slot_number; + + bool isValid() const { return (slot_number & 0xF0); } + std::string dissect() const { + std::stringstream ss; + ss << "temporary_user_password:\t" << temporary_user_password << std::endl; + ss << "slot_number:\t" << (int)(slot_number) << std::endl; + return ss.str(); + } + } __packed; + + struct ResponsePayload { + union { + uint8_t whole_response[18]; //14 bytes reserved for config, but used only 1 + struct { + uint32_t code; + union{ + uint8_t _slot_config; + struct{ + bool use_8_digits : 1; + bool use_enter : 1; + bool use_tokenID : 1; + }; + }; + } __packed; + } __packed; + + bool isValid() const { return true; } + std::string dissect() const { + std::stringstream ss; + ss << "code:\t" << (code) << std::endl; + ss << "slot_config:\t" << std::bitset<8>((int)_slot_config) << std::endl; + ss << "\tuse_8_digits(0):\t" << use_8_digits << std::endl; + ss << "\tuse_enter(1):\t" << use_enter << std::endl; + ss << "\tuse_tokenID(2):\t" << use_tokenID << std::endl; + return ss.str(); + } + } __packed; + + typedef Transaction + CommandTransaction; + }; + class GetTOTP : Command { //user auth public: struct CommandPayload { + uint8_t temporary_user_password[25]; uint8_t slot_number; uint64_t challenge; uint64_t last_totp_time; uint8_t last_interval; - uint8_t user_temporary_password[25]; bool isValid() const { return !(slot_number & 0xF0); } std::string dissect() const { std::stringstream ss; + ss << "temporary_user_password:\t" << temporary_user_password << std::endl; ss << "slot_number:\t" << (int)(slot_number) << std::endl; ss << "challenge:\t" << (challenge) << std::endl; ss << "last_totp_time:\t" << (last_totp_time) << std::endl; @@ -172,6 +223,36 @@ namespace nitrokey { }; + class WriteGeneralConfig : Command { + //admin auth + public: + struct CommandPayload { + union{ + uint8_t config[5]; + struct{ + uint8_t numlock; /** 0-1: HOTP slot number from which the code will be get on double press, other value - function disabled */ + uint8_t capslock; /** same as numlock */ + uint8_t scrolllock; /** same as numlock */ + uint8_t enable_user_password; + uint8_t delete_user_password; + }; + }; + uint8_t temporary_admin_password[25]; + + std::string dissect() const { + std::stringstream ss; + ss << "numlock:\t" << (int)numlock << std::endl; + ss << "capslock:\t" << (int)capslock << std::endl; + ss << "scrolllock:\t" << (int)scrolllock << std::endl; + ss << "enable_user_password:\t" << (bool) enable_user_password << std::endl; + ss << "delete_user_password:\t" << (bool) delete_user_password << std::endl; + return ss.str(); + } + } __packed; + + typedef Transaction + CommandTransaction; + }; } } } diff --git a/unittest/test3.cc b/unittest/test3.cc index 6fab862..226e35c 100644 --- a/unittest/test3.cc +++ b/unittest/test3.cc @@ -16,15 +16,13 @@ const char * RFC_SECRET = "12345678901234567890"; #include #include "device_proto.h" #include "log.h" -#include "stick10_commands.h" #include "stick10_commands_0.8.h" //#include "stick20_commands.h" using namespace std; using namespace nitrokey::device; using namespace nitrokey::proto; -//using namespace nitrokey::proto::stick10_08; -using namespace nitrokey::proto::stick10; +using namespace nitrokey::proto::stick10_08; using namespace nitrokey::log; using namespace nitrokey::misc; @@ -39,6 +37,11 @@ void authorize(Stick10 &stick) { strcpy((char *) (authreq.card_password), default_admin_pin); strcpy((char *) (authreq.temporary_password), temporary_password); FirstAuthenticate::CommandTransaction::run(stick, authreq); + + auto user_auth = get_payload(); + strcpyT(user_auth.temporary_password, temporary_password); + strcpyT(user_auth.card_password, default_user_pin); + UserAuthenticate::CommandTransaction::run(stick, user_auth); } TEST_CASE("write slot", "[pronew]"){ @@ -46,7 +49,6 @@ TEST_CASE("write slot", "[pronew]"){ connect_and_setup(stick); auto p = get_payload(); -// p.slot_number = 0 + 0x10; strcpyT(p.slot_secret, RFC_SECRET); strcpyT(p.temporary_admin_password, temporary_password); p.use_8_digits = true; @@ -71,8 +73,65 @@ TEST_CASE("erase slot", "[pronew]"){ connect_and_setup(stick); authorize(stick); + auto p3 = get_payload(); + p3.slot_number = 0 + 0x10; + GetHOTP::CommandTransaction::run(stick, p3); + auto erase_payload = get_payload(); - erase_payload.slot_number = 1 + 0x10; + erase_payload.slot_number = 0 + 0x10; strcpyT(erase_payload.temporary_admin_password, temporary_password); stick10_08::EraseSlot::CommandTransaction::run(stick, erase_payload); + + auto p4 = get_payload(); + p4.slot_number = 0 + 0x10; + REQUIRE_THROWS( + GetHOTP::CommandTransaction::run(stick, p4) + ); +} + +TEST_CASE("write general config", "[pronew]") { + Stick10 stick; + connect_and_setup(stick); + authorize(stick); + + auto p = get_payload(); + p.enable_user_password = 1; + REQUIRE_THROWS( + WriteGeneralConfig::CommandTransaction::run(stick, p); + ); + strcpyT(p.temporary_admin_password, temporary_password); + WriteGeneralConfig::CommandTransaction::run(stick, p); +} + +TEST_CASE("authorize user OTP", "[pronew]") { + Stick10 stick; + connect_and_setup(stick); + authorize(stick); + + auto p = get_payload(); + p.enable_user_password = 1; + strcpyT(p.temporary_admin_password, temporary_password); + WriteGeneralConfig::CommandTransaction::run(stick, p); + + auto pw = get_payload(); + strcpyT(pw.slot_secret, RFC_SECRET); + strcpyT(pw.temporary_admin_password, temporary_password); + pw.use_8_digits = true; + WriteToHOTPSlot::CommandTransaction::run(stick, pw); + + auto pw2 = get_payload(); + strcpyT(pw2.temporary_admin_password, temporary_password); + pw2.slot_number = 0 + 0x10; + pw2.slot_counter = 0; + strcpyT(pw2.slot_name, "test name aaa"); + WriteToHOTPSlot_2::CommandTransaction::run(stick, pw2); + + auto p3 = get_payload(); + p3.slot_number = 0 + 0x10; + REQUIRE_THROWS( + GetHOTP::CommandTransaction::run(stick, p3); + ); + strcpyT(p3.temporary_user_password, temporary_password); + GetHOTP::CommandTransaction::run(stick, p3); + } \ No newline at end of file -- cgit v1.2.1