From 4e6d39e9aae54658eb68a739d9eff55ab797c204 Mon Sep 17 00:00:00 2001 From: Szczepan Zalega Date: Fri, 23 Feb 2018 09:37:31 +0100 Subject: Divide unencrypted volume ro/rw commands for backward compatibility Unencrypted volume ro/rw: rename user_admin_pin -> admin_pin to be consistent with latest API. Update description. Document PIN requirements in C++ API Extract pin type function Add C API for separate unencrypted volume read write handling Use correct commands to set ro/rw mode of unencrypted volume Signed-off-by: Szczepan Zalega --- NK_C_API.cc | 22 +++++++++++++---- NK_C_API.h | 43 ++++++++++++++++++++++++++------- NitrokeyManager.cc | 60 +++++++++++++++++++++++++++++++++++++---------- include/NitrokeyManager.h | 55 +++++++++++++++++++++++++++++++++++++++---- 4 files changed, 149 insertions(+), 31 deletions(-) diff --git a/NK_C_API.cc b/NK_C_API.cc index 8ce318f..f881caf 100644 --- a/NK_C_API.cc +++ b/NK_C_API.cc @@ -495,17 +495,31 @@ extern "C" { }); } - NK_C_API int NK_set_unencrypted_read_only(const char* user_admin_pin) { + NK_C_API int NK_set_unencrypted_read_only(const char *user_pin) { auto m = NitrokeyManager::instance(); return get_without_result([&]() { - m->set_unencrypted_read_only(user_admin_pin); + m->set_unencrypted_read_only(user_pin); }); } - NK_C_API int NK_set_unencrypted_read_write(const char* user_admin_pin) { + NK_C_API int NK_set_unencrypted_read_write(const char *user_pin) { auto m = NitrokeyManager::instance(); return get_without_result([&]() { - m->set_unencrypted_read_write(user_admin_pin); + m->set_unencrypted_read_write(user_pin); + }); + } + + NK_C_API int NK_set_unencrypted_read_only_admin(const char *admin_pin) { + auto m = NitrokeyManager::instance(); + return get_without_result([&]() { + m->set_unencrypted_read_only_admin(admin_pin); + }); + } + + NK_C_API int NK_set_unencrypted_read_write_admin(const char *admin_pin) { + auto m = NitrokeyManager::instance(); + return get_without_result([&]() { + m->set_unencrypted_read_write_admin(admin_pin); }); } diff --git a/NK_C_API.h b/NK_C_API.h index 9ab29b5..73022b2 100644 --- a/NK_C_API.h +++ b/NK_C_API.h @@ -428,28 +428,55 @@ extern "C" { * Make unencrypted volume read-only. * Device hides unencrypted volume for a second therefore make sure * buffers are flushed before running. - * Accepts: User PIN for Storage v0.48 and below, Admin PIN for Storage v0.49+ + * Does nothing if firmware version is not matched + * Firmware range: Storage v0.50, v0.48 and below * Storage only - * @param user_admin_pin 20 characters + * @param user_pin 20 characters User PIN * @return command processing error code */ - NK_C_API int NK_set_unencrypted_read_only(const char* user_admin_pin); + NK_C_API int NK_set_unencrypted_read_only(const char *user_pin); /** * Make unencrypted volume read-write. * Device hides unencrypted volume for a second therefore make sure * buffers are flushed before running. - * Accepts: User PIN for Storage v0.48 and below, Admin PIN for Storage v0.49+ + * Does nothing if firmware version is not matched + * Firmware range: Storage v0.50, v0.48 and below * Storage only - * @param user_admin_pin 20 characters + * @param user_pin 20 characters User PIN * @return command processing error code */ - NK_C_API int NK_set_unencrypted_read_write(const char* user_admin_pin); + NK_C_API int NK_set_unencrypted_read_write(const char *user_pin); + + /** + * Make unencrypted volume read-only. + * Device hides unencrypted volume for a second therefore make sure + * buffers are flushed before running. + * Does nothing if firmware version is not matched + * Firmware range: Storage v0.49, v0.51+ + * Storage only + * @param admin_pin 20 characters Admin PIN + * @return command processing error code + */ + NK_C_API int NK_set_unencrypted_read_only_admin(const char* admin_pin); + + /** + * Make unencrypted volume read-write. + * Device hides unencrypted volume for a second therefore make sure + * buffers are flushed before running. + * Does nothing if firmware version is not matched + * Firmware range: Storage v0.49, v0.51+ + * Storage only + * @param admin_pin 20 characters Admin PIN + * @return command processing error code + */ + NK_C_API int NK_set_unencrypted_read_write_admin(const char* admin_pin); /** * Make encrypted volume read-only. * Device hides encrypted volume for a second therefore make sure * buffers are flushed before running. + * Firmware range: v0.49 only, future (see firmware release notes) * Storage only * @param admin_pin 20 characters * @return command processing error code @@ -460,15 +487,13 @@ extern "C" { * Make encrypted volume read-write. * Device hides encrypted volume for a second therefore make sure * buffers are flushed before running. + * Firmware range: v0.49 only, future (see firmware release notes) * Storage only * @param admin_pin 20 characters * @return command processing error code */ NK_C_API int NK_set_encrypted_read_write(const char* admin_pin); - - - /** * Exports device's firmware to unencrypted volume. * Storage only diff --git a/NitrokeyManager.cc b/NitrokeyManager.cc index fff5d64..f912c7c 100644 --- a/NitrokeyManager.cc +++ b/NitrokeyManager.cc @@ -771,6 +771,8 @@ using nitrokey::misc::strcpyT; case DeviceModel::STORAGE:{ auto status = stick20::GetDeviceStatus::CommandTransaction::run(device); auto test_firmware = status.data().versionInfo.build_iteration != 0; + if (test_firmware) + LOG("Development firmware detected. Increasing minor version number.", nitrokey::log::Loglevel::WARNING); return status.data().versionInfo.minor + (test_firmware? 1 : 0); } } @@ -834,23 +836,55 @@ using nitrokey::misc::strcpyT; stick20::SetupHiddenVolume::CommandTransaction::run(device, p); } - void NitrokeyManager::set_unencrypted_read_only(const char* user_admin_pin) { - //until 0.48 User PIN was sufficient, from 0.49 it needs Admin PIN - if (get_minor_firmware_version()<=48) - misc::execute_password_command(device, user_admin_pin); - else - misc::execute_password_command(device, user_admin_pin); + void NitrokeyManager::set_unencrypted_read_only_admin(const char* admin_pin) { + //from v0.49, v0.51+ it needs Admin PIN + if (set_unencrypted_volume_rorw_pin_type_user(get_minor_firmware_version())){ + LOG("set_unencrypted_read_only_admin is not supported for this version of Storage device. " + "Please update firmware to v0.51+", nitrokey::log::Loglevel::WARNING); + return; + } + misc::execute_password_command(device, admin_pin); + } + + void NitrokeyManager::set_unencrypted_read_only(const char *user_pin) { + //until v0.48 (incl. v0.50) User PIN was sufficient + LOG("set_unencrypted_read_only is deprecated. Use set_unencrypted_read_only_admin instead.", + nitrokey::log::Loglevel::WARNING); + if (!set_unencrypted_volume_rorw_pin_type_user(get_minor_firmware_version())){ + LOG("set_unencrypted_read_only is not supported for this version of Storage device. Doing nothing.", + nitrokey::log::Loglevel::WARNING); + return; + } + misc::execute_password_command(device, user_pin); + } + + void NitrokeyManager::set_unencrypted_read_write_admin(const char* admin_pin) { + //from v0.49, v0.51+ it needs Admin PIN + if (set_unencrypted_volume_rorw_pin_type_user(get_minor_firmware_version())){ + LOG("set_unencrypted_read_write_admin is not supported for this version of Storage device. " + "Please update firmware to v0.51+.", nitrokey::log::Loglevel::WARNING); + return; + } + misc::execute_password_command(device, admin_pin); + } + + void NitrokeyManager::set_unencrypted_read_write(const char *user_pin) { + //until v0.48 (incl. v0.50) User PIN was sufficient + LOG("set_unencrypted_read_write is deprecated. Use set_unencrypted_read_write_admin instead.", + nitrokey::log::Loglevel::WARNING); + if (!set_unencrypted_volume_rorw_pin_type_user(get_minor_firmware_version())){ + LOG("set_unencrypted_read_write is not supported for this version of Storage device. Doing nothing.", + nitrokey::log::Loglevel::WARNING); + return; + } + misc::execute_password_command(device, user_pin); } - void NitrokeyManager::set_unencrypted_read_write(const char* user_admin_pin) { - //until 0.48 User PIN was sufficient, from 0.49 it needs Admin PIN - if (get_minor_firmware_version()<=48) - misc::execute_password_command(device, user_admin_pin); - else - misc::execute_password_command(device, user_admin_pin); + bool NitrokeyManager::set_unencrypted_volume_rorw_pin_type_user(const int minor_firmware_version) const { + return minor_firmware_version <= 48 || minor_firmware_version == 50; } - void NitrokeyManager::export_firmware(const char* admin_pin) { + void NitrokeyManager::export_firmware(const char* admin_pin) { misc::execute_password_command(device, admin_pin); } diff --git a/include/NitrokeyManager.h b/include/NitrokeyManager.h index 12aae0d..08da8ba 100644 --- a/include/NitrokeyManager.h +++ b/include/NitrokeyManager.h @@ -126,9 +126,37 @@ char * strndup(const char* str, size_t maxlen); void unlock_hidden_volume(const char *hidden_volume_password); void lock_hidden_volume(); - void set_unencrypted_read_only(const char *user_admin_pin); - - void set_unencrypted_read_write(const char *user_admin_pin); + /** + * Sets unencrypted volume read-only. + * Works until v0.48 (incl. v0.50), where User PIN was sufficient + * Does nothing otherwise. + * @param user_pin User PIN + */ + void set_unencrypted_read_only(const char *user_pin); + + /** + * Sets unencrypted volume read-only. + * Works from v0.49 (except v0.50) accepts Admin PIN + * Does nothing otherwise. + * @param admin_pin Admin PIN + */ + void set_unencrypted_read_only_admin(const char *admin_pin); + + /** + * Sets unencrypted volume read-write. + * Works until v0.48 (incl. v0.50), where User PIN was sufficient + * Does nothing otherwise. + * @param user_pin User PIN + */ + void set_unencrypted_read_write(const char *user_pin); + + /** + * Sets unencrypted volume read-write. + * Works from v0.49 (except v0.50) accepts Admin PIN + * Does nothing otherwise. + * @param admin_pin Admin PIN + */ + void set_unencrypted_read_write_admin(const char *admin_pin); void export_firmware(const char *admin_pin); void enable_firmware_update(const char *firmware_pin); @@ -203,13 +231,30 @@ char * strndup(const char* str, size_t maxlen); void set_loglevel(int loglevel); - void set_encrypted_volume_read_only(const char *admin_pin); + /** + * Sets encrypted volume read-only. + * Supported from future versions of Storage. + * @param admin_pin Admin PIN + */ + void set_encrypted_volume_read_only(const char *admin_pin); - void set_encrypted_volume_read_write(const char *admin_pin); + /** + * Sets encrypted volume read-write. + * Supported from future versions of Storage. + * @param admin_pin Admin PIN + */ + void set_encrypted_volume_read_write(const char *admin_pin); int get_major_firmware_version(); bool is_smartcard_in_use(); + + /** + * Function to determine unencrypted volume PIN type + * @param minor_firmware_version + * @return Returns true, if set unencrypted volume ro/rw pin type is User, false otherwise. + */ + bool set_unencrypted_volume_rorw_pin_type_user(int minor_firmware_version) const; }; } -- cgit v1.2.1