From 59ae52487d142fb2b13407419351255c667faa14 Mon Sep 17 00:00:00 2001 From: Szczepan Zalega Date: Sat, 13 May 2017 01:15:26 +0200 Subject: Do not log volatile data Signed-off-by: Szczepan Zalega --- include/stick10_commands.h | 73 +++++++++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 36 deletions(-) (limited to 'include/stick10_commands.h') diff --git a/include/stick10_commands.h b/include/stick10_commands.h index 74b73a8..af8d2bd 100644 --- a/include/stick10_commands.h +++ b/include/stick10_commands.h @@ -119,8 +119,7 @@ class WriteToHOTPSlot : Command { std::stringstream ss; ss << "slot_number:\t" << (int)(slot_number) << std::endl; ss << "slot_name:\t" << slot_name << std::endl; - ss << "slot_secret:" << std::endl - << ::nitrokey::misc::hexdump((const char *)(&slot_secret), sizeof slot_secret); + print_to_ss_volatile(slot_secret); ss << "slot_config:\t" << std::bitset<8>((int)_slot_config) << std::endl; ss << "\tuse_8_digits(0):\t" << use_8_digits << std::endl; ss << "\tuse_enter(1):\t" << use_enter << std::endl; @@ -171,7 +170,7 @@ class WriteToTOTPSlot : Command { std::stringstream ss; ss << "slot_number:\t" << (int)(slot_number) << std::endl; ss << "slot_name:\t" << slot_name << std::endl; - ss << "slot_secret:\t" << slot_secret << std::endl; + print_to_ss_volatile(slot_secret); ss << "slot_config:\t" << std::bitset<8>((int)_slot_config) << std::endl; ss << "slot_token_id:\t"; for (auto i : slot_token_id) @@ -505,7 +504,7 @@ class GetPasswordSafeSlotPassword bool isValid() const { return true; } std::string dissect() const { std::stringstream ss; - ss << " slot_password\t" << (const char*) slot_password << std::endl; + print_to_ss_volatile(slot_password); return ss.str(); } } __packed; 
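Review bot: In the WriteToHOTPSlot hunk the length-bounded `hexdump(..., sizeof slot_secret)` is replaced by `print_to_ss_volatile(slot_secret)`, which in a LOG_VOLATILE_DATA build streams the field through `operator<<` (see the macro definition in include/command.h further down this page). If slot_secret is a byte array, as the old `sizeof` dump suggests, that debug output stops at the first zero byte and reads past the field when no terminator is present. The password buffers in the GetPasswordSafeSlotPassword hunk and the later password/PIN hunks already had this unbounded string print via `(const char*)` before the change, and keep it in debug builds. A bounded dump in the debug branch avoids both problems, e.g. keep `::nitrokey::misc::hexdump((const char *)(&slot_secret), sizeof slot_secret)` under `#ifdef LOG_VOLATILE_DATA`. The dissect() bodies and field declarations start outside these hunks.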
@@ -534,7 +533,7 @@ class GetPasswordSafeSlotLogin bool isValid() const { return true; } std::string dissect() const { std::stringstream ss; - ss << " slot_login\t" << (const char*) slot_login << std::endl; + print_to_ss_volatile(slot_login); return ss.str(); } } __packed; @@ -555,7 +554,7 @@ class SetPasswordSafeSlotData : Command { std::stringstream ss; ss << " slot_number\t" << (int)slot_number << std::endl; ss << " slot_name\t" << (const char*) slot_name << std::endl; - ss << " slot_password\t" << (const char*) slot_password << std::endl; + print_to_ss_volatile(slot_password); return ss.str(); } } __packed; @@ -572,10 +571,10 @@ class SetPasswordSafeSlotData2 : Command { bool isValid() const { return !(slot_number & 0xF0); } std::string dissect() const { - std::stringstream ss; - ss << " slot_number\t" << (int)slot_number << std::endl; - ss << " slot_login_name\t" << (const char*) slot_login_name << std::endl; - return ss.str(); + std::stringstream ss; + ss << " slot_number\t" << (int)slot_number << std::endl; + print_to_ss_volatile(slot_login_name); + return ss.str(); } } __packed; @@ -609,7 +608,7 @@ class EnablePasswordSafe : Command { bool isValid() const { return true; } std::string dissect() const { std::stringstream ss; - ss << " user_password\t" << (const char*) user_password << std::endl; + print_to_ss_volatile(user_password); return ss.str(); } } __packed; @@ -683,7 +682,7 @@ class FirstAuthenticate : Command { std::string dissect() const { std::stringstream ss; - ss << "card_password:\t" << card_password << std::endl; + print_to_ss_volatile(card_password); ss << "temporary_password:\t" << temporary_password << std::endl; return ss.str(); } 
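Review bot: `temporary_password` is still streamed in clear on the context line right after the now-masked `card_password` in the FirstAuthenticate hunk, and the UserAuthenticate hunk that follows keeps the same line. The value appears to be a session credential, so anyone who can read the log could presumably reuse it while the session lasts; confirm whether it belongs with the volatile data this commit hides. If it does, `print_to_ss_volatile(temporary_password);` would match the rest of the change. The field declaration is outside the hunk, so its type and length are not visible here.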
@@ -701,10 +700,10 @@ class UserAuthenticate : Command { bool isValid() const { return true; } std::string dissect() const { - std::stringstream ss; - ss << "card_password:\t" << card_password << std::endl; - ss << "temporary_password:\t" << temporary_password << std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(card_password); + ss << "temporary_password:\t" << temporary_password << std::endl; + return ss.str(); } } __packed; @@ -753,9 +752,10 @@ class UnlockUserPassword : Command { uint8_t admin_password[25]; uint8_t user_new_password[25]; std::string dissect() const { - std::stringstream ss; - ss << " admin_password:\t" << admin_password<< std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(admin_password); + print_to_ss_volatile(user_new_password); + return ss.str(); } } __packed; @@ -769,10 +769,10 @@ class ChangeUserPin : Command { uint8_t old_pin[25]; uint8_t new_pin[25]; std::string dissect() const { - std::stringstream ss; - ss << " old_pin:\t" << old_pin<< std::endl; - ss << " new_pin:\t" << new_pin<< std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(old_pin); + print_to_ss_volatile(new_pin); + return ss.str(); } } __packed; @@ -785,9 +785,9 @@ class IsAESSupported : Command { struct CommandPayload { uint8_t user_password[20]; std::string dissect() const { - std::stringstream ss; - ss << " user_password:\t" << user_password<< std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(user_password); + return ss.str(); } } __packed; 
@@ -795,16 +795,17 @@ class IsAESSupported : Command { CommandTransaction; }; + class ChangeAdminPin : Command { public: struct CommandPayload { uint8_t old_pin[25]; uint8_t new_pin[25]; std::string dissect() const { - std::stringstream ss; - ss << " old_pin:\t" << old_pin<< std::endl; - ss << " new_pin:\t" << new_pin<< std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(old_pin); + print_to_ss_volatile(new_pin); + return ss.str(); } } __packed; @@ -823,9 +824,9 @@ class FactoryReset : Command { struct CommandPayload { uint8_t admin_password[20]; std::string dissect() const { - std::stringstream ss; - ss << " admin_password:\t" << admin_password<< std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(admin_password); + return ss.str(); } } __packed; @@ -838,9 +839,9 @@ class BuildAESKey : Command { struct CommandPayload { uint8_t admin_password[20]; std::string dissect() const { - std::stringstream ss; - ss << " admin_password:\t" << admin_password<< std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(admin_password); + return ss.str(); } } __packed; -- cgit v1.2.3 From 79b616830381d0ea5f89e920b55f154d2e7e06ce Mon Sep 17 00:00:00 2001 From: Szczepan Zalega Date: Sat, 13 May 2017 10:09:02 +0200 Subject: Assume slot_names are volatile data Signed-off-by: Szczepan Zalega --- include/stick10_commands.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'include/stick10_commands.h') diff --git a/include/stick10_commands.h b/include/stick10_commands.h index af8d2bd..b38ea06 100644 --- a/include/stick10_commands.h +++ b/include/stick10_commands.h @@ -39,9 +39,9 @@ class GetSlotName : public Command { bool isValid() const { return true; } std::string dissect() const { - std::stringstream ss; - ss << "slot_name:\t" << slot_name << std::endl; - return ss.str(); + std::stringstream ss; + print_to_ss_volatile(slot_name); + return ss.str(); } } __packed; 
@@ -118,7 +118,7 @@ class WriteToHOTPSlot : Command { std::string dissect() const { std::stringstream ss; ss << "slot_number:\t" << (int)(slot_number) << std::endl; - ss << "slot_name:\t" << slot_name << std::endl; + print_to_ss_volatile(slot_name); print_to_ss_volatile(slot_secret); ss << "slot_config:\t" << std::bitset<8>((int)_slot_config) << std::endl; ss << "\tuse_8_digits(0):\t" << use_8_digits << std::endl; @@ -169,7 +169,7 @@ class WriteToTOTPSlot : Command { std::string dissect() const { std::stringstream ss; ss << "slot_number:\t" << (int)(slot_number) << std::endl; - ss << "slot_name:\t" << slot_name << std::endl; + print_to_ss_volatile(slot_name); print_to_ss_volatile(slot_secret); ss << "slot_config:\t" << std::bitset<8>((int)_slot_config) << std::endl; ss << "slot_token_id:\t"; @@ -323,7 +323,7 @@ class ReadSlot : Command { std::string dissect() const { std::stringstream ss; - ss << "slot_name:\t" << slot_name << std::endl; + print_to_ss_volatile(slot_name); ss << "slot_config:\t" << std::bitset<8>((int)_slot_config) << std::endl; ss << "\tuse_8_digits(0):\t" << use_8_digits << std::endl; ss << "\tuse_enter(1):\t" << use_enter << std::endl; @@ -475,7 +475,7 @@ class GetPasswordSafeSlotName : Command { bool isValid() const { return true; } std::string dissect() const { std::stringstream ss; - ss << " slot_name\t" << (const char*) slot_name << std::endl; + print_to_ss_volatile(slot_name); return ss.str(); } } __packed; @@ -553,7 +553,7 @@ class SetPasswordSafeSlotData : Command { std::string dissect() const { std::stringstream ss; ss << " slot_number\t" << (int)slot_number << std::endl; - ss << " slot_name\t" << (const char*) slot_name << std::endl; + print_to_ss_volatile(slot_name); print_to_ss_volatile(slot_password); return ss.str(); } -- cgit v1.2.3 From 1634bddb91323753546e6fe475d70d41dd79faee Mon Sep 17 00:00:00 2001 
From: Szczepan Zalega Date: Sat, 13 May 2017 14:20:40 +0200 Subject: Log temporary password as hexdump instead of string representation Signed-off-by: Szczepan Zalega --- include/command.h | 4 +++- include/stick10_commands.h | 8 ++++---- include/stick10_commands_0.8.h | 12 +++++++----- 3 files changed, 14 insertions(+), 10 deletions(-) (limited to 'include/stick10_commands.h') diff --git a/include/command.h b/include/command.h index bf3cb4e..3f711c0 100644 --- a/include/command.h +++ b/include/command.h @@ -6,10 +6,12 @@ #define print_to_ss(x) ( ss << " " << (#x) <<":\t" << (x) << std::endl ); #ifdef LOG_VOLATILE_DATA -#define print_to_ss_volatile(x) ( ss << " " << (#x) <<":\t" << (x) << std::endl ); +#define print_to_ss_volatile(x) print_to_ss(x); #else #define print_to_ss_volatile(x) ( ss << " " << (#x) <<":\t" << "***********" << std::endl ); #endif +#define hexdump_to_ss(x) (ss << #x":\n"\ + << ::nitrokey::misc::hexdump((const char *) (&x), sizeof x, false)); namespace nitrokey { namespace proto { diff --git a/include/stick10_commands.h b/include/stick10_commands.h index b38ea06..e863328 100644 --- a/include/stick10_commands.h +++ b/include/stick10_commands.h @@ -683,7 +683,7 @@ class FirstAuthenticate : Command { std::string dissect() const { std::stringstream ss; print_to_ss_volatile(card_password); - ss << "temporary_password:\t" << temporary_password << std::endl; + hexdump_to_ss(temporary_password); return ss.str(); } } __packed; @@ -702,7 +702,7 @@ class UserAuthenticate : Command { std::string dissect() const { std::stringstream ss; print_to_ss_volatile(card_password); - ss << "temporary_password:\t" << temporary_password << std::endl; + hexdump_to_ss(temporary_password); return ss.str(); } } __packed; 
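Review bot: `hexdump_to_ss` is defined after the `#endif` in include/command.h, so unlike `print_to_ss_volatile` it writes the bytes whether or not LOG_VOLATILE_DATA is set. Every use in this commit is a temporary password (`temporary_password`, `temporary_admin_password`, `temporary_user_password`). If those are session secrets, builds without the flag now log them in full as hex. Consider defining the hexdump form inside the `#ifdef LOG_VOLATILE_DATA` branch and adding `#define hexdump_to_ss(x) print_to_ss_volatile(x)` to the `#else` branch, or introducing a separately named gated variant if unmasked hexdumps are needed elsewhere. Separately, the macro expands `&x` and `sizeof x` without parentheses around the argument and, like its neighbours, relies on a local named `ss` and carries its own trailing `;`; a short comment above the macros stating that contract would help.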
@@ -720,7 +720,7 @@ class Authorize : Command { std::string dissect() const { std::stringstream ss; ss << " crc_to_authorize:\t" << std::hex << std::setw(2) << std::setfill('0') << crc_to_authorize<< std::endl; - ss << " temporary_password:\t" << temporary_password<< std::endl; + hexdump_to_ss(temporary_password); return ss.str(); } } __packed; @@ -737,7 +737,7 @@ class UserAuthorize : Command { std::string dissect() const { std::stringstream ss; ss << " crc_to_authorize:\t" << crc_to_authorize<< std::endl; - ss << " temporary_password:\t" << temporary_password<< std::endl; + hexdump_to_ss(temporary_password); return ss.str(); } } __packed; diff --git a/include/stick10_commands_0.8.h b/include/stick10_commands_0.8.h index 3aa60e3..4209380 100644 --- a/include/stick10_commands_0.8.h +++ b/include/stick10_commands_0.8.h @@ -9,13 +9,14 @@ #include #include #include -#include +#include #include "command.h" #include "device_proto.h" #include "stick10_commands.h" #pragma pack (push,1) + namespace nitrokey { namespace proto { @@ -59,6 +60,7 @@ namespace nitrokey { std::string dissect() const { std::stringstream ss; ss << "slot_number:\t" << (int)(slot_number) << std::endl; + hexdump_to_ss(temporary_admin_password); return ss.str(); } } __packed; @@ -87,7 +89,7 @@ namespace nitrokey { std::string dissect() const { std::stringstream ss; - ss << "temporary_admin_password:\t" << temporary_admin_password << std::endl; + hexdump_to_ss(temporary_admin_password); ss << "type:\t" << type << std::endl; ss << "id:\t" << (int)id << std::endl; #ifdef LOG_VOLATILE_DATA @@ -156,7 +158,7 @@ namespace nitrokey { std::string dissect() const { std::stringstream ss; - ss << "temporary_admin_password:\t" << temporary_admin_password << std::endl; + hexdump_to_ss(temporary_admin_password); ss << "slot_config:\t" << std::bitset<8>((int) _slot_config) << std::endl; ss << "\tuse_8_digits(0):\t" << use_8_digits << std::endl; ss << "\tuse_enter(1):\t" << use_enter << std::endl; 
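Review bot: The `@@ -59,6 +60,7 @@` hunk of include/stick10_commands_0.8.h adds `hexdump_to_ss(temporary_admin_password);` to a dissect() whose visible lines previously logged only `slot_number`, so this command's log output now carries the temporary admin password where it did not before. The `#ifdef LOG_VOLATILE_DATA` context line in the next hunk shows the file already gates some output on that flag. Unless the value is needed for debugging in every build, `print_to_ss_volatile(temporary_admin_password);` or the same `#ifdef` guard would keep it out of ordinary logs. The same unconditional dump is applied to `temporary_user_password` in the hunks at -192 and -244. The enclosing structs start outside the hunks.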
@@ -192,7 +194,7 @@ namespace nitrokey { bool isValid() const { return (slot_number & 0xF0); } std::string dissect() const { std::stringstream ss; - ss << "temporary_user_password:\t" << temporary_user_password << std::endl; + hexdump_to_ss(temporary_user_password); ss << "slot_number:\t" << (int)(slot_number) << std::endl; return ss.str(); } @@ -244,7 +246,7 @@ namespace nitrokey { bool isValid() const { return !(slot_number & 0xF0); } std::string dissect() const { std::stringstream ss; - ss << "temporary_user_password:\t" << temporary_user_password << std::endl; + hexdump_to_ss(temporary_user_password); ss << "slot_number:\t" << (int)(slot_number) << std::endl; ss << "challenge:\t" << (challenge) << std::endl; ss << "last_totp_time:\t" << (last_totp_time) << std::endl; -- cgit v1.2.3