|  | Commit message (Collapse) | Author | Age | 
|---|
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | This change removes the explicit change of the global allocator to the
system allocator that we introduced a while back.
The reason this was needed in the past was due to Rust's use of jemalloc
in the default configuration, which increases binary size quite
significantly. However, with Rust issue #36963 fixed, jemalloc is now an
explicit opt-in and the system allocator is the default choice --
rendering our explicit change rather pointless. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | When the gpg-connect-agent binary is not available on the system we
report an error that is really only hinting at the problem and without
knowing internals it is hard to guess what may be wrong:
  $ nitrocli pws get 0
  > IO error: No such file or directory (os error 2)
This change adjusts the code to make the error less ambiguous and more
to the point. | 
| | 
| 
| 
| 
| 
| 
| | This change adds support for changing the read-write mode of the
unencrypted volume. To do so, we introduce a new top-level command,
unencrypted, with a new subcommand, set, that accepts the new mode of
the volume. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | This change rewords the error message that is emitted if the lock
command fails. The old message was incorrectly stating a problem with
the retrieval of the device's status.
While at it, also slightly rephrase the description for the hidden
command to be more in line with that of the other storage commands, and
replace lowercase 'nitrokey' with a capitalized one in a few comments. | 
| | 
| 
| 
| 
| 
| 
| | The --ascii option of the otp set subcommand has been deprecated a while
in favor of --format. As the next release is slated to be a major one
breaking backwards compatibility, this change removes this option for
good. | 
| | 
| 
| 
| 
| 
| 
| 
| | This change is the last step in the process of restructuring the storage
command. In particular, now that functionality pertaining hidden volumes
has been moved out into a dedicated top-level command, it renames said
command to encrypted, because dealing with the encrypted volume is the
only functionality it provides. | 
| | 
| 
| 
| 
| 
| | This patch marks the next step in the process of restructuring the
storage command. Specifically, it promotes the storage hidden subcommand
to a top-level command, hidden. | 
| | 
| 
| 
| 
| 
| 
| 
| | In an attempt to rework the structure of the storage command to better
accommodate future requirements for allowing to change the read-write
state of the unencrypted volume (as well as potentially the encrypted
one), this change removes the storage status subcommand and merges its
output into the storage command. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | This change bumps the version of the crate to 0.2.4. The following
notable changes have been made since 0.2.3:
- Added the reset command to perform a factory reset
- Added the -V/--version option to print the program's version
- Check the status of a PWS slot before accessing it in pws get
- Added NITROCLI_NO_CACHE environment variable to bypass caching of
  secrets
- Clear cached PIN entry as part of pin set command to prevent
  spurious authentication failures
- Bumped libc dependency to 0.2.57
- Bumped cc dependency to 1.0.37 | 
| | 
| 
| 
| 
| 
| | This change updates the libc crate to version 0.2.57.
Import subrepo libc/:libc at cdc48ea36d8d2890dba38e8f779001e6855339a2 | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | When a PIN is changed using the pin set command, the last action is to
confirm the operation with the previously used PIN. This step will cause
this PIN, which is now stale and no longer valid, to be cached, which in
turn can cause follow up command using the same PIN type to use this
wrong cached entry for authentication.
To fix this problem, this change explicitly clear the PIN entry from the
cache after the PIN has been changed. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | So far we have cached secrets in gpg-agent(1) whenever that made sense
to do (i.e., for the two PINs in most contexts but not for passwords).
While there is reason to believe that such caching is desired by the
majority of users, not everybody has a use for it.
To give users an opportunity to opt out of such caching, this change
introduces a new environment variable, NITROCLI_NO_CACHE, that, when
present in the environment, instructs the program to bypass the cache
for all operations that require a secret and to instead inquire such
secrets each time they are needed. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | The input to the Enum macro is supposed to resemble the definition of an
enum in Rust code. When manually defining an enum (or a struct for that
matter), we typically terminate all branches with a comma, and don't
just omit that on the last line.
To mirror this behavior, this change adjusts the Enum macro to accept
(and in fact, require) a comma-terminated last line as well, as opposed
to not accepting it as had been the case so far. | 
| | 
| 
| 
| 
| 
| | This change updates the cc crate to version 1.0.37.
Import subrepo cc/:cc at cbf6d2f1312b6be22a7a363cf5c2a02acabc531f | 
| | 
| 
| 
| 
| 
| | This change updates the libc crate to version 0.2.55.
Import subrepo libc/:libc at caf17a0641d29dc624621177f5756804dd180c13 | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | Macros typically should reference types by their full path and not
assume that they are in scope wherever the macro is expanded. We did
missed one spot where AsRef was not fully qualified in the Enum macro.
While that is not much of an issue here (and there may be more
occurrences, e.g., in the auto derives) lets fix that up for the sake of
consistency. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | With Rust 1.35 we get compile errors due to doc comments that are added
to macro invocations but not actually included in the expanded output.
The rustc wrongly assumes that we want to document the resulting code
and not just provide details about the invocation itself.
This change explicitly allows for those cases. Alternatively we could
have "downgraded" the doc comments to normal comments or removed them
altogether. There is little difference between those alternatives. | 
| | 
| 
| 
| 
| | This change adds a test case for the -V/--version option to the suite of
tests. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Due to a bug in argparse [0], custom stdout and stderr settings are
ignored when using argparse::Print, as we currently do for the --version
option. This patch adds a workaround for this problem: Instead of using
argparse::Print, we use argparse::StoreTrue for the --version option.
The argument parsing will fail as the command is missing, but the
version variable will still be set to true if the version option was
set. So we ignore the parsing result and discard the argparse output if
the version variable is set.
[0] https://github.com/tailhook/rust-argparse/pull/50 | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | The split between the parse_arguments and the handle_arguments functions
is not really useful for reasoning about the code. In fact, it just adds
additional overhead in the form of complex function signatures into the
picture.
As it provides no real other value, this change merges the functionality
of both functions into a single one: handle_arguments. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | To be able to decide whether to print the argparse output depending on
the result of the argument parsing, this patch wraps stdout and stderr
in a BufWriter before invoking argparse. Our BufWriter implementation
only writes to the inner Write if the flush method is called. This
allows us to decide whether the buffered data should be written or
silently dropped. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | We have introduced the parse function to unify the common parsing
related tasks. In that vein, this change goes one step further and
adjusts the function to actually consume the ArgumentParser object used
by it.
All clients using this function actually do not access the parser
afterwards, and, in fact, some of them have to explicitly drop it
because of borrow conflicts with "referred" arguments. | 
| | 
| 
| 
| 
| | This patch changes the error handling in the args' module parse function
to use the Result's map_err instead of a more verbose if let expression. | 
| | |  | 
| | 
| 
| 
| 
| 
| | This change updates the libc crate to version 0.2.48.
Import subrepo libc/:libc at 42cd3ba27254c423e03f6f4324de57075047f6a0 | 
| | 
| 
| 
| | This change updates the regex-syntax crate to version 0.6.5. | 
| | 
| 
| 
| | This change updates the memchr crate to version 2.1.3. | 
| | 
| 
| 
| | This change updates the proc-macro2 crate to version 0.4.26. | 
| | 
| 
| 
| | This change updates the quote crate to version 0.6.11. | 
| | 
| 
| 
| | This change updates the syn crate to version 0.15.26. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| | The factory reset only clears the slot status. The slot content is
overwritten with random data. Therefore accessing a PWS slot after a
factory reset returns garbage data. We fixed this by always querying
the status before accessing the PWS. This patch adds a corresponding
test case. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | The Nitrokey devices do not check whether a PWS slot is programmed
before accessing it (upstream issues [0] [1]). Until this is fixed in
the firmware, we have to manually check the slot status in pws get. This
could have been done in libnitrokey or the nitrokey crate, yet this
would lead to unnecessary commands if we check multiple fields of a slot
at the same time.
[0] https://github.com/Nitrokey/nitrokey-pro-firmware/issues/56
[1] https://github.com/Nitrokey/nitrokey-storage-firmware/issues/81 | 
| | |  | 
| | 
| 
| 
| 
| 
| | After performing the factory reset, we also build the AES key so that
the device is fully usable. Due to timing issue, we have to add a delay
between the factory reset and building the AES key. | 
| | 
| 
| 
| 
| 
| 
| 
| | The -V/--version option prints the nitrocli version to stdout and exits.
In the future, it should also print the used libnitrokey version, but as
the required function is only available with nitrokey 0.3.2 and as the
current interface does not reflect the latest change in version naming,
I skipped that in this patch. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | This change bumps the version of the crate to 0.2.3. The following
notable changes have been made since 0.2.2:
- Added the storage hidden subcommand for working with hidden volumes
- Store cached PINs on a per-device basis to better support multi-device
  scenarios
- Further decreased binary size by using system allocator
- Bumped nitrokey dependency to 0.3.4
  - Bumped rand dependency to 0.6.4
  - Removed rustc_version, semver, and semver-parser dependencies
- Bumped nitrokey-sys dependency to 3.4.3
- Bumped libc dependency to 0.2.47 | 
| | 
| 
| 
| 
| 
| 
| | The duplicate_associated_type_bindings lint seems to have been removed
with the Rust 1.32 release.
This change removes the lint from the program to prevent the newly
introduced warning from being emitted. | 
| | 
| 
| 
| 
| 
| | If nitrokey-app is running, the device it connected to cannot be
detected by other applications. This patch adds this issue to the list
of known problems in the README. | 
| | 
| 
| 
| 
| 
| 
| | The CI scripts and the rustfmt configuration are only needed when
developing. There is no point in distributing them in the package
published on crates.io, so we exclude them from packaging using the
exclude setting in Cargo.toml. | 
| | 
| 
| 
| 
| 
| | This change updates the libc crate to version 0.2.47.
Import subrepo libc/:libc at ce1dfcbf81bd74662b5cd02a9214818a0bfbbffa | 
| | 
| 
| 
| 
| 
| | This change updates the nitrokey crate to version 0.3.4.
Import subrepo nitrokey/:nitrokey at 41cdc1f7091a3c442241dbb2379c50dbcc7e9c5f | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | This change adds tests for the lock command. For the Nitrokey Pro we
cannot test too much because the only side-effect is that the password
safe is closed and it will be opened automatically again by virtue of
our non-interactive testing methodology.
For Storage devices we verify that the encrypted volume is closed, which
is a documented side-effect. | 
| | 
| 
| 
| 
| 
| | This change updates the README and the man page with documentation about
hidden volumes in general and the storage hidden subcommand in
particular. | 
| | 
| 
| 
| 
| 
| 
| | This change adds a test for the creation, opening, and closing of a
hidden subvolume. In order to support that in a non-interactive fashion,
we introduce and honor the NITROCLI_PASSWORD environment variable, that
prevents an interactive password query. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | With this change we implement the storage hidden subcommand. We support
creation, opening, and closing of hidden volumes.
Note that the opening of a hidden volume automatically closes any opened
encrypted volumes and vice versa. To that end, we force file system
level caches to disk even from the storage open and storage hidden open
commands. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | This change introduces a new subcommand to the storage command called
'hidden'. This subcommand can be used to interact with hidden volumes.
Right now we support three operations pertaining hidden volumes: create,
open, and close.
This patch merely provides the infrastructure for parsing the commands
and all their arguments, it does not yet implement them fully. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | With the required interface for secrets well defined, this change
introduces a second secret type in addition to PINs: passwords. Similar
to a PIN, a password can contain pretty arbitrary characters but
passwords can be retried repeatedly, whereas PINs cause a lockout after
a certain number of failed attempts.
Our first use case for passwords will be for hidden volumes. For those,
we do not want to gpg-agent to cache entries and so a password entry
indicates that it is not to be cached through the previously introduced
mechanism for optional caching. | 
| | 
| 
| 
| 
| 
| 
| 
| | Another commonality between a password and a PIN is that they typically
both have a minimum length.
To accommodate for this requirement, this change introduces another
method to the SecretEntry trait that represents the secret's minimum
character length. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Currently, when we enter a secret (i.e., a PIN) through the pinentry
module, this PIN will automatically be cached and not asked from the
user again on subsequent inquiries. However, caching may not always be
desired. For the upcoming support of passwords used in conjunction with
hidden volumes, we do not want any caching because different passwords
can be entered for different volumes and the user's intention is not
clear until a password has actually been entered.
To accommodate this use case, this change modifies the signature of the
SecretEntry trait's cache_id method to return an optional cache ID. If
none is returned, caching of the entered secret is disabled. |