diff options
| -rw-r--r-- | nitrocli/CHANGELOG.md | 4 | ||||
| -rw-r--r-- | nitrocli/src/crc32.rs | 88 | ||||
| -rw-r--r-- | nitrocli/src/error.rs | 9 | ||||
| -rw-r--r-- | nitrocli/src/main.rs | 237 | ||||
| -rw-r--r-- | nitrocli/src/nitrokey.rs | 256 |
5 files changed, 27 insertions, 567 deletions
diff --git a/nitrocli/CHANGELOG.md b/nitrocli/CHANGELOG.md index 7ff193a..c8985f3 100644 --- a/nitrocli/CHANGELOG.md +++ b/nitrocli/CHANGELOG.md @@ -1,7 +1,7 @@ Unreleased ---------- -- Use the `nitrokey` crate for the `open` and `close` commands instead - of directly communicating with the Nitrokey device +- Use the `nitrokey` crate for the `open`, `close`, and `status` + commands instead of directly communicating with the Nitrokey device - Added `nitrokey` version `0.2.1` as a direct dependency and `nitrokey-sys` version `3.4.1` as well as `rand` version `0.4.3` as indirect dependencies diff --git a/nitrocli/src/crc32.rs b/nitrocli/src/crc32.rs deleted file mode 100644 index 8b85b49..0000000 --- a/nitrocli/src/crc32.rs +++ /dev/null @@ -1,88 +0,0 @@ -// crc32.rs - -// ************************************************************************* -// * Copyright (C) 2017-2018 Daniel Mueller (deso@posteo.net) * -// * * -// * This program is free software: you can redistribute it and/or modify * -// * it under the terms of the GNU General Public License as published by * -// * the Free Software Foundation, either version 3 of the License, or * -// * (at your option) any later version. * -// * * -// * This program is distributed in the hope that it will be useful, * -// * but WITHOUT ANY WARRANTY; without even the implied warranty of * -// * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * -// * GNU General Public License for more details. * -// * * -// * You should have received a copy of the GNU General Public License * -// * along with this program. If not, see <http://www.gnu.org/licenses/>. * -// ************************************************************************* - -/// Polynomial used in STM32. -const CRC32_POLYNOMIAL: u32 = 0x04c1_1db7; - - -fn crc32(mut crc: u32, data: u32) -> u32 { - crc ^= data; - - for _ in 0..32 { - if crc & 0x8000_0000 != 0 { - crc = (crc << 1) ^ CRC32_POLYNOMIAL; - } else { - crc <<= 1; - } - } - crc -} - - -/// Retrieve a u32 slice of the 'data' part. -/// -/// Note that the size of the supplied data has to be a multiple of 4 -/// bytes. -fn as_slice_u32(data: &[u8]) -> &[u32] { - assert!(data.len() % ::std::mem::size_of::<u32>() == 0); - - unsafe { - let ptr = data.as_ptr() as *const u32; - let len = data.len() / ::std::mem::size_of::<u32>(); - ::std::slice::from_raw_parts(ptr, len) - } -} - - -/// Calculate the CRC of a byte slice. -pub fn crc(data: &[u8]) -> u32 { - let mut crc = 0xffff_ffff; - let data = as_slice_u32(data); - - for byte in data { - crc = crc32(crc, *byte); - } - crc -} - - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn test_crc32() { - let mut crc = 0; - - // The expected values were computed with the original function. - crc = crc32(crc, 0xdeadbeef); - assert_eq!(crc, 0x46dec763); - - crc = crc32(crc, 42); - assert_eq!(crc, 0x7e579b45); - } - - #[test] - fn test_crc() { - let data = &"thisisatextthatistobecrced..".to_string().into_bytes(); - let crc = crc(data); - - assert_eq!(crc, 0x469db4ee); - } -} diff --git a/nitrocli/src/error.rs b/nitrocli/src/error.rs index 5d6b266..80d9d92 100644 --- a/nitrocli/src/error.rs +++ b/nitrocli/src/error.rs @@ -26,20 +26,12 @@ use libhid; #[derive(Debug)] pub enum Error { - HidError(libhid::Error), IoError(io::Error), Utf8Error(string::FromUtf8Error), Error(String), } -impl From<libhid::Error> for Error { - fn from(e: libhid::Error) -> Error { - Error::HidError(e) - } -} - - impl From<io::Error> for Error { fn from(e: io::Error) -> Error { Error::IoError(e) @@ -57,7 +49,6 @@ impl From<string::FromUtf8Error> for Error { impl fmt::Display for Error { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { match *self { - Error::HidError(ref e) => write!(f, "hidapi error: {}", e), Error::Utf8Error(_) => write!(f, "Encountered UTF-8 conversion error"), Error::IoError(ref e) => write!(f, "IO error: {}", e.get_ref().unwrap()), Error::Error(ref e) => write!(f, "{}", e), diff --git a/nitrocli/src/main.rs b/nitrocli/src/main.rs index 714c573..5ec68a2 100644 --- a/nitrocli/src/main.rs +++ b/nitrocli/src/main.rs @@ -68,29 +68,19 @@ //! Nitrocli is a program providing a command line interface to certain //! commands of the Nitrokey Storage device. -mod crc32; mod error; -mod nitrokey; mod pinentry; -use std::mem; use std::process; use std::result; -use std::thread; -use std::time; use libnitrokey; use crate::error::Error; type Result<T> = result::Result<T, Error>; -type NitroFunc = dyn Fn(&mut libhid::Handle) -> Result<()>; - const PIN_TYPE: pinentry::PinType = pinentry::PinType::User; -const SEND_TRY_COUNT: i8 = 3; -const RECV_TRY_COUNT: i8 = 40; -const SEND_RECV_DELAY_MS: u64 = 200; /// Create an `error::Error` with an error message of the format `msg: err`. @@ -105,185 +95,58 @@ fn get_storage_device() -> Result<libnitrokey::Storage> { .or_else(|_| Err(Error::Error("Nitrokey device not found".to_string()))) } - -/// Send a HID feature report to the device represented by the given handle. -fn send<P>(handle: &mut libhid::Handle, report: &nitrokey::Report<P>) -> Result<()> - where P: AsRef<[u8]>, -{ - let mut retry = SEND_TRY_COUNT; - loop { - let result = handle.feature().send_to(0, report.as_ref()); - retry -= 1; - - match result { - Ok(_) => { - return Ok(()); - }, - Err(err) => { - if retry > 0 { - thread::sleep(time::Duration::from_millis(SEND_RECV_DELAY_MS)); - continue; - } else { - return Err(Error::HidError(err)); - } - }, - } - } -} - - -/// Receive a HID feature report from the device represented by the given handle. -fn receive<P>(handle: &mut libhid::Handle) -> Result<nitrokey::Report<P>> - where P: AsRef<[u8]> + Default, -{ - let mut retry = RECV_TRY_COUNT; - loop { - let mut report = nitrokey::Report::<P>::new(); - let result = handle.feature().get_from(0, report.as_mut()); - - retry -= 1; - - match result { - Ok(size) => { - if size < mem::size_of_val(&report) { - if retry > 0 { - continue; - } else { - return Err(Error::Error("Failed to receive complete report".to_string())); - } - } - - if !report.is_valid() { - if retry > 0 { - continue; - } else { - return Err(Error::Error("Failed to receive report: CRC mismatch".to_string())); - } - } - return Ok(report); - }, - - Err(err) => { - if retry > 0 { - thread::sleep(time::Duration::from_millis(SEND_RECV_DELAY_MS)); - continue; - } else { - return Err(Error::HidError(err)); - } - }, +/// Return a string representation of the given volume status. +fn get_volume_status(status: &libnitrokey::VolumeStatus) -> &'static str { + if status.active { + if status.read_only { + "read-only" + } else { + "active" } + } else { + "inactive" } } -/// Transmit a HID feature report to the nitrokey and receive a response. -fn transmit<PS, PR>(handle: &mut libhid::Handle, - report: &nitrokey::Report<PS>) - -> Result<nitrokey::Report<PR>> - where PS: AsRef<[u8]>, - PR: AsRef<[u8]> + Default, -{ - send(handle, report)?; - - // We need to give the stick some time to handle the command. If we - // don't, we might just receive stale data from before. - thread::sleep(time::Duration::from_millis(SEND_RECV_DELAY_MS)); - - receive::<PR>(handle) -} - - -/// Find and open the nitrokey device and execute a function on it. -fn nitrokey_do(function: &NitroFunc) -> Result<()> { - let hid = libhid::init()?; - // The Manager::find method is plain stupid as it still returns an - // iterable. Using it does not help in more concise error handling. - for device in hid.devices() { - if device.vendor_id() == nitrokey::VID && device.product_id() == nitrokey::PID { - return function(&mut device.open()?); - } - } - Err(Error::Error("Nitrokey device not found".to_string())) -} - - /// Pretty print the response of a status command. -fn print_status(response: &nitrokey::DeviceStatusResponse) { +fn print_status(status: &libnitrokey::StorageStatus) { println!("Status:"); // We omit displaying information about the smartcard here as this // program really is only about the SD card portion of the device. - println!(" SD card ID: {:#x}", response.active_sdcard_id); + println!(" SD card ID: {:#x}", status.serial_number_sd_card); println!(" firmware version: {}.{}", - response.version_major, - response.version_minor); + status.firmware_version_major, + status.firmware_version_minor); println!(" firmware: {}", - if response.firmware_locked != 0 { + if status.firmware_locked { "locked".to_string() } else { "unlocked".to_string() }); println!(" storage keys: {}", - if response.storage_keys_missing == 0 { + if status.stick_initialized { "created".to_string() } else { "not created".to_string() }); - println!(" user retry count: {}", - response.user_password_retry_count); - println!(" admin retry count: {}", - response.admin_password_retry_count); + println!(" user retry count: {}", status.user_retry_count); + println!(" admin retry count: {}", status.admin_retry_count); println!(" volumes:"); - println!(" unencrypted: {}", - if response.volume_active & nitrokey::VOLUME_ACTIVE_UNENCRYPTED == 0 { - "inactive" - } else if response.unencrypted_volume_read_only != 0 { - "read-only" - } else { - "active" - }); - println!(" encrypted: {}", - if response.volume_active & nitrokey::VOLUME_ACTIVE_ENCRYPTED == 0 { - "inactive" - } else if response.encrypted_volume_read_only != 0 { - "read-only" - } else { - "active" - }); - println!(" hidden: {}", - if response.volume_active & nitrokey::VOLUME_ACTIVE_HIDDEN == 0 { - "inactive" - } else if response.hidden_volume_read_only != 0 { - "read-only" - } else { - "active" - }); + println!(" unencrypted: {}", get_volume_status(&status.unencrypted_volume)); + println!(" encrypted: {}", get_volume_status(&status.encrypted_volume)); + println!(" hidden: {}", get_volume_status(&status.hidden_volume)); } /// Inquire the status of the nitrokey. fn status() -> Result<()> { - type Response = nitrokey::Response<nitrokey::DeviceStatusResponse>; - - nitrokey_do(&|handle| { - let payload = nitrokey::DeviceStatusCommand::new(); - let report = nitrokey::Report::from(payload); - - let report = transmit::<_, nitrokey::EmptyPayload>(handle, &report)?; - let response = &AsRef::<Response>::as_ref(&report.data).data; - - // TODO: We should probably check the success of the command as - // well. - if response.magic != nitrokey::MAGIC_NUMBER_STICK20_CONFIG { - let error = format!("Status response contains invalid magic: {:#x} \ - (expected: {:#x})", - response.magic, - nitrokey::MAGIC_NUMBER_STICK20_CONFIG); - return Err(Error::Error(error.to_string())); - } + let status = get_storage_device()? + .get_status() + .map_err(|err| get_error("Getting Storage status failed", &err))?; - print_status(response); - Ok(()) - }) + print_status(&status); + Ok(()) } @@ -380,53 +243,3 @@ fn run() -> i32 { fn main() { process::exit(run()); } - - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn wrong_crc() { - type Response = nitrokey::Response<nitrokey::DeviceStatusResponse>; - - nitrokey_do(&|handle| { - let payload = nitrokey::DeviceStatusCommand::new(); - let mut report = nitrokey::Report::from(payload); - - // We want to verify that we get the correct result (i.e., a - // report of the CRC mismatch) repeatedly. - for _ in 0..10 { - report.crc += 1; - - let new_report = transmit::<_, nitrokey::EmptyPayload>(handle, &report)?; - let response = AsRef::<Response>::as_ref(&new_report.data); - - assert_eq!(response.command, nitrokey::Command::GetDeviceStatus); - assert_eq!(response.command_crc, report.crc); - assert_eq!(response.command_status, nitrokey::CommandStatus::WrongCrc); - } - return Ok(()); - }) - .unwrap(); - } - - #[test] - fn device_status() { - type Response = nitrokey::Response<nitrokey::DeviceStatusResponse>; - - nitrokey_do(&|handle| { - let payload = nitrokey::DeviceStatusCommand::new(); - let report = nitrokey::Report::from(payload); - - let report = transmit::<_, nitrokey::EmptyPayload>(handle, &report)?; - let response = AsRef::<Response>::as_ref(&report.data); - - assert!(response.device_status == nitrokey::StorageStatus::Idle || - response.device_status == nitrokey::StorageStatus::Okay); - assert_eq!(response.data.magic, nitrokey::MAGIC_NUMBER_STICK20_CONFIG); - return Ok(()); - }) - .unwrap(); - } -} diff --git a/nitrocli/src/nitrokey.rs b/nitrocli/src/nitrokey.rs deleted file mode 100644 index 9f767d6..0000000 --- a/nitrocli/src/nitrokey.rs +++ /dev/null @@ -1,256 +0,0 @@ -// nitrokey.rs - -// ************************************************************************* -// * Copyright (C) 2017-2018 Daniel Mueller (deso@posteo.net) * -// * * -// * This program is free software: you can redistribute it and/or modify * -// * it under the terms of the GNU General Public License as published by * -// * the Free Software Foundation, either version 3 of the License, or * -// * (at your option) any later version. * -// * * -// * This program is distributed in the hope that it will be useful, * -// * but WITHOUT ANY WARRANTY; without even the implied warranty of * -// * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * -// * GNU General Public License for more details. * -// * * -// * You should have received a copy of the GNU General Public License * -// * along with this program. If not, see <http://www.gnu.org/licenses/>. * -// ************************************************************************* - -use std::mem; - -use crate::crc32::crc; - - -// The Nitrokey Storage vendor ID. -pub const VID: u16 = 0x20A0; -// The Nitrokey Storage product ID. -pub const PID: u16 = 0x4109; - -// Magic number identifying a storage response. -pub const MAGIC_NUMBER_STICK20_CONFIG: u16 = 0x3318; - -// Flags indicating whether the respective volume is active or not. -pub const VOLUME_ACTIVE_UNENCRYPTED: u8 = 0b001; -pub const VOLUME_ACTIVE_ENCRYPTED: u8 = 0b010; -pub const VOLUME_ACTIVE_HIDDEN: u8 = 0b100; - - -#[derive(Debug)] -#[derive(PartialEq)] -#[repr(u8)] -pub enum Command { - // Retrieve the device status. - GetDeviceStatus = 0x2E, -} - - -/// A report is the entity we send to the Nitrokey Storage HID. -/// -/// A report is always 64 bytes in size. The last four bytes comprise a -/// CRC of the actual payload. Note that when sending or receiving a -/// report it usually is preceded by a one byte report ID. This report -/// ID is zero here and not represented in the actual report object in -/// our design. -#[repr(packed)] -pub struct Report<Payload> - where Payload: AsRef<[u8]>, -{ - // The actual payload data. A report may encapsulate a command to send - // to the stick or a response to receive from it. - pub data: Payload, - pub crc: u32, -} - - -impl<P> Report<P> - where P: AsRef<[u8]> + Default, -{ - pub fn new() -> Report<P> { - Report { - data: P::default(), - crc: 0, - } - } - - pub fn is_valid(&self) -> bool { - self.crc == crc(self.data.as_ref()) - } -} - - -impl<P> AsRef<[u8]> for Report<P> - where P: AsRef<[u8]>, -{ - fn as_ref(&self) -> &[u8] { - unsafe { mem::transmute::<&Report<P>, &[u8; 64]>(self) } - } -} - - -impl<P> From<P> for Report<P> - where P: AsRef<[u8]>, -{ - fn from(payload: P) -> Report<P> { - let crc = crc(payload.as_ref()); - Report { - data: payload, - crc: crc, - } - } -} - - -impl<P> AsMut<[u8]> for Report<P> - where P: AsRef<[u8]>, -{ - fn as_mut(&mut self) -> &mut [u8] { - unsafe { mem::transmute::<&mut Report<P>, &mut [u8; 64]>(self) } - } -} - - -pub struct EmptyPayload { - pub data: [u8; 60], -} - -impl Default for EmptyPayload { - fn default() -> EmptyPayload { - EmptyPayload { - data: [0u8; 60], - } - } -} - -impl AsRef<[u8]> for EmptyPayload { - fn as_ref(&self) -> &[u8] { - unsafe { mem::transmute::<&EmptyPayload, &[u8; 60]>(self) } - } -} - -impl<P> AsRef<Response<P>> for EmptyPayload { - fn as_ref(&self) -> &Response<P> { - unsafe { mem::transmute::<&EmptyPayload, &Response<P>>(self) } - } -} - - -macro_rules! defaultCommandType { - ( $name:ident ) => { - #[allow(dead_code)] - #[repr(packed)] - pub struct $name { - command: Command, - padding: [u8; 59], - } - } -} - -macro_rules! defaultCommandNew { - ( $name:ident, $command:ident ) => { - impl $name { - pub fn new() -> $name { - $name{ - command: Command::$command, - padding: [0; 59], - } - } - } - } -} - -macro_rules! defaultPayloadAsRef { - ( $name:ty ) => { - impl AsRef<[u8]> for $name { - fn as_ref(&self) -> &[u8] { - unsafe { mem::transmute::<&$name, &[u8; 60]>(self) } - } - } - } -} - -macro_rules! defaultCommand { - ( $name:ident, $command:ident ) => { - defaultCommandType!($name); - defaultCommandNew!($name, $command); - defaultPayloadAsRef!($name); - } -} - - -defaultCommand!(DeviceStatusCommand, GetDeviceStatus); - - -#[allow(dead_code)] -#[derive(Debug)] -#[derive(PartialEq)] -#[repr(u8)] -pub enum CommandStatus { - Okay = 0, - WrongCrc = 1, - WrongSlot = 2, - SlotNotProgrammed = 3, - WrongPassword = 4, - NotAuthorized = 5, - TimestampWarning = 6, - NoNameError = 7, -} - - -#[allow(dead_code)] -#[derive(Copy)] -#[derive(Clone)] -#[derive(Debug)] -#[derive(PartialEq)] -#[repr(u8)] -pub enum StorageStatus { - Idle = 0, - Okay = 1, - Busy = 2, - WrongPassword = 3, - BusyProgressbar = 4, - PasswordMatrixReady = 5, - NoUserPasswordUnlock = 6, - SmartcardError = 7, - SecurityBitActive = 8, -} - - -#[repr(packed)] -pub struct Response<Payload> { - pub device_status: StorageStatus, - pub command: Command, - pub command_crc: u32, - pub command_status: CommandStatus, - pub data: Payload, -} - -impl<P> AsRef<[u8]> for Response<P> { - fn as_ref(&self) -> &[u8] { - unsafe { mem::transmute::<&Response<P>, &[u8; 60]>(self) } - } -} - - -#[repr(packed)] -pub struct DeviceStatusResponse { - pub padding0: [u8; 22], - pub magic: u16, - pub unencrypted_volume_read_only: u8, - pub encrypted_volume_read_only: u8, - pub version_major: u8, - pub version_minor: u8, - pub version_build: u8, - pub version_internal: u8, - pub hidden_volume_read_only: u8, - pub firmware_locked: u8, - pub new_sdcard_found: u8, - pub sdcard_fill_with_random: u8, - pub active_sdcard_id: u32, - pub volume_active: u8, - pub new_smartcard_found: u8, - pub user_password_retry_count: u8, - pub admin_password_retry_count: u8, - pub active_smartcard_id: u32, - pub storage_keys_missing: u8, -} |