| Commit message |
|---|
| Since Rust 1.34.0, we no longer need a `fn main` comment in doc tests that return results. It is sufficient to have an `Ok` return value with type annotations. |
| Previously, the RawConfig struct had a try_from function. As the TryFrom trait has been stabilized with Rust 1.34.0, we can use it instead. |
| rand_os::OsRng has been deprecated. Instead we can use rand_core with the getrandom feature. |
| This patch splits the rather large device module into the submodules pro, storage and wrapper. This only changes the internal code structure and does not affect the public API. |
| This patch updates the rand_core dependency to version 0.5 and the rand_os dependency to version 0.2. This causes a change in util.rs: Instead of constructing an OsRng instance using OsRng::new(), we can directly instantiate the (now empty) struct. |
| The take and take_blocking functions return a PoisonError if the cache is poisoned, i.e. if a thread panicked while holding the manager. This is a sensible default behaviour, but for example during testing, one might want to ignore the poisoned cache. This patch adds the force_take function that unwraps the PoisonError and returns the cached Manager even if the cache was poisoned. |
| During the connection manager refactoring, we temporarily used deprecated methods. This is no longer the case, so we can remove the allow(deprecated) attribute. |
| This patch updates the documentation to reflect the latest changes to connection handling. It also updates the doc tests to prefer the new methods over the old ones. |
| To enable applications like nitrokey-test to go back to a manager instance from a Device instance, we add the into_manager function to the Device trait. To do that, we have to keep track of the Manager’s lifetime by adding a lifetime to Device (and then to some other traits that use Device). |
| In the last patches, we ensured that devices can only be obtained using the Manager struct. But we did not ensure that there is only one device at a time. This patch adds a mutable reference to the Manager instance to the Device implementations. The borrow checker makes sure that there is only one mutable reference at a time. In this patch, we have to remove the old connect, Pro::connect and Storage::connect functions as they no longer compile. (They discard the MutexGuard which invalidates the reference to the Manager.) Therefore the tests no longer compile. |
| As part of the connection refactoring, this patch moves the connect methods of the Pro and Storage structs into the Manager struct. To maintain compatibility with nitrokey-test, the old methods are not removed but marked as deprecated. |
| As part of the connection refactoring, this patch moves the connect_model function to the Manager struct. As the connect_model function is not used by nitrokey-test, it is removed. |
| As part of the connection refactoring, we replace the connect function with the Manager::connect method. To maintain compatibility with nitrokey-test, the connect function is not removed but marked as deprecated. |
| As part of the connection refactoring, we introduce the Manager struct that deals with connection management. To make sure there can be only one instance of the manager, we add a global static Mutex that holds the single Manager instance. We use the struct to ensure that the user can only connect to one device at a time. This also changes the Error::PoisonError variant to store the sync::PoisonError. This allows the user to call into_inner on the PoisonError to retrieve the MutexGuard and to ignore the error (for example useful during testing). |
| This patch prepares the refactoring of the connection methods by introducing the Error variants ConcurrentAccessError and PoisonError. ConcurrentAccessError indicates that the user tried to connect to obtain a token that is currently locked, and PoisonError indicates that a lock has been poisoned, i.e. a thread panicked while accessing using a token. |
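The connection-manager design described in the log entries above (a single Manager behind a global static Mutex; take and take_blocking returning ConcurrentAccessError or PoisonError; force_take calling into_inner on the PoisonError; and a device that holds a mutable reference to the Manager so that only one device can exist at a time), worked through as an added example. This is not nitrokey-rs code: the Manager, Pro, the `connections` counter and the `demonstrate` walkthrough are assumed stand-ins that never touch hardware, and only the standard library is used.

```rust
use std::sync::{Mutex, MutexGuard, PoisonError, TryLockError};

/// Assumed stand-in for the crate's Manager: the one object through which
/// devices are obtained.  `connections` exists only so that the example has
/// something observable; it is not a real field.
#[derive(Debug)]
pub struct Manager {
    connections: usize,
}

/// The single Manager instance, guarded by a global Mutex so that only the
/// holder of the guard can connect.
static MANAGER: Mutex<Manager> = Mutex::new(Manager { connections: 0 });

#[derive(Debug)]
pub enum Error {
    /// Somebody else currently holds the manager.
    ConcurrentAccessError,
    /// A thread panicked while holding the manager.  The inner value still
    /// hands out the guard via `into_inner`.
    PoisonError(PoisonError<MutexGuard<'static, Manager>>),
}

/// Non-blocking acquisition: fails immediately if the manager is taken.
pub fn take() -> Result<MutexGuard<'static, Manager>, Error> {
    match MANAGER.try_lock() {
        Ok(guard) => Ok(guard),
        Err(TryLockError::WouldBlock) => Err(Error::ConcurrentAccessError),
        Err(TryLockError::Poisoned(err)) => Err(Error::PoisonError(err)),
    }
}

/// Blocking acquisition: waits for the manager, but still reports poisoning.
pub fn take_blocking() -> Result<MutexGuard<'static, Manager>, Error> {
    MANAGER.lock().map_err(Error::PoisonError)
}

/// Like `take`, but ignores poisoning (useful in tests).  Concurrent access
/// is still an error.
pub fn force_take() -> Result<MutexGuard<'static, Manager>, Error> {
    match take() {
        Err(Error::PoisonError(err)) => Ok(err.into_inner()),
        other => other,
    }
}

/// A connected device holds `&mut Manager`, so the borrow checker rejects a
/// second connect while this one is alive.
pub struct Pro<'a> {
    manager: &'a mut Manager,
}

impl Manager {
    pub fn connect_pro(&mut self) -> Result<Pro<'_>, Error> {
        self.connections += 1;
        Ok(Pro { manager: self })
    }
}

impl<'a> Pro<'a> {
    /// Hands the manager back (the `into_manager` idea from the log).
    pub fn into_manager(self) -> &'a mut Manager {
        self.manager
    }
}

/// Walks through the cases the take functions distinguish and returns what
/// happened, so the behaviour can be checked without a device.
pub fn demonstrate() -> Vec<&'static str> {
    let mut trace = Vec::new();

    // 1. Normal use: take the manager, connect, get the manager back.
    {
        let mut manager = take().expect("manager is free");
        let device = manager.connect_pro().expect("connect");
        // `manager.connect_pro()` here would not compile (E0499): `device`
        // holds the mutable borrow until `into_manager` consumes it.
        let manager = device.into_manager();
        trace.push(if manager.connections == 1 { "connected once" } else { "?" });
    }

    // 2. Concurrent access: while this thread holds the guard, another thread
    //    calling take() gets ConcurrentAccessError instead of waiting.
    {
        let _held = take().expect("manager is free again");
        let rejected = std::thread::spawn(|| matches!(take(), Err(Error::ConcurrentAccessError)))
            .join()
            .expect("thread ran");
        trace.push(if rejected { "concurrent access rejected" } else { "?" });
    }

    // 3. Poisoning: a thread panics while holding the guard.  take() then
    //    reports PoisonError; force_take() discards it and returns the guard.
    let _ = std::thread::spawn(|| {
        let _guard = take_blocking().expect("manager is free");
        panic!("simulated panic while holding the manager");
    })
    .join();
    trace.push(if matches!(take(), Err(Error::PoisonError(_))) { "poisoned" } else { "?" });
    trace.push(if force_take().is_ok() { "force_take recovered" } else { "?" });
    trace
}

fn main() {
    for step in demonstrate() {
        println!("{step}");
    }
}
```

The Error type is deliberately not Send (it carries the guard), which is why the helper thread in step 2 reports a bool instead of returning the Error itself; in the real crate the same property stops a poisoned guard from leaking across threads.

| Commit message |
|---|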
| As the return type of the NK_get_{major,minor}_firmware_version methods changed with libnitrokey 3.5, we also have to adapt our get_firmware_version function in device.rs. This patch also updates the changelog and the todo list with the changes caused by the new libnitrokey version. |
| This reverts commit 13006c00dcbd570cf8347d89557834e320427377. |
| This reverts commit 0972bbe82623c3d9649b6023d8f50d304aa0cde6. |
| The current implementation of PasswordSafe stores a normal reference to the Device. This patch changes the PasswordSafe struct to use a mutable reference instead. This allows the borrow checker to make sure that there is only one PasswordSafe instance at a time. While this is currently not needed, it will become important once we can lock the PWS on the Nitrokey when dropping the PasswordSafe instance. |
| In the initial nitrokey-rs implementation, the Admin and the User struct take the Device by value to make sure that the user cannot initiate a second authentication while the first is still active (which would invalidate the temporary password). Now we realized that this is not necessary – taking a mutable reference has the same effect, but leads to a much cleaner API. This patch refactors the Admin and User structs – and all dependent code – to use a mutable reference instead of a Device value. |
| Previously, all methods that access a Nitrokey device took a reference to the device as input. This patch changes methods that change the device state to require a mutable reference instead. In most cases, this is straightforward as the method writes data to the device (for example write_config or change_user_pin). But there are two edge cases: authenticating with a PIN changes the device state as it may decrease the PIN retry counter if the authentication fails, and generating an HOTP code changes the device state as it increases the HOTP counter. |
| To prepare the mutability refactoring, we add a device_mut method to DeviceWrapper that can be used to obtain a mutable reference to the wrapped device. |
| As we want to change some methods to take a mutable reference to a Device, we implement DerefMut for User<T> and Admin<T> so that users can obtain a mutable reference to the wrapped device. |
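The mutable-reference design in the entries above (Admin and User hold `&mut` to the device instead of owning it; methods that change device state, including a failed PIN authentication and HOTP generation, take `&mut self`; DerefMut and device_mut expose the wrapped device), as an added example that is not the crate's own code. The Pro struct, its fields, the PIN `12345678` and the temporary-password bookkeeping are assumed stand-ins; real devices are driven through libnitrokey, which this example does not touch, and the generic `Admin<T>` of the crate is simplified to a concrete `Admin<'a>` over Pro.

```rust
use std::ops::{Deref, DerefMut};

#[derive(Debug, PartialEq)]
pub enum Error {
    WrongPassword,
}

/// Assumed stand-in for a Nitrokey Pro.  Only the state that authentication
/// and code generation can change is modelled.
#[derive(Debug)]
pub struct Pro {
    admin_pin: String,
    admin_retry_count: u8,
    /// The device holds exactly one temporary password at a time.  A second
    /// authentication would replace it and silently invalidate the first
    /// session, which is why a session must borrow the device exclusively.
    temp_password: Option<u64>,
    next_temp_password: u64,
    hotp_counter: u64,
    config_writes: u32,
}

/// Admin session token.  Holding `&mut Pro` (instead of owning the device)
/// makes the borrow checker refuse any other use of the device while the
/// token exists, and the device is available again as soon as it is dropped.
pub struct Admin<'a> {
    device: &'a mut Pro,
    temp_password: u64,
}

impl Pro {
    pub fn new(admin_pin: &str) -> Self {
        Pro {
            admin_pin: admin_pin.to_owned(),
            admin_retry_count: 3,
            temp_password: None,
            next_temp_password: 1,
            hotp_counter: 0,
            config_writes: 0,
        }
    }

    /// `&mut self` although this "only checks" the PIN: a failed attempt
    /// decrements the retry counter, so the device state changes either way.
    pub fn authenticate_admin(&mut self, pin: &str) -> Result<Admin<'_>, Error> {
        if pin != self.admin_pin {
            self.admin_retry_count = self.admin_retry_count.saturating_sub(1);
            return Err(Error::WrongPassword);
        }
        let temp_password = self.next_temp_password;
        self.next_temp_password += 1;
        self.temp_password = Some(temp_password);
        Ok(Admin { device: self, temp_password })
    }

    /// Generating an HOTP code advances the counter, so this is `&mut self` too.
    pub fn get_hotp_code(&mut self) -> u64 {
        self.hotp_counter += 1;
        self.hotp_counter
    }

    pub fn get_admin_retry_count(&self) -> u8 {
        self.admin_retry_count
    }

    pub fn config_writes(&self) -> u32 {
        self.config_writes
    }
}

impl<'a> Admin<'a> {
    /// Privileged command: accepted only with the temporary password the
    /// device currently holds.
    pub fn write_config(&mut self) -> Result<(), Error> {
        if self.device.temp_password != Some(self.temp_password) {
            return Err(Error::WrongPassword);
        }
        self.device.config_writes += 1;
        Ok(())
    }

    /// Explicit access to the wrapped device (the `device_mut` idea from the log).
    pub fn device_mut(&mut self) -> &mut Pro {
        &mut *self.device
    }
}

// Deref/DerefMut let unprivileged device methods be called on the token.
impl<'a> Deref for Admin<'a> {
    type Target = Pro;
    fn deref(&self) -> &Pro {
        &*self.device
    }
}

impl<'a> DerefMut for Admin<'a> {
    fn deref_mut(&mut self) -> &mut Pro {
        &mut *self.device
    }
}

/// Runs one session and returns (retry counter after a failed PIN, config
/// writes, HOTP code, error from the failed attempt).
pub fn run_session(device: &mut Pro) -> (u8, u32, u64, Error) {
    let err = device.authenticate_admin("000000").err().expect("wrong PIN must fail");
    let retry = device.get_admin_retry_count();

    let mut admin = device.authenticate_admin("12345678").expect("correct PIN");
    admin.write_config().expect("temporary password is current");
    // `device.authenticate_admin("12345678")` here would not compile (E0499):
    // `admin` still holds the mutable borrow.  Device methods stay reachable
    // through DerefMut:
    let code = admin.get_hotp_code();
    let writes = admin.device_mut().config_writes();
    drop(admin);
    (retry, writes, code, err)
}

fn main() {
    let mut device = Pro::new("12345678");
    println!("{:?}", run_session(&mut device));
}
```

The property the log asks for is enforced at compile time rather than at run time: there is no code path in which a second authentication can invalidate the first session's temporary password, because the first session's `&mut Pro` makes that call a type error.

| Commit message |
|---|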
| Previously, we considered this command as unsupported as it only was available with firmware version 0.49. But as discussed in nitrocli issue 80 [0], it will probably be re-enabled in future firmware versions. Therefore this patch adds the set_encrypted_volume_mode to Storage. [0] https://github.com/d-e-s-o/nitrocli/issues/80 |
| This patch combines the get_{major,minor}_firmware_version methods into the new get_firmware_version method that returns a FirmwareVersion struct. Currently, this requires casting from i32 to u8. But this will be fixed with the next libnitrokey version as we change the return types for the firmware getters. |
| Previously, we sometimes returned a value without wrapping it in a result if the API method did not indicate errors in the return value. But we can detect errors using the NK_get_last_command_status function. This patch changes the return types of these methods to Result<_, Error> and adds error checks. |
| To avoid unnecessary function calls, we replace the or with an or_else in get_cstring. |
| The DEFAULT_{ADMIN,USER}_PIN constants implicitly have static lifetime. Therefore we can remove the static lifetime modifiers. |
| For consistency with the other Error variants, we rename Unknown to UnknownError. |
| Many of our functions do not return a Result<_, Error>, but for example a Result<_, (Device, Error)>. We only use the typedef in one function, but it makes the other functions more complicated as we have to use result::Result (if crate::Result is imported). Therefore, this patch removes the typedef. Applications or libraries can still redefine it if they want to. |
| rand_core does not have a stable release yet, and it is unlikely that there will be one soon. To be able to stabilize nitrokey without waiting for a stable rand_core version, we remove the rand_core::Error type from the public API and replace it with a Box<dyn error::Error>. |
| This patch adds license and copyright information to all files to make nitrokey-rs compliant with the REUSE practices [0]. [0] https://reuse.software/practices/2.0/ |
| Not all users of the authenticate methods want to use the device after an error, so implementing From<(T: Device, Error)> for Error makes it easier for them to discard the device. |
| Previously, we used lossy UTF-8 conversion. Yet the user should be notified if we have a problem instead of silently changing the data. Therefore, we now return an error if we encounter an invalid UTF-8 string. This leads to a change in `get_library_version`’s signature. |
| Previously, we just ignored UTF-8 errors. This patch prepares the Utf8Error variant so that we are able to return UTF-8 errors. |
| This includes: using idiomatic Rust, limiting the scope of unsafe blocks, and simplifying code. |
| To reduce the number of casts, we introduce the temp_password_ptr method that casts the pointer received from the Vec<u8> to a c_char pointer that can be handled by libnitrokey. |
| Numeric casting might truncate an integer, while into() is only implemented for numeric types if the cast is possible without truncation. |
| The Pro and Storage structs may only be created using the connect functions. This patch adds a private PhantomData field to the structs to ensure that the compiler does not allow direct instantiation. |
| If possible, check specific error codes instead of `is_err()`. This makes the code more readable and catches bugs resulting in the wrong error code. Also, using the assert_*_err and assert_ok macros yields error messages containing the expected and the actual value. To be able to use these macros with the `get_password_safe` method, we also have to implement `Debug` for `PasswordSafe` and `Device`. |
| The CommandError::Undefined variant has been refactored into Error::UnexpectedError and CommunicationError::NotConnected and is therefore no longer needed. |
| Previously, we returned a CommandError::Undefined if a connect function failed. A CommunicationError::NotConnected is a more specific and better fitting choice. Once the Try trait has been stabilized, we should return an Option<_> instead of a Result<_, Error> from the connect functions. |
| The UnexpectedError variant is used when a libnitrokey function returns a value that violates the function’s contract, for example if a function returns a null pointer although it guarantees to never return null. Previously, we returned a CommandError::Unspecified in these cases. |
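The FFI boundary checks discussed in the entries above (wrapping getters whose return value cannot signal failure in a Result by consulting NK_get_last_command_status afterwards, returning UnexpectedError for a null pointer that violates the function's contract, reporting invalid UTF-8 as Utf8Error instead of converting lossily, and using a checked conversion instead of an `as` cast for the i32 firmware version), as an added example rather than code from nitrokey-rs. FakeLib and its `nk_*` methods are assumed stand-ins for the C bindings, the status code 0 meaning success is an assumption of this example, and the OutOfRange variant is introduced here only to make the truncation case visible.

```rust
use std::convert::TryFrom; // redundant on edition 2021, needed on 2018
use std::ffi::{CStr, CString};
use std::os::raw::c_char;
use std::str::Utf8Error;

#[derive(Debug, PartialEq)]
pub enum Error {
    /// The last command status reported a failure (raw code kept as-is).
    CommandError(i32),
    /// A return value violated the function's contract, e.g. a null pointer
    /// from a function that promises never to return null.
    UnexpectedError,
    /// The library handed back bytes that are not valid UTF-8.
    Utf8Error(Utf8Error),
    /// A numeric value does not fit the target type; `as` would truncate it.
    OutOfRange(i32),
}

/// Constructed stand-in for the C API.  libnitrokey is reached through
/// `extern "C"` bindings; here the same shapes are methods on a struct so the
/// wrapper logic can be exercised without a device.
pub struct FakeLib {
    pub last_status: i32,
    /// `None` simulates a null pointer coming back from the library.
    pub library_version: Option<CString>,
    pub firmware_major: i32,
}

impl FakeLib {
    pub fn nk_get_library_version(&self) -> *const c_char {
        self.library_version
            .as_ref()
            .map_or(std::ptr::null(), |s| s.as_ptr())
    }
    pub fn nk_get_major_firmware_version(&self) -> i32 {
        self.firmware_major
    }
    pub fn nk_get_last_command_status(&self) -> i32 {
        self.last_status
    }
}

/// Copies a C string into an owned String.  Null is a contract violation and
/// invalid UTF-8 is reported instead of being replaced with U+FFFD.
pub fn get_cstring(ptr: *const c_char) -> Result<String, Error> {
    if ptr.is_null() {
        return Err(Error::UnexpectedError);
    }
    // SAFETY: `ptr` is non-null and, by the library's contract, points to a
    // NUL-terminated buffer that stays valid for the duration of this call.
    let cstr = unsafe { CStr::from_ptr(ptr) };
    cstr.to_str().map(str::to_owned).map_err(Error::Utf8Error)
}

/// The version getter cannot signal errors through its return value, so the
/// wrapper asks for the last command status afterwards and wraps the result.
pub fn get_library_version(lib: &FakeLib) -> Result<String, Error> {
    let version = get_cstring(lib.nk_get_library_version())?;
    match lib.nk_get_last_command_status() {
        0 => Ok(version),
        code => Err(Error::CommandError(code)),
    }
}

/// The raw getter returns i32; `try_from` refuses values that `as u8` would
/// silently truncate (300 as u8 is 44).
pub fn get_major_firmware_version(lib: &FakeLib) -> Result<u8, Error> {
    let raw = lib.nk_get_major_firmware_version();
    u8::try_from(raw).map_err(|_| Error::OutOfRange(raw))
}

fn main() {
    let lib = FakeLib {
        last_status: 0,
        library_version: Some(CString::new("3.5.0").expect("no interior NUL")),
        firmware_major: 0,
    };
    println!("{:?} {:?}", get_library_version(&lib), get_major_firmware_version(&lib));
}
```

The order of the checks matters: the null test comes before the unsafe `CStr::from_ptr`, the UTF-8 check before any use of the string, and the status check after the call whose result it qualifies, so a wrapper never hands the caller data the library did not vouch for.

| Commit message |
|---|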
| For example, the WrongSlot error may also be returned for a PWS slot. |
| AsStr is automatically implemented if Display is implemented, so having a manual as_str() method is not necessary. |