Three more error codes are defined in libnitrokey but currently reported
as the CommandError::Unknown variant:
  200: representing a string that exceeds a limit
  202: indicating a string that is not in hexadecimal format when it
       should be
  203: suggesting that the target buffer is smaller than the source
       buffer and, hence, too small
This change introduces the CommandError variants StringTooLong,
InvalidHexString and TargetBufferTooSmall, respectively, representing
those errors.

This patch adds the global connect_model function that can be used to
connect to a Nitrokey device of a given model.  Contrary to Pro::connect
and Storage::connect, the model does not have to be set at compile time.

connect_model will be used for a public function with the next patch.

This patch introduces the methods enable_hidden_volume,
disable_hidden_volume and create_hidden_volume for the Storage struct to
support the hidden volumes on the Nitrokey Storage.  The enable and
create methods require that the encrypted storage has been enabled.
Contrary to authentication and password safe access, we do not enforce
this requirement in the API as file system operations could have
unwanted side effects and should not be performed implicitly.

Contrary to my previous beliefs, build_aes_key has to be called even
after a factory reset using the Nitrokey API.  This patch updates the
documentation and the unit tests based on this insight.

This patch adds the enable_firmware_update method to the Storage struct
that uses NK_enable_firmware_update to put the Nitrokey Storage into
update mode.  This method is not tested as external tooling is required
to resume normal operation and as it is hard to bail out if an error
occurs.

This patch adds the build_aes_key method to the Device trait that uses
the NK_build_aes_key function to build new AES keys on the device.  This
effectively resets the password safe and the encrypted storage.  It is
unclear whether other data (e.g. the one-time passwords) are affected
too.

This patch adds the factory_reset method to the Device trait that uses
the NK_factory_reset function to perform a factory reset.  The tests
verify that the user and admin PIN are reset and that the OTP storage
and the password safe are deleted.

This patch adds the change_update_pin method to the Storage struct that
uses the NK_change_update_password function to set the password required
for firmware updates.

After a factory reset, the password safe cannot be accessed as its
secret cannot be decrypted.  This patch improves the documentation for
GetPasswordSafe::get_password_safe to reflect this behavior.

The CommandError::Unknown variant, which is used whenever a reported
error code is not known, makes it close to impossible to determine the
root cause of, say, a one-off error, because all information explaining
what went wrong is discarded.
With this change we adjust the Unknown variant to include the error
report.  In addition, we introduce a new CommandError variant, Undefined,
that is used when no error code is available.

We switched to rand::thread_rng() which cannot fail.  Therefore the
CommandError::RngError is no longer needed and removed in this patch.

This patch adds the force argument to the set_time method in the
ConfigureOtp trait that allows the user to choose whether jumps to the
past are allowed when updating the time.  It is implemented by using the
NK_totp_set_time_soft function.  Previously, jumps were unconditionally
allowed.

As these three enums are scalar values, this patch derives the Clone and
Copy traits for them.  This should avoid unnecessary allocations and
reduce the memory footprint.

This patch adds the function Device::get_model that returns the model of
the connected Nitrokey stick.

This patch updates the rand dependency to version 0.6.  It also replaces
the OsRng, which is guaranteed to use OS/hardware entropy, with the
thread_rng, which is likely to use OS/hardware entropy as a seed.  The
choice of RNG and the handling of passwords should be reviewed at a later
point.

Newer Rust versions support integration tests in a top-level tests
directory.  This patch refactors the existing unit tests into
integration tests.

With Rust edition 2018, it is no longer necessary to declare
dependencies in the code using `extern crate`.  Therefore, this patch
removes these declarations and replaces them with `use` declarations if
necessary.

This patch changes use declarations for modules within this crate to use
the crate:: path qualifier.  This will be mandatory in Rust edition
2018.

This patch changes the type of trait objects from `Trait` to `dyn
Trait`.  This fixes bare-trait-object compiler warnings.

This patch makes hidden lifetime parameters explicit to fix
elided-lifetime-in-path compiler warnings.

This patch enables the following compiler warnings:
- missing_docs for public symbols without documentation
- rust_2018_compatibility for Rust edition 2018 support
- rust_2018_idioms for Rust edition 2018 support
- unused for different types of unused code

This patch adds a `get_status` method to the `Storage` structure.  The
returned structure `StorageStatus` is based on the structure provided by
libnitrokey.

As connect() now returns DeviceWrappers of the correct type, this patch
adds an example to the DeviceWrapper documentation that shows how to use
type conditions, i.e. how to execute a command only for Nitrokey
Storage devices.

This patch fixes the generic connect() method to return a DeviceWrapper
of the correct type.  This is enabled by the NK_get_device_model()
method introduced in libnitrokey v3.4.

Old libnitrokey versions could return pointers to both statically and
dynamically allocated strings for functions that return strings.  This
has been fixed in libnitrokey commit 7a8550d (included in v3.4).  This
patch removes the old workaround and always frees the return value of
functions returning a string pointer.

Most notably, for command errors, this will print a human-readable error
message instead of just the name of the enum.

The std::fmt::Display implementation provides a human-readable error
message for a CommandError.  It is intended to be used in error
messages displayed to the user.

The new get_cstring method in util returns a Result<CString,
CommandError>, so most callers can just use the ? operator to unwrap the
result instead of cumbersome unwrapping code.

The Result enum is more idiomatic and easier to use than our custom
CommandStatus enum with the same structure.  This is especially true for
the try operator ?.

When enabled, the password safe can be used without authentication.  The
lock device command can be used to lock the password safe.  Currently,
PasswordSafe::drop calls this command to make sure that other
applications cannot access the password safe without authentication.
On the Nitrokey Storage, locking the device may also disable the
encrypted or hidden volume.  As using the password safe should not have
side effects on the storage volumes, this patch removes the call to the
lock device command from the Drop implementation.  Instead, the user
should call this method after making sure that it does not have side
effects.
A feature request for a command that only locks the password safe
without side effects is submitted to the Nitrokey Storage firmware
repository:
	https://github.com/Nitrokey/nitrokey-storage-firmware/issues/65

This patch adds support for the commands to enable or disable the
encrypted volume on the Nitrokey Storage.  To test these commands, the
output of lsblk is parsed for the device model “Nitrokey Storage”.  This
is not perfect but seems to be the best solution for automated testing.
As the effect of enabling and disabling volumes is not immediate, a
delay of two seconds is added to the tests before checking lsblk.  This
is sufficient on my machine, yet it would be better to have a portable
version of this check.
This patch also adds a lock method to Device that executes the
lock_device command.  This command was previously only used to close the
password safe.  On the Nitrokey Storage, it also disables the encrypted
and hidden volume.

The current Nitrokey Storage firmware does not support timestamps that
do not fit into an unsigned integer.  Therefore, the tests totp_pin and
totp_no_pin are restricted to 32-bit timestamps.  New tests totp_pin_64
and totp_no_pin_64 are introduced for 64-bit timestamps.  These are
expected to panic for the Nitrokey Storage.

The firmware version is too volatile to restrict it to certain values.
Therefore, we only check that there is a non-zero version number instead
of expecting specific values.

By calling NK_lock_device when dropping a PasswordSafe instance, we can
make sure that the password safe cannot be reused without
authentication.

Instead of wrapping an owned Device instance, PasswordSafe now only
requires a reference to a Device.  The lifetime parameter makes sure
that the device lives at least as long as the password safe.  Using a
reference instead of an owned device allows us to implement Drop on
PasswordSafe to make sure that the password safe is disabled once it is
destructed.

While 30 seconds is the default time step for TOTP, arbitrary values are
possible.  Yet the RFC only provides test cases for the default time
window.  This patch adds tests where these test cases are applied for a
time window of 60 seconds (if both the current time and the time window
double, the resulting TOTP code is the same).
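The doubling argument in the message above, as an added example (not code from the nitrokey crate or its author): RFC 6238 TOTP computed with Python's standard library and checked against the RFC's published SHA-1 test vectors at the default 30-second step, then again with every timestamp doubled and a 60-second step, where the counter floor(2t/60) equals floor(t/30).

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B reference secret (the ASCII digits) and its SHA-1,
# 8-digit test vectors, keyed by Unix time, for the default 30 s step.
RFC6238_SECRET = b"12345678901234567890"
RFC6238_VECTORS = {
    59: "94287082",
    1111111109: "07081804",
    1111111111: "14050471",
    1234567890: "89005924",
    2000000000: "69279037",
    20000000000: "65353130",
}


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, time_step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps elapsed."""
    return hotp(secret, unix_time // time_step, digits)


def vectors_hold(time_step: int, time_scale: int) -> bool:
    """Check every reference vector after multiplying its timestamp by
    `time_scale` and using `time_step` seconds per counter increment.
    (30, 1) is the RFC as written; (60, 2) is the doubled variant."""
    return all(
        totp(RFC6238_SECRET, t * time_scale, time_step) == code
        for t, code in RFC6238_VECTORS.items()
    )
```

Changing only the step, as in `vectors_hold(60, 1)`, breaks the vectors, so the identity depends on scaling the time and the step together.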