From 1012a9beb5a89efdf3a74f0c78cd88a64abb98cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Thu, 1 Feb 2024 17:29:57 +0100 Subject: [PATCH 1/5] Run cargo fmt Older version of Rust failed to format `service.rs` file. --- src/service.rs | 521 +++++++++++++++++++++++++++---------------------- 1 file changed, 283 insertions(+), 238 deletions(-) diff --git a/src/service.rs b/src/service.rs index d2e78ffb2a1..ec5961dbc9f 100644 --- a/src/service.rs +++ b/src/service.rs @@ -159,19 +159,14 @@ impl ServiceResources

{ debug_now!("TRUSSED {:?}", request); match request { - Request::DummyRequest => { - Ok(Reply::DummyReply) - }, + Request::DummyRequest => Ok(Reply::DummyReply), - Request::Agree(request) => { - match request.mechanism { - - Mechanism::P256 => mechanisms::P256::agree(&mut keystore(self, ctx)?, request), - Mechanism::X255 => mechanisms::X255::agree(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::Agree) - }, + Request::Agree(request) => match request.mechanism { + Mechanism::P256 => mechanisms::P256::agree(&mut keystore(self, ctx)?, request), + Mechanism::X255 => mechanisms::X255::agree(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::Agree), #[cfg(feature = "crypto-client-attest")] Request::Attest(request) => { @@ -180,103 +175,129 @@ impl ServiceResources

{ self.rng().map_err(|_| Error::EntropyMalfunction)?, full_store, ); - attest::try_attest(&mut attn_keystore, &mut certstore(self, ctx)?, &mut keystore(self, ctx)?, request).map(Reply::Attest) + attest::try_attest( + &mut attn_keystore, + &mut certstore(self, ctx)?, + &mut keystore(self, ctx)?, + request, + ) + .map(Reply::Attest) } #[cfg(not(feature = "crypto-client-attest"))] Request::Attest(_) => Err(Error::RequestNotAvailable), - Request::Decrypt(request) => { - match request.mechanism { - - Mechanism::Aes256Cbc => mechanisms::Aes256Cbc::decrypt(&mut keystore(self, ctx)?, request), - Mechanism::Chacha8Poly1305 => mechanisms::Chacha8Poly1305::decrypt(&mut keystore(self, ctx)?, request), - Mechanism::Tdes => mechanisms::Tdes::decrypt(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::Decrypt) - }, - - Request::DeriveKey(request) => { - match request.mechanism { - - Mechanism::HmacBlake2s => mechanisms::HmacBlake2s::derive_key(&mut keystore(self, ctx)?, request), - Mechanism::HmacSha1 => mechanisms::HmacSha1::derive_key(&mut keystore(self, ctx)?, request), - Mechanism::HmacSha256 => mechanisms::HmacSha256::derive_key(&mut keystore(self, ctx)?, request), - Mechanism::HmacSha512 => mechanisms::HmacSha512::derive_key(&mut keystore(self, ctx)?, request), - Mechanism::Ed255 => mechanisms::Ed255::derive_key(&mut keystore(self, ctx)?, request), - Mechanism::P256 => mechanisms::P256::derive_key(&mut keystore(self, ctx)?, request), - Mechanism::Sha256 => mechanisms::Sha256::derive_key(&mut keystore(self, ctx)?, request), - Mechanism::X255 => mechanisms::X255::derive_key(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::DeriveKey) - }, - - Request::DeserializeKey(request) => { - match request.mechanism { - - Mechanism::Ed255 => mechanisms::Ed255::deserialize_key(&mut keystore(self, ctx)?, request), - Mechanism::P256 => mechanisms::P256::deserialize_key(&mut keystore(self, ctx)?, request), - Mechanism::X255 => mechanisms::X255::deserialize_key(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::DeserializeKey) + Request::Decrypt(request) => match request.mechanism { + Mechanism::Aes256Cbc => { + mechanisms::Aes256Cbc::decrypt(&mut keystore(self, ctx)?, request) + } + Mechanism::Chacha8Poly1305 => { + mechanisms::Chacha8Poly1305::decrypt(&mut keystore(self, ctx)?, request) + } + Mechanism::Tdes => mechanisms::Tdes::decrypt(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), } + .map(Reply::Decrypt), - Request::Encrypt(request) => { - match request.mechanism { + Request::DeriveKey(request) => match request.mechanism { + Mechanism::HmacBlake2s => { + mechanisms::HmacBlake2s::derive_key(&mut keystore(self, ctx)?, request) + } + Mechanism::HmacSha1 => { + mechanisms::HmacSha1::derive_key(&mut keystore(self, ctx)?, request) + } + Mechanism::HmacSha256 => { + mechanisms::HmacSha256::derive_key(&mut keystore(self, ctx)?, request) + } + Mechanism::HmacSha512 => { + mechanisms::HmacSha512::derive_key(&mut keystore(self, ctx)?, request) + } + Mechanism::Ed255 => { + mechanisms::Ed255::derive_key(&mut keystore(self, ctx)?, request) + } + Mechanism::P256 => mechanisms::P256::derive_key(&mut keystore(self, ctx)?, request), + Mechanism::Sha256 => { + mechanisms::Sha256::derive_key(&mut keystore(self, ctx)?, request) + } + Mechanism::X255 => mechanisms::X255::derive_key(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::DeriveKey), - Mechanism::Aes256Cbc => mechanisms::Aes256Cbc::encrypt(&mut keystore(self, ctx)?, request), - Mechanism::Chacha8Poly1305 => mechanisms::Chacha8Poly1305::encrypt(&mut keystore(self, ctx)?, request), - Mechanism::Tdes => mechanisms::Tdes::encrypt(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), + Request::DeserializeKey(request) => match request.mechanism { + Mechanism::Ed255 => { + mechanisms::Ed255::deserialize_key(&mut keystore(self, ctx)?, request) + } + Mechanism::P256 => { + mechanisms::P256::deserialize_key(&mut keystore(self, ctx)?, request) + } + Mechanism::X255 => { + mechanisms::X255::deserialize_key(&mut keystore(self, ctx)?, request) + } + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::DeserializeKey), - }.map(Reply::Encrypt) - }, + Request::Encrypt(request) => match request.mechanism { + Mechanism::Aes256Cbc => { + mechanisms::Aes256Cbc::encrypt(&mut keystore(self, ctx)?, request) + } + Mechanism::Chacha8Poly1305 => { + mechanisms::Chacha8Poly1305::encrypt(&mut keystore(self, ctx)?, request) + } + Mechanism::Tdes => mechanisms::Tdes::encrypt(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::Encrypt), Request::Delete(request) => { let success = keystore(self, ctx)?.delete_key(&request.key); - Ok(Reply::Delete(reply::Delete { success } )) - }, + Ok(Reply::Delete(reply::Delete { success })) + } Request::Clear(request) => { let success = keystore(self, ctx)?.clear_key(&request.key); - Ok(Reply::Clear(reply::Clear { success } )) - }, + Ok(Reply::Clear(reply::Clear { success })) + } Request::DeleteAllKeys(request) => { let count = keystore(self, ctx)?.delete_all(request.location)?; - Ok(Reply::DeleteAllKeys(reply::DeleteAllKeys { count } )) - }, - - Request::Exists(request) => { - match request.mechanism { - - Mechanism::Ed255 => mechanisms::Ed255::exists(&mut keystore(self, ctx)?, request), - Mechanism::P256 => mechanisms::P256::exists(&mut keystore(self, ctx)?, request), - Mechanism::Totp => mechanisms::Totp::exists(&mut keystore(self, ctx)?, request), - Mechanism::X255 => mechanisms::X255::exists(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::Exists) - }, - - Request::GenerateKey(request) => { - match request.mechanism { - Mechanism::Chacha8Poly1305 => mechanisms::Chacha8Poly1305::generate_key(&mut keystore(self, ctx)?, request), - Mechanism::Ed255 => mechanisms::Ed255::generate_key(&mut keystore(self, ctx)?, request), - Mechanism::P256 => mechanisms::P256::generate_key(&mut keystore(self, ctx)?, request), - Mechanism::X255 => mechanisms::X255::generate_key(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - }.map(Reply::GenerateKey) - }, + Ok(Reply::DeleteAllKeys(reply::DeleteAllKeys { count })) + } + + Request::Exists(request) => match request.mechanism { + Mechanism::Ed255 => mechanisms::Ed255::exists(&mut keystore(self, ctx)?, request), + Mechanism::P256 => mechanisms::P256::exists(&mut keystore(self, ctx)?, request), + Mechanism::Totp => mechanisms::Totp::exists(&mut keystore(self, ctx)?, request), + Mechanism::X255 => mechanisms::X255::exists(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::Exists), + + Request::GenerateKey(request) => match request.mechanism { + Mechanism::Chacha8Poly1305 => { + mechanisms::Chacha8Poly1305::generate_key(&mut keystore(self, ctx)?, request) + } + Mechanism::Ed255 => { + mechanisms::Ed255::generate_key(&mut keystore(self, ctx)?, request) + } + Mechanism::P256 => { + mechanisms::P256::generate_key(&mut keystore(self, ctx)?, request) + } + Mechanism::X255 => { + mechanisms::X255::generate_key(&mut keystore(self, ctx)?, request) + } + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::GenerateKey), Request::GenerateSecretKey(request) => { let mut secret_key = MediumData::new(); let size = request.size; let mut keystore = keystore(self, ctx)?; - secret_key.resize_default(request.size).map_err(|_| Error::ImplementationError)?; + secret_key + .resize_default(request.size) + .map_err(|_| Error::ImplementationError)?; keystore.rng().fill_bytes(&mut secret_key[..size]); let key_id = keystore.store_key( request.attributes.persistence, @@ -284,21 +305,34 @@ impl ServiceResources

{ key::Kind::Symmetric(size), &secret_key[..size], )?; - Ok(Reply::GenerateSecretKey(reply::GenerateSecretKey { key: key_id })) - }, + Ok(Reply::GenerateSecretKey(reply::GenerateSecretKey { + key: key_id, + })) + } // deprecated - Request::UnsafeInjectKey(request) => { - match request.mechanism { - Mechanism::P256 => mechanisms::P256::unsafe_inject_key(&mut keystore(self, ctx)?,request), - Mechanism::X255 => mechanisms::X255::unsafe_inject_key(&mut keystore(self, ctx)?,request), - Mechanism::Ed255 => mechanisms::Ed255::unsafe_inject_key(&mut keystore(self, ctx)?,request), - Mechanism::SharedSecret => mechanisms::SharedSecret::unsafe_inject_key(&mut keystore(self, ctx)?, request), - Mechanism::Aes256Cbc => mechanisms::Aes256Cbc::unsafe_inject_key(&mut keystore(self, ctx)?, request), - Mechanism::Tdes => mechanisms::Tdes::unsafe_inject_key(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable) - }.map(Reply::UnsafeInjectKey) - }, + Request::UnsafeInjectKey(request) => match request.mechanism { + Mechanism::P256 => { + mechanisms::P256::unsafe_inject_key(&mut keystore(self, ctx)?, request) + } + Mechanism::X255 => { + mechanisms::X255::unsafe_inject_key(&mut keystore(self, ctx)?, request) + } + Mechanism::Ed255 => { + mechanisms::Ed255::unsafe_inject_key(&mut keystore(self, ctx)?, request) + } + Mechanism::SharedSecret => { + mechanisms::SharedSecret::unsafe_inject_key(&mut keystore(self, ctx)?, request) + } + Mechanism::Aes256Cbc => { + mechanisms::Aes256Cbc::unsafe_inject_key(&mut keystore(self, ctx)?, request) + } + Mechanism::Tdes => { + mechanisms::Tdes::unsafe_inject_key(&mut keystore(self, ctx)?, request) + } + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::UnsafeInjectKey), Request::UnsafeInjectSharedKey(request) => { let key_id = keystore(self, ctx)?.store_key( @@ -308,28 +342,30 @@ impl ServiceResources

{ &request.raw_key, )?; - Ok(Reply::UnsafeInjectSharedKey(reply::UnsafeInjectSharedKey { key: key_id } )) - }, - - Request::Hash(request) => { - match request.mechanism { - - Mechanism::Sha256 => mechanisms::Sha256::hash(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), + Ok(Reply::UnsafeInjectSharedKey(reply::UnsafeInjectSharedKey { + key: key_id, + })) + } - }.map(Reply::Hash) - }, + Request::Hash(request) => match request.mechanism { + Mechanism::Sha256 => mechanisms::Sha256::hash(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::Hash), Request::LocateFile(request) => { - let path = filestore.locate_file(request.location, request.dir.as_deref(), &request.filename)?; + let path = filestore.locate_file( + request.location, + request.dir.as_deref(), + &request.filename, + )?; - Ok(Reply::LocateFile(reply::LocateFile { path }) ) + Ok(Reply::LocateFile(reply::LocateFile { path })) } // This is now preferably done using littlefs-fuse (when device is not yet locked), // and should be removed from firmware completely Request::DebugDumpStore(_request) => { - info_now!(":: PERSISTENT"); recursively_list(self.platform.store().fs(Location::Internal), path!("/")); @@ -356,15 +392,19 @@ impl ServiceResources

{ } } Ok(()) - }).unwrap(); + }) + .unwrap(); } - Ok(Reply::DebugDumpStore(reply::DebugDumpStore {}) ) - + Ok(Reply::DebugDumpStore(reply::DebugDumpStore {})) } Request::ReadDirFirst(request) => { - let maybe_entry = match filestore.read_dir_first(&request.dir, request.location, request.not_before_filename.as_deref())? { + let maybe_entry = match filestore.read_dir_first( + &request.dir, + request.location, + request.not_before_filename.as_deref(), + )? { Some((entry, read_dir_state)) => { ctx.read_dir_state = Some(read_dir_state); Some(entry) @@ -372,10 +412,11 @@ impl ServiceResources

{ None => { ctx.read_dir_state = None; None - } }; - Ok(Reply::ReadDirFirst(reply::ReadDirFirst { entry: maybe_entry } )) + Ok(Reply::ReadDirFirst(reply::ReadDirFirst { + entry: maybe_entry, + })) } Request::ReadDirNext(_request) => { @@ -384,25 +425,29 @@ impl ServiceResources

{ let maybe_entry = match read_dir_state { None => None, - Some(state) => { - match filestore.read_dir_next(state)? { - Some((entry, read_dir_state)) => { - ctx.read_dir_state = Some(read_dir_state); - Some(entry) - } - None => { - ctx.read_dir_state = None; - None - } + Some(state) => match filestore.read_dir_next(state)? { + Some((entry, read_dir_state)) => { + ctx.read_dir_state = Some(read_dir_state); + Some(entry) } - } + None => { + ctx.read_dir_state = None; + None + } + }, }; - Ok(Reply::ReadDirNext(reply::ReadDirNext { entry: maybe_entry } )) + Ok(Reply::ReadDirNext(reply::ReadDirNext { + entry: maybe_entry, + })) } Request::ReadDirFilesFirst(request) => { - let maybe_data = match filestore.read_dir_files_first(&request.dir, request.location, request.user_attribute.clone())? { + let maybe_data = match filestore.read_dir_files_first( + &request.dir, + request.location, + request.user_attribute.clone(), + )? { Some((data, state)) => { ctx.read_dir_files_state = Some(state); data @@ -412,7 +457,9 @@ impl ServiceResources

{ None } }; - Ok(Reply::ReadDirFilesFirst(reply::ReadDirFilesFirst { data: maybe_data } )) + Ok(Reply::ReadDirFilesFirst(reply::ReadDirFilesFirst { + data: maybe_data, + })) } Request::ReadDirFilesNext(_request) => { @@ -420,48 +467,44 @@ impl ServiceResources

{ let maybe_data = match read_dir_files_state { None => None, - Some(state) => { - match filestore.read_dir_files_next(state)? { - Some((data, state)) => { - ctx.read_dir_files_state = Some(state); - data - } - None => { - ctx.read_dir_files_state = None; - None - } + Some(state) => match filestore.read_dir_files_next(state)? { + Some((data, state)) => { + ctx.read_dir_files_state = Some(state); + data } - } + None => { + ctx.read_dir_files_state = None; + None + } + }, }; - Ok(Reply::ReadDirFilesNext(reply::ReadDirFilesNext { data: maybe_data } )) + Ok(Reply::ReadDirFilesNext(reply::ReadDirFilesNext { + data: maybe_data, + })) } Request::RemoveDir(request) => { filestore.remove_dir(&request.path, request.location)?; - Ok(Reply::RemoveDir(reply::RemoveDir {} )) + Ok(Reply::RemoveDir(reply::RemoveDir {})) } Request::RemoveDirAll(request) => { let count = filestore.remove_dir_all(&request.path, request.location)?; - Ok(Reply::RemoveDirAll(reply::RemoveDirAll { count } )) + Ok(Reply::RemoveDirAll(reply::RemoveDirAll { count })) } Request::RemoveFile(request) => { filestore.remove_file(&request.path, request.location)?; - Ok(Reply::RemoveFile(reply::RemoveFile {} )) + Ok(Reply::RemoveFile(reply::RemoveFile {})) } - Request::ReadFile(request) => { - Ok(Reply::ReadFile(reply::ReadFile { - data: filestore.read(&request.path, request.location)? - })) - } + Request::ReadFile(request) => Ok(Reply::ReadFile(reply::ReadFile { + data: filestore.read(&request.path, request.location)?, + })), - Request::Metadata(request) => { - Ok(Reply::Metadata(reply::Metadata{ - metadata: filestore.metadata(&request.path, request.location)? - })) - } + Request::Metadata(request) => Ok(Reply::Metadata(reply::Metadata { + metadata: filestore.metadata(&request.path, request.location)?, + })), Request::Rename(request) => { filestore.rename(&request.from, &request.to, request.location)?; @@ -473,76 +516,84 @@ impl ServiceResources

{ let mut bytes = Message::new(); bytes.resize_default(request.count).unwrap(); self.rng()?.fill_bytes(&mut bytes); - Ok(Reply::RandomBytes(reply::RandomBytes { bytes } )) + Ok(Reply::RandomBytes(reply::RandomBytes { bytes })) } else { Err(Error::MechanismNotAvailable) } } - Request::SerializeKey(request) => { - match request.mechanism { - - Mechanism::Ed255 => mechanisms::Ed255::serialize_key(&mut keystore(self, ctx)?, request), - Mechanism::P256 => mechanisms::P256::serialize_key(&mut keystore(self, ctx)?, request), - Mechanism::X255 => mechanisms::X255::serialize_key(&mut keystore(self, ctx)?, request), - Mechanism::SharedSecret => mechanisms::SharedSecret::serialize_key(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::SerializeKey) + Request::SerializeKey(request) => match request.mechanism { + Mechanism::Ed255 => { + mechanisms::Ed255::serialize_key(&mut keystore(self, ctx)?, request) + } + Mechanism::P256 => { + mechanisms::P256::serialize_key(&mut keystore(self, ctx)?, request) + } + Mechanism::X255 => { + mechanisms::X255::serialize_key(&mut keystore(self, ctx)?, request) + } + Mechanism::SharedSecret => { + mechanisms::SharedSecret::serialize_key(&mut keystore(self, ctx)?, request) + } + _ => Err(Error::MechanismNotAvailable), } + .map(Reply::SerializeKey), - Request::Sign(request) => { - match request.mechanism { - - Mechanism::Ed255 => mechanisms::Ed255::sign(&mut keystore(self, ctx)?, request), - Mechanism::HmacBlake2s => mechanisms::HmacBlake2s::sign(&mut keystore(self, ctx)?, request), - Mechanism::HmacSha1 => mechanisms::HmacSha1::sign(&mut keystore(self, ctx)?, request), - Mechanism::HmacSha256 => mechanisms::HmacSha256::sign(&mut keystore(self, ctx)?, request), - Mechanism::HmacSha512 => mechanisms::HmacSha512::sign(&mut keystore(self, ctx)?, request), - Mechanism::P256 => mechanisms::P256::sign(&mut keystore(self, ctx)?, request), - Mechanism::P256Prehashed => mechanisms::P256Prehashed::sign(&mut keystore(self, ctx)?, request), - Mechanism::Totp => mechanisms::Totp::sign(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::Sign) - }, + Request::Sign(request) => match request.mechanism { + Mechanism::Ed255 => mechanisms::Ed255::sign(&mut keystore(self, ctx)?, request), + Mechanism::HmacBlake2s => { + mechanisms::HmacBlake2s::sign(&mut keystore(self, ctx)?, request) + } + Mechanism::HmacSha1 => { + mechanisms::HmacSha1::sign(&mut keystore(self, ctx)?, request) + } + Mechanism::HmacSha256 => { + mechanisms::HmacSha256::sign(&mut keystore(self, ctx)?, request) + } + Mechanism::HmacSha512 => { + mechanisms::HmacSha512::sign(&mut keystore(self, ctx)?, request) + } + Mechanism::P256 => mechanisms::P256::sign(&mut keystore(self, ctx)?, request), + Mechanism::P256Prehashed => { + mechanisms::P256Prehashed::sign(&mut keystore(self, ctx)?, request) + } + Mechanism::Totp => mechanisms::Totp::sign(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::Sign), Request::WriteFile(request) => { filestore.write(&request.path, request.location, &request.data)?; - Ok(Reply::WriteFile(reply::WriteFile {} )) + Ok(Reply::WriteFile(reply::WriteFile {})) } - Request::UnwrapKey(request) => { - match request.mechanism { - - Mechanism::Chacha8Poly1305 => mechanisms::Chacha8Poly1305::unwrap_key(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::UnwrapKey) + Request::UnwrapKey(request) => match request.mechanism { + Mechanism::Chacha8Poly1305 => { + mechanisms::Chacha8Poly1305::unwrap_key(&mut keystore(self, ctx)?, request) + } + _ => Err(Error::MechanismNotAvailable), } + .map(Reply::UnwrapKey), - Request::Verify(request) => { - match request.mechanism { - - Mechanism::Ed255 => mechanisms::Ed255::verify(&mut keystore(self, ctx)?, request), - Mechanism::P256 => mechanisms::P256::verify(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), - - }.map(Reply::Verify) - }, - - Request::WrapKey(request) => { - match request.mechanism { - - Mechanism::Aes256Cbc => mechanisms::Aes256Cbc::wrap_key(&mut keystore(self, ctx)?, request), - Mechanism::Chacha8Poly1305 => mechanisms::Chacha8Poly1305::wrap_key(&mut keystore(self, ctx)?, request), - _ => Err(Error::MechanismNotAvailable), + Request::Verify(request) => match request.mechanism { + Mechanism::Ed255 => mechanisms::Ed255::verify(&mut keystore(self, ctx)?, request), + Mechanism::P256 => mechanisms::P256::verify(&mut keystore(self, ctx)?, request), + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::Verify), - }.map(Reply::WrapKey) - }, + Request::WrapKey(request) => match request.mechanism { + Mechanism::Aes256Cbc => { + mechanisms::Aes256Cbc::wrap_key(&mut keystore(self, ctx)?, request) + } + Mechanism::Chacha8Poly1305 => { + mechanisms::Chacha8Poly1305::wrap_key(&mut keystore(self, ctx)?, request) + } + _ => Err(Error::MechanismNotAvailable), + } + .map(Reply::WrapKey), Request::RequestUserConsent(request) => { - // assert_eq!(request.level, consent::Level::Normal); let starttime = self.platform.user_interface().uptime(); @@ -602,9 +653,9 @@ impl ServiceResources

{ self.platform.user_interface().reboot(request.to); } - Request::Uptime(_request) => { - Ok(Reply::Uptime(reply::Uptime { uptime: self.platform.user_interface().uptime() })) - } + Request::Uptime(_request) => Ok(Reply::Uptime(reply::Uptime { + uptime: self.platform.user_interface().uptime(), + })), Request::Wink(request) => { self.platform.user_interface().wink(request.duration); @@ -612,47 +663,41 @@ impl ServiceResources

{ } Request::SetCustomStatus(request) => { - self.platform.user_interface().set_status(Status::Custom(request.status)); + self.platform + .user_interface() + .set_status(Status::Custom(request.status)); Ok(Reply::SetCustomStatus(reply::SetCustomStatus {})) } #[cfg(feature = "counter-client")] - Request::CreateCounter(request) => { - counterstore(self, ctx)?.create(request.location) - .map(|id| Reply::CreateCounter(reply::CreateCounter { id } )) - } + Request::CreateCounter(request) => counterstore(self, ctx)? + .create(request.location) + .map(|id| Reply::CreateCounter(reply::CreateCounter { id })), #[cfg(not(feature = "counter-client"))] Request::CreateCounter(_) => Err(Error::RequestNotAvailable), #[cfg(feature = "counter-client")] - Request::IncrementCounter(request) => { - counterstore(self, ctx)?.increment(request.id) - .map(|counter| Reply::IncrementCounter(reply::IncrementCounter { counter } )) - } + Request::IncrementCounter(request) => counterstore(self, ctx)? + .increment(request.id) + .map(|counter| Reply::IncrementCounter(reply::IncrementCounter { counter })), #[cfg(not(feature = "counter-client"))] Request::IncrementCounter(_) => Err(Error::RequestNotAvailable), - Request::DeleteCertificate(request) => { - certstore(self, ctx)?.delete_certificate(request.id) - .map(|_| Reply::DeleteCertificate(reply::DeleteCertificate {} )) - } + Request::DeleteCertificate(request) => certstore(self, ctx)? + .delete_certificate(request.id) + .map(|_| Reply::DeleteCertificate(reply::DeleteCertificate {})), - Request::ReadCertificate(request) => { - certstore(self, ctx)?.read_certificate(request.id) - .map(|der| Reply::ReadCertificate(reply::ReadCertificate { der } )) - } + Request::ReadCertificate(request) => certstore(self, ctx)? + .read_certificate(request.id) + .map(|der| Reply::ReadCertificate(reply::ReadCertificate { der })), - Request::WriteCertificate(request) => { - certstore(self, ctx)?.write_certificate(request.location, &request.der) - .map(|id| Reply::WriteCertificate(reply::WriteCertificate { id } )) - } - - Request::SerdeExtension(_) => { - Err(Error::RequestNotAvailable) - } + Request::WriteCertificate(request) => certstore(self, ctx)? + .write_certificate(request.location, &request.der) + .map(|id| Reply::WriteCertificate(reply::WriteCertificate { id })), + Request::SerdeExtension(_) => Err(Error::RequestNotAvailable), // _ => { // // #[cfg(test)] // // println!("todo: {:?} request!", &request); From 7f4e12db5a7aedbc63146d07182f70edfa502cc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Thu, 1 Feb 2024 17:39:15 +0100 Subject: [PATCH 2/5] Fix clippy warnings --- src/mechanisms/hmacblake2s.rs | 6 +----- src/mechanisms/hmacsha1.rs | 6 +----- src/mechanisms/hmacsha256.rs | 6 +----- src/mechanisms/hmacsha512.rs | 4 ++-- src/service.rs | 1 + tests/store/mod.rs | 1 - 6 files changed, 6 insertions(+), 18 deletions(-) diff --git a/src/mechanisms/hmacblake2s.rs b/src/mechanisms/hmacblake2s.rs index 1f3320e1b54..07ae205e643 100644 --- a/src/mechanisms/hmacblake2s.rs +++ b/src/mechanisms/hmacblake2s.rs @@ -26,11 +26,7 @@ impl DeriveKey for super::HmacBlake2s { if let Some(additional_data) = &request.additional_data { mac.update(additional_data); } - let derived_key: [u8; 32] = mac - .finalize() - .into_bytes() - .try_into() - .map_err(|_| Error::InternalError)?; + let derived_key: [u8; 32] = mac.finalize().into_bytes().into(); let key = keystore.store_key( request.attributes.persistence, key::Secrecy::Secret, diff --git a/src/mechanisms/hmacsha1.rs b/src/mechanisms/hmacsha1.rs index f35a20fe505..2741f26bbdc 100644 --- a/src/mechanisms/hmacsha1.rs +++ b/src/mechanisms/hmacsha1.rs @@ -26,11 +26,7 @@ impl DeriveKey for super::HmacSha1 { if let Some(additional_data) = &request.additional_data { mac.update(additional_data); } - let derived_key: [u8; 20] = mac - .finalize() - .into_bytes() - .try_into() - .map_err(|_| Error::InternalError)?; + let derived_key: [u8; 20] = mac.finalize().into_bytes().into(); let key_id = keystore.store_key( request.attributes.persistence, key::Secrecy::Secret, diff --git a/src/mechanisms/hmacsha256.rs b/src/mechanisms/hmacsha256.rs index f25aaf4d288..c5b23e15266 100644 --- a/src/mechanisms/hmacsha256.rs +++ b/src/mechanisms/hmacsha256.rs @@ -31,11 +31,7 @@ impl DeriveKey for super::HmacSha256 { if let Some(additional_data) = &request.additional_data { mac.update(additional_data); } - let derived_key: [u8; 32] = mac - .finalize() - .into_bytes() - .try_into() - .map_err(|_| Error::InternalError)?; + let derived_key: [u8; 32] = mac.finalize().into_bytes().into(); let key_id = keystore.store_key( request.attributes.persistence, key::Secrecy::Secret, diff --git a/src/mechanisms/hmacsha512.rs b/src/mechanisms/hmacsha512.rs index 58a981d9218..881bde8edf7 100644 --- a/src/mechanisms/hmacsha512.rs +++ b/src/mechanisms/hmacsha512.rs @@ -25,8 +25,8 @@ impl DeriveKey for super::HmacSha512 { if let Some(additional_data) = &request.additional_data { mac.update(additional_data); } - let mut derived_key = [0u8; 64]; - derived_key.copy_from_slice(&mac.finalize().into_bytes()); //.try_into().map_err(|_| Error::InternalError)?; + let derived_key: [u8; 64] = mac.finalize().into_bytes().into(); + let key = keystore.store_key( request.attributes.persistence, key::Secrecy::Secret, diff --git a/src/service.rs b/src/service.rs index ec5961dbc9f..54db389dbaa 100644 --- a/src/service.rs +++ b/src/service.rs @@ -148,6 +148,7 @@ impl ServiceResources

{ generator } + #[cfg(feature = "crypto-client-attest")] let full_store = self.platform.store(); let keystore = once(|this, ctx| this.keystore(ctx.path.clone())); diff --git a/tests/store/mod.rs b/tests/store/mod.rs index 5ea456783c5..4318a73853e 100644 --- a/tests/store/mod.rs +++ b/tests/store/mod.rs @@ -1,4 +1,3 @@ -pub use generic_array::typenum::consts; use littlefs2::const_ram_storage; use trussed::types::{LfsResult, LfsStorage}; From 2a2b2091598b9ecd795966af42ab0766972f26da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Wed, 21 Feb 2024 10:58:26 +0100 Subject: [PATCH 3/5] Add must_use attributes on futures. Prior to that there would be no warning when forgetting to use `(try_)syscall`. --- src/client.rs | 1 + src/serde_extensions.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/src/client.rs b/src/client.rs index 1c9cf1d9c02..8897b4cf3c6 100644 --- a/src/client.rs +++ b/src/client.rs @@ -119,6 +119,7 @@ pub trait PollClient { } } +#[must_use = "Syscalls must be polled with the `syscall` macro"] pub struct FutureResult<'c, T, C: ?Sized> where C: PollClient, diff --git a/src/serde_extensions.rs b/src/serde_extensions.rs index 8c372d1a3e9..fa298269665 100644 --- a/src/serde_extensions.rs +++ b/src/serde_extensions.rs @@ -180,6 +180,7 @@ where /// A result returned by [`ExtensionClient`][] and clients using it. pub type ExtensionResult<'a, E, T, C> = Result, ClientError>; +#[must_use = "Syscalls must be polled with the `syscall` macro"] /// A future of an [`ExtensionResult`][]. pub struct ExtensionFutureResult<'c, E, T, C: ?Sized> { client: &'c mut C, From 6492abafb623b98e412e74bf72f1a3c6317de196 Mon Sep 17 00:00:00 2001 From: Robin Krahl Date: Fri, 1 Mar 2024 16:19:52 +0100 Subject: [PATCH 4/5] Add nonce to wrap_key and unwrap_key syscalls This patch adds a nonce argument to the wrap_key and unwrap_key syscalls to be able to use the Aes256Cbc mechanism with a non-zero IV in the future. --- CHANGELOG.md | 1 + src/api.rs | 2 ++ src/client.rs | 5 +++++ src/client/mechanisms.rs | 5 ++++- src/mechanisms/aes256cbc.rs | 2 +- src/mechanisms/chacha8poly1305.rs | 2 +- 6 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f46f656e5f..cda7ced1227 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -43,6 +43,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 by default). - Change store implementations to use littlefs2’s `DynFilesystem` trait instead of being generic over the storage implementation. +- Add `nonce` argument to `wrap_key` and `unwrap_key` syscalls. ### Fixed diff --git a/src/api.rs b/src/api.rs index a792c6cfaaa..327dec41c9f 100644 --- a/src/api.rs +++ b/src/api.rs @@ -312,6 +312,7 @@ pub mod request { - wrapping_key: KeyId - wrapped_key: Message - associated_data: Message + - nonce: ShortData - attributes: StorageAttributes Verify: @@ -327,6 +328,7 @@ pub mod request { - wrapping_key: KeyId - key: KeyId - associated_data: ShortData + - nonce: Option RequestUserConsent: - level: consent::Level diff --git a/src/client.rs b/src/client.rs index 8897b4cf3c6..cf6e88001a6 100644 --- a/src/client.rs +++ b/src/client.rs @@ -537,15 +537,18 @@ pub trait CryptoClient: PollClient { wrapping_key: KeyId, wrapped_key: Message, associated_data: &[u8], + nonce: &[u8], attributes: StorageAttributes, ) -> ClientResult<'c, reply::UnwrapKey, Self> { let associated_data = Message::from_slice(associated_data).map_err(|_| ClientError::DataTooLarge)?; + let nonce = ShortData::from_slice(nonce).map_err(|_| ClientError::DataTooLarge)?; self.request(request::UnwrapKey { mechanism, wrapping_key, wrapped_key, associated_data, + nonce, attributes, }) } @@ -556,6 +559,7 @@ pub trait CryptoClient: PollClient { wrapping_key: KeyId, key: KeyId, associated_data: &[u8], + nonce: Option, ) -> ClientResult<'_, reply::WrapKey, Self> { let associated_data = Bytes::from_slice(associated_data).map_err(|_| ClientError::DataTooLarge)?; @@ -564,6 +568,7 @@ pub trait CryptoClient: PollClient { wrapping_key, key, associated_data, + nonce, }) } } diff --git a/src/client/mechanisms.rs b/src/client/mechanisms.rs index 0d0dab65e44..2003876b4ed 100644 --- a/src/client/mechanisms.rs +++ b/src/client/mechanisms.rs @@ -17,7 +17,7 @@ pub trait Aes256Cbc: CryptoClient { wrapping_key: KeyId, key: KeyId, ) -> ClientResult<'_, reply::WrapKey, Self> { - self.wrap_key(Mechanism::Aes256Cbc, wrapping_key, key, &[]) + self.wrap_key(Mechanism::Aes256Cbc, wrapping_key, key, &[], None) } } @@ -81,6 +81,7 @@ pub trait Chacha8Poly1305: CryptoClient { wrapping_key, Message::from_slice(wrapped_key).map_err(|_| ClientError::DataTooLarge)?, associated_data, + &[], StorageAttributes::new().set_persistence(location), ) } @@ -90,12 +91,14 @@ pub trait Chacha8Poly1305: CryptoClient { wrapping_key: KeyId, key: KeyId, associated_data: &[u8], + nonce: Option<&[u8; 12]>, ) -> ClientResult<'c, reply::WrapKey, Self> { self.wrap_key( Mechanism::Chacha8Poly1305, wrapping_key, key, associated_data, + nonce.and_then(|nonce| ShortData::from_slice(nonce).ok()), ) } } diff --git a/src/mechanisms/aes256cbc.rs b/src/mechanisms/aes256cbc.rs index 6b0ca4c8fcb..2b114e00f35 100644 --- a/src/mechanisms/aes256cbc.rs +++ b/src/mechanisms/aes256cbc.rs @@ -83,7 +83,7 @@ impl WrapKey for super::Aes256Cbc { key: request.wrapping_key, message, associated_data: request.associated_data.clone(), - nonce: None, + nonce: request.nonce.clone(), }; let encryption_reply = ::encrypt(keystore, &encryption_request)?; diff --git a/src/mechanisms/chacha8poly1305.rs b/src/mechanisms/chacha8poly1305.rs index 9fe96030bc1..e2cb68cf9c4 100644 --- a/src/mechanisms/chacha8poly1305.rs +++ b/src/mechanisms/chacha8poly1305.rs @@ -183,7 +183,7 @@ impl WrapKey for super::Chacha8Poly1305 { key: request.wrapping_key, message, associated_data: request.associated_data.clone(), - nonce: None, + nonce: request.nonce.clone(), }; let encryption_reply = ::encrypt(keystore, &encryption_request)?; From cff2e663841b6a68d3a8ce12647d57b2b6fbc36c Mon Sep 17 00:00:00 2001 From: Robin Krahl Date: Fri, 1 Mar 2024 16:42:18 +0100 Subject: [PATCH 5/5] Use nonce as IV for Aes256Cbc mechanism --- CHANGELOG.md | 1 + src/client/mechanisms.rs | 12 ++++++++++-- src/mechanisms/aes256cbc.rs | 23 +++++++++++++++++++---- 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cda7ced1227..6ec19bcd6f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Change store implementations to use littlefs2’s `DynFilesystem` trait instead of being generic over the storage implementation. - Add `nonce` argument to `wrap_key` and `unwrap_key` syscalls. +- Use nonce as IV for Aes256Cbc mechanism. ### Fixed diff --git a/src/client/mechanisms.rs b/src/client/mechanisms.rs index 2003876b4ed..522841186d9 100644 --- a/src/client/mechanisms.rs +++ b/src/client/mechanisms.rs @@ -8,16 +8,24 @@ pub trait Aes256Cbc: CryptoClient { &'c mut self, key: KeyId, message: &[u8], + iv: &[u8], ) -> ClientResult<'c, reply::Decrypt, Self> { - self.decrypt(Mechanism::Aes256Cbc, key, message, &[], &[], &[]) + self.decrypt(Mechanism::Aes256Cbc, key, message, &[], iv, &[]) } fn wrap_key_aes256cbc( &mut self, wrapping_key: KeyId, key: KeyId, + iv: Option<&[u8; 16]>, ) -> ClientResult<'_, reply::WrapKey, Self> { - self.wrap_key(Mechanism::Aes256Cbc, wrapping_key, key, &[], None) + self.wrap_key( + Mechanism::Aes256Cbc, + wrapping_key, + key, + &[], + iv.and_then(|iv| ShortData::from_slice(iv).ok()), + ) } } diff --git a/src/mechanisms/aes256cbc.rs b/src/mechanisms/aes256cbc.rs index 2b114e00f35..192cbda0be5 100644 --- a/src/mechanisms/aes256cbc.rs +++ b/src/mechanisms/aes256cbc.rs @@ -31,8 +31,15 @@ impl Encrypt for super::Aes256Cbc { .try_into() .map_err(|_| Error::InternalError)?; - let zero_iv = [0u8; 16]; - let cipher = Aes256CbcEnc::new_from_slices(&symmetric_key, &zero_iv).unwrap(); + let iv = if let Some(nonce) = &request.nonce { + nonce + .as_slice() + .try_into() + .map_err(|_| Error::MechanismParamInvalid)? + } else { + [0u8; 16] + }; + let cipher = Aes256CbcEnc::new_from_slices(&symmetric_key, &iv).unwrap(); // buffer must have enough space for message+padding let mut buffer = request.message.clone(); @@ -117,8 +124,16 @@ impl Decrypt for super::Aes256Cbc { .try_into() .map_err(|_| Error::InternalError)?; - let zero_iv = [0u8; 16]; - let cipher = Aes256CbcDec::new_from_slices(&symmetric_key, &zero_iv).unwrap(); + let iv = if request.nonce.is_empty() { + [0u8; 16] + } else { + request + .nonce + .as_slice() + .try_into() + .map_err(|_| Error::MechanismParamInvalid)? + }; + let cipher = Aes256CbcDec::new_from_slices(&symmetric_key, &iv).unwrap(); // buffer must have enough space for message+padding let mut buffer = request.message.clone();