Merge branch '58-trussed-auth-version'

Fixes #80

.github/workflows/rust.yml

@@ -11,13 +11,21 @@ env:
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v3
-    - name: Setup
-      run: sudo apt install llvm libclang-dev
+    - name: Setup Ubuntu
+      run: make setup-ubuntu
     - name: Run tests
-      run: cargo test --verbose
+      run: make ci
 
+  fuzz:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup fuzz
+      run: make -C fuzz setup-ubuntu
+    - name: Setup fuzz 2
+      run: make -C fuzz setup
+    - name: Run tests
+      run: make -C fuzz ci

.gitignore

@@ -1,3 +1,7 @@
 /target
 Cargo.lock
 trussed-state.bin
+/fuzz/target
+/fuzz/corpus
+/fuzz/artifacts
+.idea

Cargo.toml

@@ -25,7 +25,7 @@ block-padding = "0.3.3"
 bitflags = "2.3.1"
 
 # extension
-trussed-auth = "0.2.0"
+trussed-auth = "0.2.2"
 
 [dev-dependencies]
 log = { version = "0.4.14", default-features = false }
@@ -37,7 +37,8 @@ usbd-ctaphid = "0.1"
 clap = { version = "3.0.0", features = ["cargo", "derive"] }
 clap-num = "1.0.0"
 delog = { version = "0.1.6", features = ["std-log"] }
-fido-authenticator = { version = "0.1", features = ["dispatch", "log-all"] }
+fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator", tag = "v0.1.1-nitrokey.4",  features = ["dispatch", "log-all"] }
+
 admin-app = { version = "0.1", features = ["log-all"] }
 
 [features]
@@ -74,6 +75,5 @@ required-features = ["ctaphid", "devel"]
 
 [patch.crates-io]
 flexiber = { git = "https://github.com/Nitrokey/flexiber", tag = "0.1.1.nitrokey" }
-trussed = { git = "https://github.com/Nitrokey/trussed", rev = "52da9bb" }
-littlefs2 = { git =  "https://github.com/Nitrokey/littlefs2", tag = "v0.3.2-nitrokey-2" }
-trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth/", rev = "6beabd125ea57e87bf642e18278fcc2ba224c50c" }
+trussed = { git = "https://github.com/Nitrokey/trussed", tag = "v0.1.0-nitrokey.11" }
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth/", tag = "v0.2.2" }

Makefile

@@ -0,0 +1,7 @@
+.PHONY: ci setup-ubuntu
+
+ci:
+	cargo test --verbose
+
+setup-ubuntu:
+	sudo apt install llvm libclang-dev make

examples/usbip.rs

@@ -287,6 +287,8 @@ struct Apps {
     secrets: secrets_app::Authenticator<VirtClient>,
 }
 
+const MAX_RESIDENT_CREDENTIAL_COUNT: u32 = 50;
+
 impl trussed_usbip::Apps<VirtClient, dispatch::Dispatch> for Apps {
     type Data = ();
     fn new<B: ClientBuilder<VirtClient, dispatch::Dispatch>>(builder: &B, _data: ()) -> Self {
@@ -296,6 +298,7 @@ impl trussed_usbip::Apps<VirtClient, dispatch::Dispatch> for Apps {
             fido_authenticator::Config {
                 max_msg_size: MESSAGE_SIZE,
                 skip_up_timeout: None,
+                max_resident_credential_count: Some(MAX_RESIDENT_CREDENTIAL_COUNT),
             },
         );
         let admin = admin_app::App::new(builder.build("admin", &[BackendId::Core]), [0; 16], 0);

fuzz/Cargo.toml

@@ -19,17 +19,19 @@ iso7816 = "0.1"
 serde = { version = "1", default-features = false }
 trussed = { version = "0.1.0", features = ["virt", "verbose-tests"] }
 ctaphid-dispatch = { version = "0.1", optional = true }
-usbd-ctaphid = { git = "https://github.com/Nitrokey/nitrokey-3-firmware", optional = true }
 clap = { version = "3.0.0", features = ["cargo", "derive"] }
 clap-num = "1.0.0"
 pretty_env_logger = "0.4.0"
 
+# extension
+trussed-auth = "0.2.2"
+
 
 [dependencies.secrets-app]
 path = ".."
 
 [features]
-default = ["ctaphid-dispatch", "usbd-ctaphid", "apdu-dispatch"]
+default = ["ctaphid-dispatch", "apdu-dispatch"]
 
 
 # Prevent this from interfering with workspaces
@@ -53,5 +55,6 @@ doc = false
 
 
 [patch.crates-io]
-trussed = { git = "https://github.com/trussed-dev/trussed", branch = "main" }
-flexiber = { git = "https://github.com/Nitrokey/flexiber", rev = "0.1.1.nitrokey" }
+flexiber = { git = "https://github.com/Nitrokey/flexiber", tag = "0.1.1.nitrokey" }
+trussed = { git = "https://github.com/Nitrokey/trussed", tag = "v0.1.0-nitrokey.11" }
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth/", tag = "v0.2.2" }

fuzz/Makefile

@@ -33,13 +33,22 @@ fuzz-cov-show:
 		> fuzz_coverage.html
 
 .PHONY: ci
-ci: check
+ci:
+	$(MAKE) fuzz FUZZ_DURATION=10 FUZZ_JOBS=1
 
 .PHONY: setup
 setup:
 	rustup component add clippy rustfmt && rustup toolchain install nightly
 	rustup component add llvm-tools-preview
-	cargo install cargo-tarpaulin cargo-fuzz --profile release
-	python3 -m pip install reuse
+	cargo install cargo-fuzz --profile release
+	#cargo install cargo-tarpaulin --profile release  # for coverage
+	# python3 -m pip install reuse
 	# Fedora 37
 	# sudo ln -s libclang.so.15 libclang.so
+
+.PHONY: setup-ubuntu
+setup-ubuntu:
+	sudo apt install llvm libclang-dev make curl clang pkg-config libssl-dev python3-pip git
+	# rust
+	# curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+	# source "$HOME/.cargo/env"

fuzz/fuzz_targets/fuzz_target_1.rs

@@ -38,9 +38,22 @@ fn parse(data: &[u8]) -> Vec<&[u8]> {
     res
 }
 
+use trussed::types::Location;
+mod virt;
+
 fuzz_target!(|data: &[u8]| {
-    trussed::virt::with_ram_client("secrets", move |client| {
-        let mut secrets = secrets_app::Authenticator::<_>::new(client);
+
+    virt::with_ram_client("secrets", move |client| {
+
+        let options = secrets_app::Options::new(
+            Location::Internal,
+            0,
+            1,
+            [0x42, 0x42, 0x42, 0x42],
+            u16::MAX,
+        );
+        let mut secrets = secrets_app::Authenticator::new(client, options);
+
         let mut response = heapless::Vec::<u8, { 3 * 1024 }>::new();
 
         let commands = parse(data);

fuzz/fuzz_targets/virt.rs

@@ -0,0 +1,38 @@
+// Taken from Opcard-rs implementation
+// https://github.com/Nitrokey/opcard-rs/blob/ef8ee3b20958cf605a8d93ee98d28e337da9770f/src/virt.rs
+
+mod dispatch;
+
+use trussed::{
+    types::Bytes,
+    virt::{self, Client, Ram, StoreProvider},
+};
+
+/// Client type using a dispatcher with the backends required
+pub type VirtClient<S> = Client<S, dispatch::Dispatch>;
+
+/// Run a client using a provided store
+pub fn with_client<S, R, F>(store: S, client_id: &str, f: F) -> R
+    where
+        F: FnOnce(VirtClient<S>) -> R,
+        S: StoreProvider,
+{
+    #[allow(clippy::unwrap_used)]
+    virt::with_platform(store, |platform| {
+        platform.run_client_with_backends(
+            client_id,
+            dispatch::Dispatch::with_hw_key(Bytes::from_slice(b"some bytes").unwrap()),
+            dispatch::BACKENDS,
+            f,
+        )
+    })
+}
+
+/// Run the backend with the extensions required
+/// using a RAM file storage
+pub fn with_ram_client<R, F>(client_id: &str, f: F) -> R
+    where
+        F: FnOnce(VirtClient<Ram>) -> R,
+{
+    with_client(Ram::default(), client_id, f)
+}

fuzz/fuzz_targets/virt/dispatch.rs

@@ -0,0 +1,104 @@
+use trussed::{
+    api::{reply, request, Reply, Request},
+    backend::{Backend as _, BackendId},
+    error::Error,
+    platform::Platform,
+    serde_extensions::{ExtensionDispatch, ExtensionId, ExtensionImpl as _},
+    service::ServiceResources,
+    types::{Bytes, Context, Location},
+};
+use trussed_auth::{AuthBackend, AuthContext, AuthExtension, MAX_HW_KEY_LEN};
+
+pub const BACKENDS: &[BackendId<Backend>] =
+    &[BackendId::Custom(Backend::Auth), BackendId::Core];
+
+pub enum Backend {
+    Auth,
+}
+
+pub enum Extension {
+    Auth,
+}
+
+impl From<Extension> for u8 {
+    fn from(extension: Extension) -> Self {
+        match extension {
+            Extension::Auth => 0,
+        }
+    }
+}
+
+impl TryFrom<u8> for Extension {
+    type Error = Error;
+
+    fn try_from(id: u8) -> Result<Self, Self::Error> {
+        match id {
+            0 => Ok(Extension::Auth),
+            _ => Err(Error::InternalError),
+        }
+    }
+}
+
+pub struct Dispatch {
+    auth: AuthBackend,
+}
+
+#[derive(Default)]
+pub struct DispatchContext {
+    auth: AuthContext,
+}
+
+impl Dispatch {
+    pub fn with_hw_key(hw_key: Bytes<MAX_HW_KEY_LEN>) -> Self {
+        Self {
+            auth: AuthBackend::with_hw_key(Location::Internal, hw_key),
+        }
+    }
+}
+
+impl ExtensionDispatch for Dispatch {
+    type BackendId = Backend;
+    type Context = DispatchContext;
+    type ExtensionId = Extension;
+
+    fn core_request<P: Platform>(
+        &mut self,
+        backend: &Self::BackendId,
+        ctx: &mut Context<Self::Context>,
+        request: &Request,
+        resources: &mut ServiceResources<P>,
+    ) -> Result<Reply, Error> {
+        match backend {
+            Backend::Auth => {
+                self.auth
+                    .request(&mut ctx.core, &mut ctx.backends.auth, request, resources)
+            }
+        }
+    }
+
+    fn extension_request<P: Platform>(
+        &mut self,
+        backend: &Self::BackendId,
+        extension: &Self::ExtensionId,
+        ctx: &mut Context<Self::Context>,
+        request: &request::SerdeExtension,
+        resources: &mut ServiceResources<P>,
+    ) -> Result<reply::SerdeExtension, Error> {
+        match backend {
+            Backend::Auth => match extension {
+                Extension::Auth => self.auth.extension_request_serialized(
+                    &mut ctx.core,
+                    &mut ctx.backends.auth,
+                    request,
+                    resources,
+                ),
+            },
+        }
+    }
+}
+
+impl ExtensionId<AuthExtension> for Dispatch {
+    type Id = Extension;
+
+    const ID: Self::Id = Self::Id::Auth;
+}

src/command.rs

@@ -696,7 +696,7 @@ impl<'l, const C: usize> TryFrom<&'l Data<C>> for Register<'l> {
             let mut next_decoded: Option<TaggedSlice> = decoder.decode().ok();
             while let Some(next) = next_decoded {
                 let tag = next.tag().embedding().number as u8;
-                let tag = Tag::try_from(tag).unwrap();
+                let tag = Tag::try_from(tag).map_err(|_| FAILED_PARSING_ERROR)?;
                 let tag_data = next.as_bytes();
 
                 // Following should be caught before this loop