Comments (5)
FlorianUekermann
commented on July 1, 2024
1
Well, I believe the protocol is still exposed on an hsm, we just don't advertise it in the descriptor. So if any illegitimate use of the protocol can lead to sensitive leaks, we need to deactivate it. But I don't have a scenario.
Well... even if it is a problem, which I doubt, the protocol will be properly deactivated once the hsm branch goes away.
from nitrokey-pro-firmware.
szszszsz
commented on July 1, 2024
Hi @MaVo159 !
I agree - this looks like obvious typo, it should be memset instead.
Reference: memset memcpy.
from nitrokey-pro-firmware.
szszszsz
commented on July 1, 2024
Note: clearing is already correctly implemented in Storage firmware (checking same file, that is report_protocol.c)
Edit: Other files seems OK in both projects. Searched with memcpy.*0 regexp.
from nitrokey-pro-firmware.
FlorianUekermann
commented on July 1, 2024
Just checking that my logic isn't off. The nk hsm doesn't use this protocol at all, so these bugs don't matter on the temporary hsm branch. Actually, someone could still use it, but we would never expect a sane user to actually generate reports with sensitive info on an hsm...
Correct?
Otherwise we should remove the corresponding USB callbacks on the hsm branch to make sure this code is dead on hsm.
from nitrokey-pro-firmware.
szszszsz
commented on July 1, 2024
The functions listed in report_protocol.c (HID protocol) are not used anywhere else. I believe HSM is officially not supporting HID, so we can safely skip porting these changes to hsm branch.
from nitrokey-pro-firmware.
Related Issues (20)
- Nitrokey HSM: handle v4.0 smart cards
- Question: Support EC operations HOT 1
- Request: support longer OTP secrets, up to 64 bytes
- Nitrokey HSM: timeout on initialization after heavy use
- Nitrokey HSM: invalid serial number after a heavy load
- Allow to set a custom USB serial number
- WRONG_PASSWORD after accessing Nitrokey with scdrand HOT 10
- Adjust firmware for the new MCU
- Customise firmware HOT 3
- Adding Curve25519 support (on my own) HOT 2
- Consider using stack canaries via -fstack-protector* flags HOT 2
- Instructions with modern OpenOCD? HOT 6
- HW4: swapped red and green LEDs
- Lock device before Factory Reset execution
- Add HMAC for AES key
- OTP functionality HOT 7
- Document minimum compiler version
- Nitrokey Pro firmware upgrade from 0.9 -> 0.14 impossible from nitropy? HOT 6
- R3 Nitrokey Pro failure to enable update mode HOT 6
- PGP key used to sign binary firmware is not available HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nitrokey-pro-firmware.