ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-19 21:17:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

patches/hotp-verification-*/46.patch : readd https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46 so that this PR can be tested and reviewed from OEM Factory Reset/User Re-Ownership perspective

Browse Source 
(PR 43 not in which fixes hotp_verification info, needed to reuse default PINs under seal-hotp if pubkey age <1 month and if Secret app PIN/GPG Admin PIN count >=3 )

Repro:
mkdir patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346
wget https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch -O patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch
sudo rm -rf  build/x86/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/
./docker_repro.sh make BOARD=qemu-coreboot-whiptail-tpm2-hotp USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-12-07 11:12:38 -05:00
parent 86a61586b5
commit 4b4ac60240
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
1 changed files with 219 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

219
patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch Normal file
View File

@ -0,0 +1,219 @@
From de355ed93ba50280bf377772082b76b7a2285185 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= <sosthene@nitrokey.com>
Date: Mon, 25 Nov 2024 17:04:47 +0100
Subject: [PATCH 1/3] Add reset command for nitrokey 3
---
src/main.c | 10 ++++++++--
src/operations_ccid.c | 41 +++++++++++++++++++++++++++++++++++++++++
src/operations_ccid.h | 1 +
3 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/src/main.c b/src/main.c
index 059069e..b80b71d 100644
--- a/src/main.c
+++ b/src/main.c
@@ -21,6 +21,7 @@
#include "ccid.h"
#include "operations.h"
+#include "operations_ccid.h"
#include "return_codes.h"
#include "utils.h"
#include "version.h"
@@ -134,8 +135,13 @@ int parse_cmd_and_run(int argc, char *const *argv) {
}
break;
case 'r':
- if (argc != 3) break;
- res = regenerate_AES_key(&dev, argv[2]);
+ if (strncmp(argv[1], "reset", 15) == 0) {
+ if (argc != 2) break;
+ res = nk3_reset(&dev);
+ } else if (strncmp(argv[1], "regenerate", 15) == 0) {
+ if (argc != 3) break;
+ res = regenerate_AES_key(&dev, argv[2]);
+ }
break;
default:
break;
diff --git a/src/operations_ccid.c b/src/operations_ccid.c
index eb46124..574155d 100644
--- a/src/operations_ccid.c
+++ b/src/operations_ccid.c
@@ -32,6 +32,47 @@
#include <string.h>
+
+int nk3_reset(struct Device *dev) {
+ libusb_device *usb_dev;
+ struct libusb_device_descriptor usb_desc;
+ usb_dev = libusb_get_device(dev->mp_devhandle_ccid);
+
+ int r = libusb_get_device_descriptor(usb_dev, &usb_desc);
+
+ if (r < 0) {
+ return r;
+ }
+
+
+ if (usb_desc.idVendor != NITROKEY_USB_VID || usb_desc.idProduct != NITROKEY_3_USB_PID) {
+ return 0;
+ }
+
+
+ uint8_t buf[10];
+ // encode
+ uint32_t icc_actual_length = iso7816_compose(buf, sizeof buf, Ins_Reset, 0xDE, 0xAD, 0, 0, NULL, 0);
+
+ // encode ccid wrapper
+ icc_actual_length = icc_compose(dev->ccid_buffer_out, sizeof dev->ccid_buffer_out,
+ 0x6F, icc_actual_length,
+ 0, 0, 0, buf);
+ // send
+ IccResult iccResult;
+ r = ccid_process_single(dev->mp_devhandle_ccid, dev->ccid_buffer_in, sizeof dev->ccid_buffer_in,
+ dev->ccid_buffer_out, icc_actual_length, &iccResult);
+ if (r != 0) {
+ return r;
+ }
+ // check status code
+ if (iccResult.data_status_code != 0x9000) {
+ return 1;
+ }
+
+ return RET_NO_ERROR;
+}
+
int set_pin_ccid(struct Device *dev, const char *admin_PIN) {
TLV tlvs[] = {
{
diff --git a/src/operations_ccid.h b/src/operations_ccid.h
index b26b3c7..ec0070c 100644
--- a/src/operations_ccid.h
+++ b/src/operations_ccid.h
@@ -11,6 +11,7 @@ int authenticate_or_set_ccid(struct Device *dev, const char *admin_PIN);
int set_secret_on_device_ccid(struct Device *dev, const char *admin_PIN, const char *OTP_secret_base32, const uint64_t hotp_counter);
int verify_code_ccid(struct Device *dev, const uint32_t code_to_verify);
int status_ccid(libusb_device_handle *handle, int *attempt_counter, uint16_t *firmware_version, uint32_t *serial_number);
+int nk3_reset(struct Device *dev);
#endif//NITROKEY_HOTP_VERIFICATION_OPERATIONS_CCID_H
From 8425e8c622138aef9ab207119e14f7cbedd40175 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= <sosthene@nitrokey.com>
Date: Mon, 2 Dec 2024 10:29:59 +0100
Subject: [PATCH 2/3] Add optional new pin when resetting
---
src/main.c | 9 +++++----
src/operations_ccid.c | 6 +++++-
src/operations_ccid.h | 5 ++++-
3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/main.c b/src/main.c
index b80b71d..3f4a1cc 100644
--- a/src/main.c
+++ b/src/main.c
@@ -38,9 +38,10 @@ void print_help(char *app_name) {
"\t%s info\n"
"\t%s version\n"
"\t%s check <HOTP CODE>\n"
- "\t%s regenerate <ADMIN PIN>\n"
+ "\t%s reset [ADMIN PIN]\n"
+ "\t%s regenerate\n"
"\t%s set <BASE32 HOTP SECRET> <ADMIN PIN> [COUNTER]\n",
- app_name, app_name, app_name, app_name, app_name, app_name);
+ app_name, app_name, app_name, app_name, app_name, app_name, app_name);
}
@@ -136,8 +137,8 @@ int parse_cmd_and_run(int argc, char *const *argv) {
break;
case 'r':
if (strncmp(argv[1], "reset", 15) == 0) {
- if (argc != 2) break;
- res = nk3_reset(&dev);
+ if (argc != 2 && argc != 3) break;
+ res = nk3_reset(&dev, argc == 3 ? argv[2]: NULL);
} else if (strncmp(argv[1], "regenerate", 15) == 0) {
if (argc != 3) break;
res = regenerate_AES_key(&dev, argv[2]);
diff --git a/src/operations_ccid.c b/src/operations_ccid.c
index 574155d..07834ce 100644
--- a/src/operations_ccid.c
+++ b/src/operations_ccid.c
@@ -33,7 +33,7 @@
-int nk3_reset(struct Device *dev) {
+int nk3_reset(struct Device *dev, const char * new_pin) {
libusb_device *usb_dev;
struct libusb_device_descriptor usb_desc;
usb_dev = libusb_get_device(dev->mp_devhandle_ccid);
@@ -70,6 +70,10 @@ int nk3_reset(struct Device *dev) {
return 1;
}
+ if (new_pin != NULL) {
+ set_pin_ccid(dev, new_pin);
+ }
+
return RET_NO_ERROR;
}
diff --git a/src/operations_ccid.h b/src/operations_ccid.h
index ec0070c..61cad72 100644
--- a/src/operations_ccid.h
+++ b/src/operations_ccid.h
@@ -11,7 +11,10 @@ int authenticate_or_set_ccid(struct Device *dev, const char *admin_PIN);
int set_secret_on_device_ccid(struct Device *dev, const char *admin_PIN, const char *OTP_secret_base32, const uint64_t hotp_counter);
int verify_code_ccid(struct Device *dev, const uint32_t code_to_verify);
int status_ccid(libusb_device_handle *handle, int *attempt_counter, uint16_t *firmware_version, uint32_t *serial_number);
-int nk3_reset(struct Device *dev);
+// new_pin can be `null`
+//
+// If it is, no new pin will be set
+int nk3_reset(struct Device *dev, const char * new_pin);
#endif//NITROKEY_HOTP_VERIFICATION_OPERATIONS_CCID_H
From 596f701985682adf6bfab06c78cbe132cbcb2aae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= <sosthene@nitrokey.com>
Date: Tue, 3 Dec 2024 10:48:27 +0100
Subject: [PATCH 3/3] Fix null pointer bug on non nk3
---
src/operations_ccid.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/operations_ccid.c b/src/operations_ccid.c
index 07834ce..538d434 100644
--- a/src/operations_ccid.c
+++ b/src/operations_ccid.c
@@ -36,6 +36,12 @@
int nk3_reset(struct Device *dev, const char * new_pin) {
libusb_device *usb_dev;
struct libusb_device_descriptor usb_desc;
+
+ if (!dev->mp_devhandle_ccid) {
+ // Not an NK3
+ return RET_NO_ERROR;
+ }
+
usb_dev = libusb_get_device(dev->mp_devhandle_ccid);
int r = libusb_get_device_descriptor(usb_dev, &usb_desc);
@@ -46,7 +52,7 @@ int nk3_reset(struct Device *dev, const char * new_pin) {
if (usb_desc.idVendor != NITROKEY_USB_VID || usb_desc.idProduct != NITROKEY_3_USB_PID) {
- return 0;
+ return RET_NO_ERROR;
}