From 32e70316785f599e28c38c62a3ac72ba5f7acb27 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Thu, 2 Jun 2022 13:52:51 -0400
Subject: [PATCH] bin/oem-factory-reset: prevent users to choose a GPG Admin
 PIN > 25 chars which would fail HOTP sealing

Fixes https://github.com/osresearch/heads/issues/1167
Circumvents https://github.com/Nitrokey/nitrokey-pro-firmware/issues/32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
---
 initrd/bin/oem-factory-reset | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 4c8d9e35..e479d2f7 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -22,6 +22,9 @@ USER_PIN=""
 ADMIN_PIN=""
 TPM_PASS=""
 
+#Circumvent Librem Key/Nitrokey HOTP firmware bug https://github.com/osresearch/heads/issues/1167
+MAX_HOTP_GPG_PIN_LENGTH=25
+
 # What are the Security components affected by custom passwords
 CUSTOM_PASS_AFFECTED_COMPONENTS=""
 
@@ -412,9 +415,9 @@ echo
 if [ "$prompt_output" == "y" \
   -o "$prompt_output" == "Y" ] \
 ; then
-  echo -e "\nThe chosen custom password must be at least 8 characters in length.\n"
+  echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
   echo
-  while [[  ${#CUSTOM_SINGLE_PASS} -lt 8 ]] ; do
+  while [[  ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]] ; do
     echo -e -n "Enter the custom password: "
     read CUSTOM_SINGLE_PASS
   done
@@ -442,11 +445,13 @@ else
         read TPM_PASS
       done
     fi
-    while [[  ${#ADMIN_PIN} -lt 8 ]] ; do
+    while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]] ; do
+      echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
       echo -e -n "Enter desired GPG Admin PIN: "
       read ADMIN_PIN
     done
-    while [[  ${#USER_PIN} -lt 8 ]] ; do
+    while [[  ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt 64 ]]; do
+      echo -e -n "\nThis PIN should be between 8 to 64 characters in length.\n"
       echo -e -n "Enter desired GPG User PIN: "
       read USER_PIN
     done