Merge pull request #761 from Nitrokey/hotp-neutral

Fix branding issue with HOTP USB Security Dongles
2025-01-30 16:14:01 +00:00 · 2020-07-23 15:05:13 -04:00 · 2020-07-23 15:05:13 -04:00 · 7ea13ee000
commit 7ea13ee000
parent d5262f11d4 d472c43c79
14 changed files with 99 additions and 140 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -8,13 +8,13 @@ stages:
 build:
  stage: build
-  retry: 2
+  retry: 1
  cache:
    paths:
      - packages
      - crossgcc
      - build
-    key: "heads-$GITLAB_USER_LOGIN"
+    key: "heads-$GITLAB_USER_LOGIN-2"
  script:
    - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
    - git fetch origin 
@ -75,6 +75,8 @@ build:
    - cat ./build/qemu-coreboot/hashes.txt
    - echo "Archiving qemu-coreboot logs..."
    - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/*
    - echo "Calculate used space for cache"
    - du -shc packages crossgcc build
  artifacts:
    paths:
      - ./build/qemu-coreboot
--- a/2
+++ b/2
@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
 bin_modules-$(CONFIG_NEWT) += newt
 bin_modules-$(CONFIG_CAIRO) += cairo
 bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
-bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
+bin_modules-$(CONFIG_HOTPKEY) += hotp-verification
 bin_modules-$(CONFIG_MSRTOOLS) += msrtools
 $(foreach m, $(bin_modules-y), \
--- a/boards/librem13v2/librem13v2.config
+++ b/boards/librem13v2/librem13v2.config
@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
--- a/boards/librem13v4/librem13v4.config
+++ b/boards/librem13v4/librem13v4.config
@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
--- a/boards/librem15v3/librem15v3.config
+++ b/boards/librem15v3/librem15v3.config
@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
--- a/boards/librem15v4/librem15v4.config
+++ b/boards/librem15v4/librem15v4.config
@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
--- a/boards/x230-hotp-verification/x230-hotp-verification.config
+++ b/boards/x230-hotp-verification/x230-hotp-verification.config
@ -24,7 +24,7 @@ CONFIG_DROPBEAR=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -92,10 +92,10 @@ update_totp()
 {
  echo "Scan the QR code to add the new TOTP secret"
  /bin/seal-totp
-  if [ -x /bin/libremkey_hotp_verification ]; then
+  if [ -x /bin/hotp_verification ]; then
-    echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
+    echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
    read
-    /bin/seal-libremkey
+    /bin/seal-hotpkey
  else
    echo "Once you have scanned the QR code, hit Enter to continue"
    read
@ -118,7 +118,7 @@ clean_boot_check()
  [ $GPG_KEY_COUNT -ne 0 ] && return
   # check for USB security token
-  if [ "$CONFIG_LIBREMKEY" = "y" ]; then
+  if [ "$CONFIG_HOTPKEY" = "y" ]; then
    enable_usb
    if ! gpg --card-status > /dev/null ; then
      return
@ -140,6 +140,13 @@ else
  mount_boot
 fi
 # Use stored HOTP key branding
 if [ -r /boot/kexec_hotp_key ]; then
 	HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
 else
 	HOTPKEY_BRANDING="HOTP USB Security Dongle"
 fi
 last_half=X
 while true; do
  MAIN_MENU_OPTIONS=""
@ -188,14 +195,16 @@ while true; do
  fi
  if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then 
-    if [ -x /bin/libremkey_hotp_verification ]; then
+    if [ -x /bin/hotp_verification ]; then
      HOTP=`unseal-hotp`
      enable_usb
-      if ! libremkey_hotp_verification info ; then
+      if ! hotp_verification info ; then
-        whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90
+        whiptail $CONFIG_WARNING_BG_COLOR --clear \
 	--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
 	--msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
        fi
      # Don't output HOTP codes to screen, so as to make replay attacks harder
-      libremkey_hotp_verification check $HOTP
+      hotp_verification check $HOTP
      case "$?" in
        0 )
          HOTP="Success"
@ -205,7 +214,7 @@ while true; do
          MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
        ;;
        * )
-          HOTP="Error checking code, Insert Librem Key and retry"
+          HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
          MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
        ;;
      esac
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@ -84,9 +84,9 @@ cat "$KEY_DEVICES" | cut -d\  -f1 | xargs /bin/qubes-measure-luks \
 	|| die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
-# Librem Key loads USB modules which changes PCR5.
+# HOTP USB Secrity Dongle loads USB modules which changes PCR5.
-# In the event Librem Key is enabled, skip verification of PCR5
+# In the event HOTP USB Security Dongle is enabled, skip verification of PCR5
-if [ -x /bin/libremkey_hotp_verification ]; then
+if [ -x /bin/hotp_verification ]; then
  pcr_5="X"
 else
  pcr_5="0000000000000000000000000000000000000000"
--- a/initrd/bin/seal-libremkey
+++ b/initrd/bin/seal-libremkey
@ -1,11 +1,12 @@
 #!/bin/sh
-# Retrieve the sealed TOTP secret and initialize a Librem Key with it
+# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
 . /etc/functions
 HOTP_SEALED="/tmp/secret/hotp.sealed"
 HOTP_SECRET="/tmp/secret/hotp.key"
 HOTP_COUNTER="/boot/kexec_hotp_counter"
 HOTP_KEY="/boot/kexec_hotp_key"
 mount_boot()
 {
@ -16,6 +17,13 @@ mount_boot()
  fi
 }
 # Use stored HOTP key branding (this might be useful after OEM reset)
 if [ -r /boot/kexec_hotp_key ]; then
 	HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
 else
 	HOTPKEY_BRANDING="HOTP USB Security Dongle"
 fi
 tpm nv_readvalue \
 	-in 4d47 \
 	-sz 312 \
@ -49,26 +57,35 @@ mount_boot
 counter_value=1
 enable_usb
-if ! libremkey_hotp_verification info ; then
+if ! hotp_verification info ; then
-  echo "Insert your Librem Key and press Enter to configure it"
+  echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
  read
-  if ! libremkey_hotp_verification info ; then
+  if ! hotp_verification info ; then
    # don't leak key on failure
    shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
-    die "Unable to find Librem Key"
+    die "Unable to find $HOTPKEY_BRANDING"
  fi
 fi
 # Set HOTP USB Security Dongle branding based on VID
 if [ ! $(lsusb | grep -q "20a0:") ]; then
 	HOTPKEY_BRANDING="Nitrokey"
 elif [ ! $(lsusb | grep -q "316d:") ]; then
 	HOTPKEY_BRANDING="Librem Key"
 else
 	HOTPKEY_BRANDING="HOTP USB Security Dongle"
 fi
 echo -e ""
-read -s -p "Enter your Librem Key Admin PIN: " admin_pin
+read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
 echo -e "\n"
-libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value 
+hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
 if [ $? -ne 0 ]; then
  echo -e "\n"
  read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
  echo -e "\n"
-  if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
+  if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
    # don't leak key on failure
    shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
    die "Setting HOTP secret failed"
@ -90,11 +107,15 @@ counter_value=`expr $counter_value + 1`
 echo $counter_value > $HOTP_COUNTER \
 || die "Unable to create hotp counter file"
 # Store/overwrite HOTP USB Security Dongle branding found out beforehand
 echo $HOTPKEY_BRANDING > $HOTP_KEY \
 || die "Unable to store hotp key file"
 #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
 #|| die "Unable to create hotp counter file"
 mount -o remount,ro /boot
-echo -e "\nLibrem Key initialized successfully. Press Enter to continue."
+echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
 read
 exit 0
--- a/modules/hidapi
+++ b/modules/hidapi
@ -1,2 +1,2 @@
 # empty placeholder file
-# This submodule is defined in modules/libremkey-hotp-verification
+# This submodule is defined in modules/hotp-verification
--- a/modules/hotp-verification
+++ b/modules/hotp-verification
@ -0,0 +1,37 @@
 modules-$(CONFIG_HOTPKEY) += hotp-verification
 hotp-verification_depends := libusb $(musl_dep)
 hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a
 hotp-verification_dir := hotp-verification-$(hotp-verification_version)
 hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
 hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
 hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79
 hotp-verification_target := \
 	$(MAKE_JOBS) \
 	$(CROSS_TOOLS) \
 hotp-verification_output := \
 	hotp_verification \
 	hotp_initialize
 hotp-verification_configure := \
  INSTALL="$(INSTALL)" \
  CROSS="$(CROSS)" \
  $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)"
 hotp-verification_depends  += hidapi
 modules-y += hidapi
 hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
 hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi
 hidapi_tar := hidapi-$(hidapi_version).tar.xz
 hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
 hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
 ## hidapi will be built as part of hotp-verification
 ## so nothing to do here (but need make to be happy)
 hidapi_output := .built
 hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile
--- a/modules/libremkey-hotp-verification
+++ b/modules/libremkey-hotp-verification
@ -1,37 +0,0 @@
 modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
 libremkey-hotp-verification_depends := libusb $(musl_dep)
 libremkey-hotp-verification_version := 809953b9b4bef97a4cffaa20d675bd7fe9d8da53
 libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)
 libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz
 libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz
 libremkey-hotp-verification_hash := 251e5cef74e4e45eeddc49e4a1da1e22d1de774cd32cb0451a9030579ae958ba
 libremkey-hotp-verification_target := \
 	$(MAKE_JOBS) \
 	$(CROSS_TOOLS) \
 libremkey-hotp-verification_output := \
 	libremkey_hotp_verification \
 	libremkey_hotp_initialize
 libremkey-hotp-verification_configure := \
  INSTALL="$(INSTALL)" \
  CROSS="$(CROSS)" \
  $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)"
 libremkey-hotp-verification_depends  += hidapi
 modules-y += hidapi
 hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
 hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi
 hidapi_tar := hidapi-$(hidapi_version).tar.xz
 hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
 hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
 ## hidapi will be built as part of libremkey-hotp-verification
 ## so nothing to do here (but need make to be happy)
 hidapi_output := .built
 hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile
--- a/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch
+++ b/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch
@ -1,73 +0,0 @@
 --- nitrokey-hotp-verification-a/Toolchain-heads.cmake	2018-05-22 09:55:46.907209235 -0700
 +++ nitrokey-hotp-verification-b/Toolchain-heads.cmake	2018-05-22 09:55:26.659371966 -0700
@@ -0,0 +1,27 @@
 +SET(CMAKE_SYSTEM_NAME Linux)
 +SET(CMAKE_SYSTEM_VERSION 1)
 +
 +# Specify the cross compiler
 +SET(CMAKE_C_COMPILER $ENV{CROSS}gcc)
 +SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc)
 +
 +#sysroot location
 +set(MYSYSROOT $ENV{INSTALL})
 +
 +# compiler/linker flags
 +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
 +set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
 +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
 +set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
 +
 +# Where is the target environment
 +SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}")
 +
 +# Search for programs only in the build host directories
 +SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
 +
 +# Search for libraries and headers only in the target directories
 +SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
 +SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
 +
 +INCLUDE_DIRECTORIES(hidapi)
 --- libremkey-hotp-verification/device.c	2018-06-20 16:13:36.417804210 -0700
 +++ libremkey-hotp-verification-b/device.c	2018-06-20 16:14:34.532367723 -0700
@@ -34,7 +34,7 @@
 const unsigned short m_vid = 0x20a0;
 const unsigned short m_pid = 0x4108;
 -static const int CONNECTION_ATTEMPTS_COUNT = 80;
 +static const int CONNECTION_ATTEMPTS_COUNT = 2;
 static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2;
 --- libremkey-hotp-verification/libremkey_hotp_initialize
 +++ libremkey-hotp-verification-b/libremkey_hotp_initialize
@@ -14,9 +14,9 @@ fi
 PIN=$1
 SECRET=$2
 COUNTER=$3
 -SECRET_B32=$(echo -n $SECRET | base32)
 +SECRET_B32=$(cat $SECRET | base32)
 -libremkey_hotp_verification set $SECRET_B32 $PIN 
 +libremkey_hotp_verification set $SECRET_B32 "$PIN"
 if [ $? -ne 0 ]; then
   echo "ERROR: Setting HOTP secret on Librem Key failed!"
   exit 1
@@ -25,7 +25,7 @@ fi
 i=9
 while [ "$i" -lt "$COUNTER" ]; do
   echo "Updating counter to $i"
 -  HOTP_CODE=$(echo $SECRET | hotp $i)
 +  HOTP_CODE=$(hotp $i < $SECRET)
   libremkey_hotp_verification check $HOTP_CODE > /dev/null
   if [ $? -ne 0 ]; then
     echo "HOTP check failed for counter=$i, code=$HOTP_CODE"
@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do
   let "i += 10"
 done
 -HOTP_CODE=$(echo $SECRET | hotp $COUNTER)
 +HOTP_CODE=$(hotp $COUNTER < $SECRET)
 libremkey_hotp_verification check $HOTP_CODE > /dev/null
 if [ $? -ne 0 ]; then
   echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE"
`@ -1,2 +1,2 @@`
	`# empty placeholder file`	`# empty placeholder file`
	`# This submodule is defined in modules/libremkey-hotp-verification`	`# This submodule is defined in modules/hotp-verification`