Merge pull request #588 from MrChromebox/hotp_fixes

HOTP fixes
This commit is contained in:
Kyle Rankin 2019-06-25 08:48:42 -07:00 committed by GitHub
commit a29c10ad51
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 8 deletions

View File

@ -29,8 +29,6 @@ tpm unsealfile \
|| die "Unable to unseal HOTP secret"
shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
secret="`cat $HOTP_SECRET`"
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
@ -54,21 +52,28 @@ enable_usb
if ! libremkey_hotp_verification info ; then
echo "Insert your Librem Key and press Enter to configure it"
read
libremkey_hotp_verification info \
|| die "Unable to find Librem Key"
if ! libremkey_hotp_verification info ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Unable to find Librem Key"
fi
fi
read -s -p "Enter your Librem Key Admin PIN" admin_pin
echo
libremkey_hotp_initialize $admin_pin $secret $counter_value
libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
if [ $? -ne 0 ]; then
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin
libremkey_hotp_initialize $admin_pin $secret $counter_value \
|| die "Setting HOTP secret failed"
if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Setting HOTP secret failed"
fi
fi
secret=""
# HOTP key no longer needed
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
# Make sure our counter is incremented ahead of the next check
#increment_tpm_counter $counter > /dev/null \

View File

@ -30,3 +30,35 @@
static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2;
--- libremkey-hotp-verification/libremkey_hotp_initialize
+++ libremkey-hotp-verification-b/libremkey_hotp_initialize
@@ -14,9 +14,9 @@ fi
PIN=$1
SECRET=$2
COUNTER=$3
-SECRET_B32=$(echo -n $SECRET | base32)
+SECRET_B32=$(cat $SECRET | base32)
-libremkey_hotp_verification set $SECRET_B32 $PIN
+libremkey_hotp_verification set $SECRET_B32 "$PIN"
if [ $? -ne 0 ]; then
echo "ERROR: Setting HOTP secret on Librem Key failed!"
exit 1
@@ -25,7 +25,7 @@ fi
i=9
while [ "$i" -lt "$COUNTER" ]; do
echo "Updating counter to $i"
- HOTP_CODE=$(echo $SECRET | hotp $i)
+ HOTP_CODE=$(hotp $i < $SECRET)
libremkey_hotp_verification check $HOTP_CODE > /dev/null
if [ $? -ne 0 ]; then
echo "HOTP check failed for counter=$i, code=$HOTP_CODE"
@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do
let "i += 10"
done
-HOTP_CODE=$(echo $SECRET | hotp $COUNTER)
+HOTP_CODE=$(hotp $COUNTER < $SECRET)
libremkey_hotp_verification check $HOTP_CODE > /dev/null
if [ $? -ne 0 ]; then
echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE"