mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-21 22:07:52 +00:00
0a35ef912f
HOTP/TOTP secrets don't have to be printable. Use binary data to include 160 bits of entropy instead of just 80. The secret is still limited to 20 bytes. Most keys now support up to 40 bytes, but tpmtotp is still limited to 20 bytes. Move the truncation to 20 bytes a bit later, for future improvements to detect the key's actual limit. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
72 lines
1.9 KiB
Bash
Executable File
72 lines
1.9 KiB
Bash
Executable File
#!/bin/bash
|
|
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
|
|
|
|
. /etc/functions
|
|
|
|
HOTP_SECRET="/tmp/secret/hotp.key"
|
|
HOTP_COUNTER="/boot/kexec_hotp_counter"
|
|
|
|
mount_boot_or_die()
|
|
{
|
|
TRACE "Under /bin/unseal-hotp:mount_boot_or_die"
|
|
# Mount local disk if it is not already mounted
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
mount -o ro /boot \
|
|
|| die "Unable to mount /boot"
|
|
fi
|
|
}
|
|
|
|
TRACE "Under /bin/unseal-hotp"
|
|
|
|
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
|
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
|
# get current value of HOTP counter in TPM, create if absent
|
|
mount_boot_or_die
|
|
|
|
#check_tpm_counter $HOTP_COUNTER hotp \
|
|
#|| die "Unable to find/create TPM counter"
|
|
#counter="$TPM_COUNTER"
|
|
#
|
|
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
|
|
#
|
|
|
|
counter_value=$(cat $HOTP_COUNTER)
|
|
|
|
if [ "$counter_value" == "" ]; then
|
|
die "Unable to read HOTP counter"
|
|
fi
|
|
|
|
#counter_value=$(printf "%d" 0x${counter_value})
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..."
|
|
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET"
|
|
else
|
|
# without a TPM, generate a secret based on the SHA-256 of the ROM
|
|
secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed"
|
|
fi
|
|
|
|
# Truncate the secret if it is longer than the maximum HOTP secret
|
|
truncate_max_bytes 20 "$HOTP_SECRET"
|
|
|
|
if ! hotp $counter_value < "$HOTP_SECRET"; then
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
die 'Unable to compute HOTP hash?'
|
|
fi
|
|
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
|
|
mount -o remount,rw /boot
|
|
|
|
counter_value=`expr $counter_value + 1`
|
|
echo $counter_value > $HOTP_COUNTER \
|
|
|| die "Unable to create hotp counter file"
|
|
|
|
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|
|
#|| die "Unable to create hotp counter file"
|
|
mount -o remount,ro /boot
|
|
|
|
exit 0
|