From 957a1b9979e1fa066a291f4f638496336dc9a3d8 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 7 Dec 2024 11:12:38 -0500 Subject: [PATCH] patches/hotp-verification-*/46.patch : radd https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46 so that this PR can be tested and reviewed from OEM Factory Reset/User Re-Ownership perspective (PR 43 not in which fixes hotp_verification info, needed to reuse default PINs under seal-hotp if pubkey age <1 month and if Secret app PIN/GPG Admin PIN count >=3 ) Repro: mkdir patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346 wget https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch -O patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch sudo rm -rf build/x86/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/ ./docker_repro.sh make BOARD=qemu-coreboot-whiptail-tpm2-hotp USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run Signed-off-by: Thierry Laurion --- .../46.patch | 219 ++++++++++++++++++ 1 file changed, 219 insertions(+) create mode 100644 patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch diff --git a/patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch b/patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch new file mode 100644 index 000000000..781c10ffa --- /dev/null +++ b/patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch @@ -0,0 +1,219 @@ +From de355ed93ba50280bf377772082b76b7a2285185 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= +Date: Mon, 25 Nov 2024 17:04:47 +0100 +Subject: [PATCH 1/3] Add reset command for nitrokey 3 + +--- + src/main.c | 10 ++++++++-- + src/operations_ccid.c | 41 +++++++++++++++++++++++++++++++++++++++++ + src/operations_ccid.h | 1 + + 3 files changed, 50 insertions(+), 2 deletions(-) + +diff --git a/src/main.c b/src/main.c +index 059069e..b80b71d 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -21,6 +21,7 @@ + + #include "ccid.h" + #include "operations.h" ++#include "operations_ccid.h" + #include "return_codes.h" + #include "utils.h" + #include "version.h" +@@ -134,8 +135,13 @@ int parse_cmd_and_run(int argc, char *const *argv) { + } + break; + case 'r': +- if (argc != 3) break; +- res = regenerate_AES_key(&dev, argv[2]); ++ if (strncmp(argv[1], "reset", 15) == 0) { ++ if (argc != 2) break; ++ res = nk3_reset(&dev); ++ } else if (strncmp(argv[1], "regenerate", 15) == 0) { ++ if (argc != 3) break; ++ res = regenerate_AES_key(&dev, argv[2]); ++ } + break; + default: + break; +diff --git a/src/operations_ccid.c b/src/operations_ccid.c +index eb46124..574155d 100644 +--- a/src/operations_ccid.c ++++ b/src/operations_ccid.c +@@ -32,6 +32,47 @@ + #include + + ++ ++int nk3_reset(struct Device *dev) { ++ libusb_device *usb_dev; ++ struct libusb_device_descriptor usb_desc; ++ usb_dev = libusb_get_device(dev->mp_devhandle_ccid); ++ ++ int r = libusb_get_device_descriptor(usb_dev, &usb_desc); ++ ++ if (r < 0) { ++ return r; ++ } ++ ++ ++ if (usb_desc.idVendor != NITROKEY_USB_VID || usb_desc.idProduct != NITROKEY_3_USB_PID) { ++ return 0; ++ } ++ ++ ++ uint8_t buf[10]; ++ // encode ++ uint32_t icc_actual_length = iso7816_compose(buf, sizeof buf, Ins_Reset, 0xDE, 0xAD, 0, 0, NULL, 0); ++ ++ // encode ccid wrapper ++ icc_actual_length = icc_compose(dev->ccid_buffer_out, sizeof dev->ccid_buffer_out, ++ 0x6F, icc_actual_length, ++ 0, 0, 0, buf); ++ // send ++ IccResult iccResult; ++ r = ccid_process_single(dev->mp_devhandle_ccid, dev->ccid_buffer_in, sizeof dev->ccid_buffer_in, ++ dev->ccid_buffer_out, icc_actual_length, &iccResult); ++ if (r != 0) { ++ return r; ++ } ++ // check status code ++ if (iccResult.data_status_code != 0x9000) { ++ return 1; ++ } ++ ++ return RET_NO_ERROR; ++} ++ + int set_pin_ccid(struct Device *dev, const char *admin_PIN) { + TLV tlvs[] = { + { +diff --git a/src/operations_ccid.h b/src/operations_ccid.h +index b26b3c7..ec0070c 100644 +--- a/src/operations_ccid.h ++++ b/src/operations_ccid.h +@@ -11,6 +11,7 @@ int authenticate_or_set_ccid(struct Device *dev, const char *admin_PIN); + int set_secret_on_device_ccid(struct Device *dev, const char *admin_PIN, const char *OTP_secret_base32, const uint64_t hotp_counter); + int verify_code_ccid(struct Device *dev, const uint32_t code_to_verify); + int status_ccid(libusb_device_handle *handle, int *attempt_counter, uint16_t *firmware_version, uint32_t *serial_number); ++int nk3_reset(struct Device *dev); + + + #endif//NITROKEY_HOTP_VERIFICATION_OPERATIONS_CCID_H + +From 8425e8c622138aef9ab207119e14f7cbedd40175 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= +Date: Mon, 2 Dec 2024 10:29:59 +0100 +Subject: [PATCH 2/3] Add optional new pin when resetting + +--- + src/main.c | 9 +++++---- + src/operations_ccid.c | 6 +++++- + src/operations_ccid.h | 5 ++++- + 3 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/src/main.c b/src/main.c +index b80b71d..3f4a1cc 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -38,9 +38,10 @@ void print_help(char *app_name) { + "\t%s info\n" + "\t%s version\n" + "\t%s check \n" +- "\t%s regenerate \n" ++ "\t%s reset [ADMIN PIN]\n" ++ "\t%s regenerate\n" + "\t%s set [COUNTER]\n", +- app_name, app_name, app_name, app_name, app_name, app_name); ++ app_name, app_name, app_name, app_name, app_name, app_name, app_name); + } + + +@@ -136,8 +137,8 @@ int parse_cmd_and_run(int argc, char *const *argv) { + break; + case 'r': + if (strncmp(argv[1], "reset", 15) == 0) { +- if (argc != 2) break; +- res = nk3_reset(&dev); ++ if (argc != 2 && argc != 3) break; ++ res = nk3_reset(&dev, argc == 3 ? argv[2]: NULL); + } else if (strncmp(argv[1], "regenerate", 15) == 0) { + if (argc != 3) break; + res = regenerate_AES_key(&dev, argv[2]); +diff --git a/src/operations_ccid.c b/src/operations_ccid.c +index 574155d..07834ce 100644 +--- a/src/operations_ccid.c ++++ b/src/operations_ccid.c +@@ -33,7 +33,7 @@ + + + +-int nk3_reset(struct Device *dev) { ++int nk3_reset(struct Device *dev, const char * new_pin) { + libusb_device *usb_dev; + struct libusb_device_descriptor usb_desc; + usb_dev = libusb_get_device(dev->mp_devhandle_ccid); +@@ -70,6 +70,10 @@ int nk3_reset(struct Device *dev) { + return 1; + } + ++ if (new_pin != NULL) { ++ set_pin_ccid(dev, new_pin); ++ } ++ + return RET_NO_ERROR; + } + +diff --git a/src/operations_ccid.h b/src/operations_ccid.h +index ec0070c..61cad72 100644 +--- a/src/operations_ccid.h ++++ b/src/operations_ccid.h +@@ -11,7 +11,10 @@ int authenticate_or_set_ccid(struct Device *dev, const char *admin_PIN); + int set_secret_on_device_ccid(struct Device *dev, const char *admin_PIN, const char *OTP_secret_base32, const uint64_t hotp_counter); + int verify_code_ccid(struct Device *dev, const uint32_t code_to_verify); + int status_ccid(libusb_device_handle *handle, int *attempt_counter, uint16_t *firmware_version, uint32_t *serial_number); +-int nk3_reset(struct Device *dev); ++// new_pin can be `null` ++// ++// If it is, no new pin will be set ++int nk3_reset(struct Device *dev, const char * new_pin); + + + #endif//NITROKEY_HOTP_VERIFICATION_OPERATIONS_CCID_H + +From 596f701985682adf6bfab06c78cbe132cbcb2aae Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= +Date: Tue, 3 Dec 2024 10:48:27 +0100 +Subject: [PATCH 3/3] Fix null pointer bug on non nk3 + +--- + src/operations_ccid.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/operations_ccid.c b/src/operations_ccid.c +index 07834ce..538d434 100644 +--- a/src/operations_ccid.c ++++ b/src/operations_ccid.c +@@ -36,6 +36,12 @@ + int nk3_reset(struct Device *dev, const char * new_pin) { + libusb_device *usb_dev; + struct libusb_device_descriptor usb_desc; ++ ++ if (!dev->mp_devhandle_ccid) { ++ // Not an NK3 ++ return RET_NO_ERROR; ++ } ++ + usb_dev = libusb_get_device(dev->mp_devhandle_ccid); + + int r = libusb_get_device_descriptor(usb_dev, &usb_desc); +@@ -46,7 +52,7 @@ int nk3_reset(struct Device *dev, const char * new_pin) { + + + if (usb_desc.idVendor != NITROKEY_USB_VID || usb_desc.idProduct != NITROKEY_3_USB_PID) { +- return 0; ++ return RET_NO_ERROR; + } + +