2023-08-23 13:42:16 +00:00
|
|
|
/*
|
|
|
|
* This file is part of the Trezor project, https://trezor.io/
|
|
|
|
*
|
|
|
|
* Copyright (c) SatoshiLabs
|
|
|
|
*
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
2024-11-01 11:55:31 +00:00
|
|
|
#include <trezor_rtl.h>
|
|
|
|
|
2024-11-15 09:07:01 +00:00
|
|
|
#include <sec/optiga.h>
|
|
|
|
#include <sec/optiga_commands.h>
|
|
|
|
#include <sec/optiga_transport.h>
|
2023-09-19 12:24:56 +00:00
|
|
|
#include "hash_to_curve.h"
|
|
|
|
#include "hmac.h"
|
|
|
|
#include "memzero.h"
|
|
|
|
#include "rand.h"
|
|
|
|
#include "storage.h"
|
|
|
|
|
2024-08-13 05:47:59 +00:00
|
|
|
#ifdef KERNEL_MODE
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Counter-protected PIN secret and reset key for OID_STRETCHED_PIN_CTR (OID
|
|
|
|
// 0xF1D0).
|
2023-09-19 12:24:56 +00:00
|
|
|
#define OID_PIN_SECRET (OPTIGA_OID_DATA + 0)
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Digest of the stretched PIN (OID 0xF1D4).
|
|
|
|
#define OID_STRETCHED_PIN (OPTIGA_OID_DATA + 4)
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Counter-protected key for HMAC-SHA256 PIN stretching step (OID 0xF1D5).
|
|
|
|
#define OID_PIN_HMAC (OPTIGA_OID_DATA + 8)
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Counter which limits the guesses at OID_STRETCHED_PIN (OID 0xE120).
|
|
|
|
#define OID_STRETCHED_PIN_CTR (OPTIGA_OID_COUNTER + 0)
|
|
|
|
|
|
|
|
// Counter which limits the use of OID_PIN_HMAC (OID 0xE122).
|
|
|
|
#define OID_PIN_HMAC_CTR (OPTIGA_OID_COUNTER + 2)
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Counter which limits the total number of PIN stretching operations over the
|
|
|
|
// lifetime of the device (OID 0xE121).
|
|
|
|
#define OID_PIN_TOTAL_CTR (OPTIGA_OID_COUNTER + 1)
|
|
|
|
|
|
|
|
// Key for HMAC-SHA256 PIN stretching step used in storage version 3 and 4 (OID
|
|
|
|
// 0xF1D1).
|
|
|
|
#define OID_PIN_HMAC_V4 (OPTIGA_OID_DATA + 1)
|
2023-09-19 12:24:56 +00:00
|
|
|
|
|
|
|
// Key for AES-CMAC PIN stretching step (OID 0xE200).
|
|
|
|
#define OID_PIN_CMAC OPTIGA_OID_SYM_KEY
|
|
|
|
|
|
|
|
// Key for ECDH PIN stretching step (OID 0xE0F3).
|
|
|
|
#define OID_PIN_ECDH (OPTIGA_OID_ECC_KEY + 3)
|
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
// The number of times that PIN stretching is repeated.
|
|
|
|
#define PIN_STRETCH_ITERATIONS 2
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
// The throttling delay when the security event counter is at its maximum.
|
|
|
|
#define OPTIGA_T_MAX_MS 5000
|
|
|
|
|
2023-09-19 12:24:56 +00:00
|
|
|
// Value of the PIN counter when it is reset.
|
|
|
|
static const uint8_t COUNTER_RESET[] = {0, 0, 0, 0, 0, 0, 0, PIN_MAX_TRIES};
|
|
|
|
|
2024-06-26 09:16:54 +00:00
|
|
|
// Value of the PIN counter with one extra attempt needed in optiga_pin_set().
|
|
|
|
static const uint8_t COUNTER_RESET_EXTRA[] = {0, 0, 0, 0,
|
|
|
|
0, 0, 0, PIN_MAX_TRIES + 1};
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Initial value of the counter which limits the total number of PIN stretching
|
|
|
|
// operations. The limit is 600000 stretching operations, which equates to
|
|
|
|
// 300000 / PIN_STRETCH_ITERATIONS unlock operations over the lifetime of the
|
|
|
|
// device.
|
|
|
|
static const uint8_t PIN_TOTAL_CTR_INIT[] = {0, 0, 0, 0, 0, 0x09, 0x27, 0xC0};
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2023-10-13 11:09:38 +00:00
|
|
|
static const optiga_metadata_item TYPE_AUTOREF =
|
|
|
|
OPTIGA_META_VALUE(OPTIGA_DATA_TYPE_AUTOREF);
|
|
|
|
static const optiga_metadata_item TYPE_PRESSEC =
|
|
|
|
OPTIGA_META_VALUE(OPTIGA_DATA_TYPE_PRESSEC);
|
2023-09-19 12:24:56 +00:00
|
|
|
static const optiga_metadata_item ACCESS_STRETCHED_PIN =
|
|
|
|
OPTIGA_ACCESS_CONDITION(OPTIGA_ACCESS_COND_AUTO, OID_STRETCHED_PIN);
|
|
|
|
static const optiga_metadata_item ACCESS_PIN_SECRET =
|
|
|
|
OPTIGA_ACCESS_CONDITION(OPTIGA_ACCESS_COND_AUTO, OID_PIN_SECRET);
|
2024-06-13 16:24:09 +00:00
|
|
|
static const optiga_metadata_item ACCESS_STRETCHED_PIN_CTR =
|
|
|
|
OPTIGA_ACCESS_CONDITION(OPTIGA_ACCESS_COND_LUC, OID_STRETCHED_PIN_CTR);
|
|
|
|
static const optiga_metadata_item ACCESS_PIN_TOTAL_CTR =
|
|
|
|
OPTIGA_ACCESS_CONDITION(OPTIGA_ACCESS_COND_LUC, OID_PIN_TOTAL_CTR);
|
|
|
|
static const optiga_metadata_item ACCESS_PIN_HMAC_CTR =
|
|
|
|
OPTIGA_ACCESS_CONDITION(OPTIGA_ACCESS_COND_LUC, OID_PIN_HMAC_CTR);
|
2023-09-19 12:24:56 +00:00
|
|
|
|
|
|
|
// Size of the DER BIT STRING header required for inputs to optiga_calc_ssec().
|
|
|
|
#define BIT_STRING_HEADER_SIZE 3
|
|
|
|
|
|
|
|
// Size of the CMAC/HMAC prefix returned by Optiga.
|
|
|
|
#define ENCRYPT_SYM_PREFIX_SIZE 3
|
2023-08-23 13:42:16 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_sign_result optiga_sign(uint8_t index, const uint8_t *digest,
|
|
|
|
size_t digest_size, uint8_t *signature,
|
|
|
|
size_t max_sig_size, size_t *sig_size) {
|
2023-08-23 13:42:16 +00:00
|
|
|
if (index >= OPTIGA_ECC_KEY_COUNT) {
|
2024-06-26 08:09:38 +00:00
|
|
|
return OPTIGA_SIGN_ERROR;
|
2023-08-23 13:42:16 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_result res =
|
2023-08-23 13:42:16 +00:00
|
|
|
optiga_calc_sign(OPTIGA_OID_ECC_KEY + index, digest, digest_size,
|
|
|
|
&signature[2], max_sig_size - 2, sig_size);
|
2024-06-26 08:09:38 +00:00
|
|
|
if (res != OPTIGA_SUCCESS) {
|
2023-08-23 13:42:16 +00:00
|
|
|
uint8_t error_code = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
if (res == OPTIGA_ERR_CMD &&
|
|
|
|
optiga_get_error_code(&error_code) == OPTIGA_SUCCESS &&
|
|
|
|
error_code == OPTIGA_ERR_CODE_ACCESS_COND) {
|
|
|
|
return OPTIGA_SIGN_INACCESSIBLE;
|
|
|
|
} else {
|
|
|
|
return OPTIGA_SIGN_ERROR;
|
|
|
|
}
|
2023-08-23 13:42:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Add sequence tag and length.
|
|
|
|
if (*sig_size >= 0x80) {
|
|
|
|
// Length not supported.
|
2024-06-26 08:09:38 +00:00
|
|
|
return OPTIGA_SIGN_ERROR;
|
2023-08-23 13:42:16 +00:00
|
|
|
}
|
|
|
|
signature[0] = 0x30;
|
|
|
|
signature[1] = *sig_size;
|
|
|
|
*sig_size += 2;
|
2024-06-26 08:09:38 +00:00
|
|
|
return OPTIGA_SIGN_SUCCESS;
|
2023-08-23 13:42:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
bool optiga_cert_size(uint8_t index, size_t *cert_size) {
|
|
|
|
*cert_size = 0;
|
|
|
|
|
|
|
|
if (index >= OPTIGA_CERT_COUNT) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
uint8_t metadata_bytes[OPTIGA_MAX_METADATA_SIZE] = {0};
|
|
|
|
size_t metadata_size = 0;
|
|
|
|
optiga_metadata metadata = {0};
|
|
|
|
optiga_result ret =
|
|
|
|
optiga_get_data_object(OPTIGA_OID_CERT + index, true, metadata_bytes,
|
|
|
|
sizeof(metadata_bytes), &metadata_size);
|
|
|
|
if (OPTIGA_SUCCESS != ret) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = optiga_parse_metadata(metadata_bytes, metadata_size, &metadata);
|
|
|
|
if (OPTIGA_SUCCESS != ret || metadata.used_size.ptr == NULL) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (int i = 0; i < metadata.used_size.len; ++i) {
|
|
|
|
*cert_size = (*cert_size << 8) + metadata.used_size.ptr[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool optiga_read_cert(uint8_t index, uint8_t *cert, size_t max_cert_size,
|
|
|
|
size_t *cert_size) {
|
|
|
|
if (index >= OPTIGA_CERT_COUNT) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
optiga_result ret = optiga_get_data_object(OPTIGA_OID_CERT + index, false,
|
|
|
|
cert, max_cert_size, cert_size);
|
|
|
|
return OPTIGA_SUCCESS == ret;
|
|
|
|
}
|
2023-09-08 09:19:06 +00:00
|
|
|
|
2024-06-25 09:23:25 +00:00
|
|
|
bool optiga_read_sec(uint8_t *sec) {
|
|
|
|
size_t size = 0;
|
|
|
|
optiga_result ret = optiga_get_data_object(OPTIGA_OID_SEC, false, sec,
|
|
|
|
sizeof(uint8_t), &size);
|
|
|
|
return ret == OPTIGA_SUCCESS && size == sizeof(uint8_t);
|
|
|
|
}
|
|
|
|
|
2024-07-09 12:30:18 +00:00
|
|
|
void optiga_set_sec_max(void) {
|
|
|
|
uint8_t invalid_point[] = {
|
|
|
|
0x03, 0x42, 0x00, 0x04, 0xe2, 0x67, 0x5b, 0xe0, 0xbb, 0xf4, 0xfb, 0x9d,
|
|
|
|
0xec, 0xaa, 0x1e, 0x96, 0xac, 0xc8, 0xa7, 0xca, 0xd0, 0x05, 0x84, 0xfe,
|
|
|
|
0xfd, 0x7f, 0x24, 0xc6, 0xe7, 0x72, 0x5b, 0x56, 0xb3, 0x45, 0x06, 0x67,
|
|
|
|
0xbc, 0x73, 0xe3, 0xb8, 0xf5, 0x5d, 0x1c, 0xad, 0xa0, 0x3e, 0x59, 0x1b,
|
|
|
|
0x3b, 0x9c, 0x6e, 0xc4, 0xb6, 0xd1, 0x05, 0xf7, 0xd8, 0xc0, 0x67, 0x0d,
|
|
|
|
0xfb, 0xcc, 0xea, 0xb1, 0x65, 0xdb, 0xa6, 0x5f};
|
|
|
|
uint8_t buffer[32] = {0};
|
|
|
|
size_t size = 0;
|
|
|
|
optiga_calc_ssec(OPTIGA_CURVE_P256, OID_PIN_ECDH, invalid_point,
|
|
|
|
sizeof(invalid_point), buffer, sizeof(buffer), &size);
|
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
uint32_t optiga_estimate_time_ms(storage_pin_op_t op) {
|
|
|
|
uint8_t sec = 0;
|
|
|
|
if (!optiga_read_sec(&sec)) {
|
|
|
|
return UINT32_MAX;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Heuristic: The SEC will increase by about 4 during the operation up to a
|
|
|
|
// maximum of 255.
|
|
|
|
sec = (sec < 255 - 4) ? sec + 4 : 255;
|
|
|
|
|
|
|
|
// If the SEC is above 127, then Optiga introduces a throttling delay before
|
|
|
|
// the execution of each protected command. The delay grows propotionally to
|
|
|
|
// the SEC value up to a maximum delay of OPTIGA_T_MAX_MS.
|
|
|
|
uint32_t throttling_delay =
|
|
|
|
sec > 127 ? (sec - 127) * OPTIGA_T_MAX_MS / 128 : 0;
|
|
|
|
|
|
|
|
// To estimate the overall time of the PIN operation we multiply the
|
|
|
|
// throttling delay by the number of protected Optiga commands and add the
|
|
|
|
// time required to execute all Optiga commands without throttling delays.
|
|
|
|
switch (op) {
|
|
|
|
case STORAGE_PIN_OP_SET:
|
|
|
|
return throttling_delay * 6 + 1300;
|
|
|
|
case STORAGE_PIN_OP_VERIFY:
|
|
|
|
return throttling_delay * 7 + 1000;
|
|
|
|
case STORAGE_PIN_OP_CHANGE:
|
|
|
|
return throttling_delay * 13 + 2300;
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-08 09:19:06 +00:00
|
|
|
bool optiga_random_buffer(uint8_t *dest, size_t size) {
|
|
|
|
while (size > OPTIGA_RANDOM_MAX_SIZE) {
|
|
|
|
if (optiga_get_random(dest, OPTIGA_RANDOM_MAX_SIZE) != OPTIGA_SUCCESS) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
dest += OPTIGA_RANDOM_MAX_SIZE;
|
|
|
|
size -= OPTIGA_RANDOM_MAX_SIZE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (size < OPTIGA_RANDOM_MIN_SIZE) {
|
|
|
|
static uint8_t buffer[OPTIGA_RANDOM_MIN_SIZE] = {0};
|
|
|
|
optiga_result ret = optiga_get_random(buffer, OPTIGA_RANDOM_MIN_SIZE);
|
|
|
|
memcpy(dest, buffer, size);
|
|
|
|
return ret == OPTIGA_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
return optiga_get_random(dest, size) == OPTIGA_SUCCESS;
|
|
|
|
}
|
2023-09-19 12:24:56 +00:00
|
|
|
|
|
|
|
static bool read_metadata(uint16_t oid, optiga_metadata *metadata) {
|
|
|
|
static uint8_t serialized[OPTIGA_MAX_METADATA_SIZE] = {0};
|
|
|
|
size_t size = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_get_data_object(oid, true, serialized, sizeof(serialized),
|
|
|
|
&size) != OPTIGA_SUCCESS) {
|
2023-09-19 12:24:56 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
return optiga_parse_metadata(serialized, size, metadata) == OPTIGA_SUCCESS;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static bool write_metadata(uint16_t oid, const optiga_metadata *metadata) {
|
|
|
|
uint8_t serialized[OPTIGA_MAX_METADATA_SIZE] = {0};
|
|
|
|
size_t size = 0;
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_serialize_metadata(metadata, serialized, sizeof(serialized),
|
|
|
|
&size) != OPTIGA_SUCCESS) {
|
2023-09-19 12:24:56 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
return optiga_set_data_object(oid, true, serialized, size) == OPTIGA_SUCCESS;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
bool optiga_set_metadata(uint16_t oid, const optiga_metadata *metadata) {
|
|
|
|
// Read the stored metadata.
|
|
|
|
optiga_metadata metadata_stored = {0};
|
|
|
|
if (!read_metadata(oid, &metadata_stored)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the stored metadata are different, then set them as requested.
|
|
|
|
if (!optiga_compare_metadata(metadata, &metadata_stored)) {
|
|
|
|
if (!write_metadata(oid, metadata)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check that the metadata was written correctly.
|
|
|
|
if (!read_metadata(oid, &metadata_stored)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (!optiga_compare_metadata(metadata, &metadata_stored)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-06 15:49:41 +00:00
|
|
|
#if PRODUCTION
|
|
|
|
// If the metadata aren't locked, then lock them in production builds.
|
2023-09-19 12:24:56 +00:00
|
|
|
optiga_metadata metadata_locked = {0};
|
|
|
|
metadata_locked.lcso = OPTIGA_META_LCS_OPERATIONAL;
|
|
|
|
if (!optiga_compare_metadata(&metadata_locked, &metadata_stored)) {
|
|
|
|
if (!write_metadata(oid, &metadata_locked)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check that metadata were locked correctly.
|
|
|
|
if (!read_metadata(oid, &metadata_stored)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (!optiga_compare_metadata(&metadata_locked, &metadata_stored)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
2023-10-06 15:49:41 +00:00
|
|
|
#endif
|
2023-09-19 12:24:56 +00:00
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool optiga_pin_init_metadata(void) {
|
|
|
|
optiga_metadata metadata = {0};
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Set metadata for counter-protected PIN secret.
|
2023-09-19 12:24:56 +00:00
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
metadata.read = ACCESS_STRETCHED_PIN;
|
|
|
|
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
metadata.data_type = TYPE_AUTOREF;
|
|
|
|
if (!optiga_set_metadata(OID_PIN_SECRET, &metadata)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Set metadata for stretched PIN.
|
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = ACCESS_PIN_SECRET;
|
|
|
|
metadata.read = OPTIGA_META_ACCESS_NEVER;
|
|
|
|
metadata.execute = ACCESS_STRETCHED_PIN_CTR;
|
|
|
|
metadata.data_type = TYPE_AUTOREF;
|
|
|
|
if (!optiga_set_metadata(OID_STRETCHED_PIN, &metadata)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set metadata for HMAC-SHA256 PIN stretching secret.
|
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = ACCESS_STRETCHED_PIN;
|
|
|
|
metadata.read = OPTIGA_META_ACCESS_NEVER;
|
|
|
|
metadata.execute = ACCESS_PIN_HMAC_CTR;
|
|
|
|
metadata.data_type = TYPE_PRESSEC;
|
|
|
|
if (!optiga_set_metadata(OID_PIN_HMAC, &metadata)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set metadata for the counter of guesses at OID_STRETCHED_PIN.
|
2023-09-19 12:24:56 +00:00
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = ACCESS_PIN_SECRET;
|
|
|
|
metadata.read = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
|
2024-06-13 16:24:09 +00:00
|
|
|
if (!optiga_set_metadata(OID_STRETCHED_PIN_CTR, &metadata)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set metadata for the counter of OID_PIN_HMAC uses.
|
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = ACCESS_STRETCHED_PIN;
|
|
|
|
metadata.read = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
if (!optiga_set_metadata(OID_PIN_HMAC_CTR, &metadata)) {
|
2023-09-19 12:24:56 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Initialize the counter of the total number of PIN stretching operations, if
|
|
|
|
// write access is possible.
|
2023-09-19 12:24:56 +00:00
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = OPTIGA_META_ACCESS_ALWAYS;
|
2024-06-13 16:24:09 +00:00
|
|
|
if (write_metadata(OID_PIN_TOTAL_CTR, &metadata)) {
|
|
|
|
optiga_result res =
|
|
|
|
optiga_set_data_object(OID_PIN_TOTAL_CTR, false, PIN_TOTAL_CTR_INIT,
|
|
|
|
sizeof(PIN_TOTAL_CTR_INIT));
|
2023-09-19 12:24:56 +00:00
|
|
|
if (res != OPTIGA_SUCCESS) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Set metadata for the counter of the total number of PIN stretching
|
|
|
|
// operations.
|
2023-09-19 12:24:56 +00:00
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = OPTIGA_META_ACCESS_NEVER;
|
|
|
|
metadata.read = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
|
2024-06-13 16:24:09 +00:00
|
|
|
if (!optiga_set_metadata(OID_PIN_TOTAL_CTR, &metadata)) {
|
2023-09-19 12:24:56 +00:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set metadata for AES-CMAC PIN stretching secret.
|
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
metadata.read = OPTIGA_META_ACCESS_NEVER;
|
2024-06-13 16:24:09 +00:00
|
|
|
metadata.execute = ACCESS_PIN_TOTAL_CTR;
|
2023-09-30 20:55:45 +00:00
|
|
|
metadata.key_usage = OPTIGA_META_KEY_USE_ENC;
|
2023-09-19 12:24:56 +00:00
|
|
|
if (!optiga_set_metadata(OID_PIN_CMAC, &metadata)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set metadata for ECDH PIN stretching secret.
|
|
|
|
memzero(&metadata, sizeof(metadata));
|
|
|
|
metadata.change = OPTIGA_META_ACCESS_ALWAYS;
|
|
|
|
metadata.read = OPTIGA_META_ACCESS_NEVER;
|
2024-06-13 16:24:09 +00:00
|
|
|
metadata.execute = ACCESS_PIN_TOTAL_CTR;
|
2023-09-19 12:24:56 +00:00
|
|
|
metadata.key_usage = OPTIGA_META_KEY_USE_KEYAGREE;
|
|
|
|
if (!optiga_set_metadata(OID_PIN_ECDH, &metadata)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
static bool optiga_pin_init_stretch(void) {
|
2023-09-19 12:24:56 +00:00
|
|
|
// Generate a new key in OID_PIN_CMAC.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_gen_sym_key(OPTIGA_AES_256, OPTIGA_KEY_USAGE_ENC, OID_PIN_CMAC) !=
|
|
|
|
OPTIGA_SUCCESS) {
|
|
|
|
return false;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Generate a new key in OID_PIN_ECDH.
|
|
|
|
uint8_t public_key[6 + 65] = {0};
|
|
|
|
size_t size = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
return optiga_gen_key_pair(OPTIGA_CURVE_P256, OPTIGA_KEY_USAGE_KEYAGREE,
|
|
|
|
OID_PIN_ECDH, public_key, sizeof(public_key),
|
|
|
|
&size) == OPTIGA_SUCCESS;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
static bool optiga_pin_stretch_common(
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_ui_progress_t ui_progress, HMAC_SHA256_CTX *ctx,
|
2024-06-13 16:24:09 +00:00
|
|
|
const uint8_t input[OPTIGA_PIN_SECRET_SIZE], bool version4) {
|
|
|
|
// Implements the functionality that is common to
|
|
|
|
// optiga_pin_stretch_cmac_ecdh() and the legacy function
|
|
|
|
// optiga_pin_stretch_secret_v4().
|
2024-06-13 12:17:11 +00:00
|
|
|
|
|
|
|
uint8_t buffer[ENCRYPT_SYM_PREFIX_SIZE + OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
size_t size = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
bool ret = true;
|
2024-06-13 12:17:11 +00:00
|
|
|
|
|
|
|
// Combine intermediate result with OID_PIN_CMAC.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_encrypt_sym(OPTIGA_SYM_MODE_CMAC, OID_PIN_CMAC, input,
|
|
|
|
OPTIGA_PIN_SECRET_SIZE, buffer, sizeof(buffer),
|
|
|
|
&size) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
hmac_sha256_Update(ctx, buffer, size);
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
if (version4) {
|
|
|
|
// Combine intermediate result with OID_PIN_HMAC
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_encrypt_sym(OPTIGA_SYM_MODE_HMAC_SHA256, OID_PIN_HMAC_V4, input,
|
|
|
|
OPTIGA_PIN_SECRET_SIZE, buffer, sizeof(buffer),
|
|
|
|
&size) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
|
|
|
goto end;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
2024-06-13 12:17:11 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
hmac_sha256_Update(ctx, buffer, size);
|
|
|
|
}
|
2024-06-13 12:17:11 +00:00
|
|
|
|
|
|
|
// Combine intermediate result with OID_PIN_ECDH
|
|
|
|
uint8_t encoded_point[BIT_STRING_HEADER_SIZE + 65] = {0x03, 0x42, 0x00};
|
|
|
|
if (!hash_to_curve_optiga(input, &encoded_point[BIT_STRING_HEADER_SIZE])) {
|
2024-06-26 08:09:38 +00:00
|
|
|
ret = false;
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
2024-06-26 08:09:38 +00:00
|
|
|
|
|
|
|
if (optiga_calc_ssec(OPTIGA_CURVE_P256, OID_PIN_ECDH, encoded_point,
|
|
|
|
sizeof(encoded_point), buffer, sizeof(buffer),
|
|
|
|
&size) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2024-06-13 12:17:11 +00:00
|
|
|
|
|
|
|
hmac_sha256_Update(ctx, buffer, size);
|
2024-06-26 08:09:38 +00:00
|
|
|
|
|
|
|
end:
|
|
|
|
memzero(encoded_point, sizeof(encoded_point));
|
2024-06-13 12:17:11 +00:00
|
|
|
memzero(buffer, sizeof(buffer));
|
2024-06-26 08:09:38 +00:00
|
|
|
return ret;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
static bool optiga_pin_stretch_secret_v4(
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_ui_progress_t ui_progress, uint8_t secret[OPTIGA_PIN_SECRET_SIZE]) {
|
2024-06-13 12:17:11 +00:00
|
|
|
// Legacy PIN verification method used in storage versions 3 and 4.
|
|
|
|
|
2023-09-19 12:24:56 +00:00
|
|
|
// This step hardens the PIN verification process in case an attacker is able
|
|
|
|
// to extract the secret value of a data object in Optiga that has a
|
|
|
|
// particular configuration, but does not allow secret extraction for other
|
|
|
|
// kinds of data objects. An attacker would need to be able to extract each of
|
|
|
|
// the secrets in the different data objects to conduct an offline brute-force
|
|
|
|
// search for the PIN. Thus it reduces the number of PIN values that the
|
|
|
|
// attacker can test in a unit of time by forcing them to involve the Optiga
|
|
|
|
// in each attempt.
|
|
|
|
|
|
|
|
// Pseudocode for the stretching process:
|
2024-06-13 16:24:09 +00:00
|
|
|
// cmac_out = CMAC(OID_PIN_CMAC, secret)
|
|
|
|
// hmac_out = HMAC(OID_PIN_HMAC_V4, secret)
|
|
|
|
// ecdh_out = ECDH(OID_PIN_ECDH, secret)
|
|
|
|
// secret = HMAC-SHA256(secret, cmac_out || hmac_out || ecdh_out)
|
2023-09-19 12:24:56 +00:00
|
|
|
|
|
|
|
HMAC_SHA256_CTX ctx = {0};
|
2024-06-13 16:24:09 +00:00
|
|
|
hmac_sha256_Init(&ctx, secret, OPTIGA_PIN_SECRET_SIZE);
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
bool ret = optiga_pin_stretch_common(ui_progress, &ctx, secret, true);
|
|
|
|
if (ret) {
|
|
|
|
hmac_sha256_Final(&ctx, secret);
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
memzero(&ctx, sizeof(ctx));
|
2024-06-26 08:09:38 +00:00
|
|
|
return ret;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
static bool optiga_pin_stretch_cmac_ecdh(
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_ui_progress_t ui_progress,
|
2024-06-13 12:17:11 +00:00
|
|
|
uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE]) {
|
|
|
|
// This step hardens the PIN verification process in case an attacker is able
|
|
|
|
// to extract the secret value of a data object in Optiga that has a
|
|
|
|
// particular configuration, but does not allow secret extraction for other
|
|
|
|
// kinds of data objects. An attacker would need to be able to extract each of
|
|
|
|
// the secrets in the different data objects to conduct an offline brute-force
|
|
|
|
// search for the PIN. Thus it reduces the number of PIN values that the
|
|
|
|
// attacker can test in a unit of time by forcing them to involve the Optiga
|
|
|
|
// in each attempt, and restricts the overall number of attempts using
|
2024-06-13 16:24:09 +00:00
|
|
|
// OID_PIN_TOTAL_CTR.
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
// Pseudocode for the stretching process:
|
2024-06-13 16:24:09 +00:00
|
|
|
// for _ in range(PIN_STRETCH_ITERATIONS):
|
|
|
|
// digest = HMAC-SHA256(stretched_pin, "")
|
|
|
|
// cmac_out = CMAC(OID_PIN_CMAC, digest)
|
|
|
|
// ecdh_out = ECDH(OID_PIN_ECDH, digest)
|
|
|
|
// stretched_pin = HMAC-SHA256(stretched_pin, cmac_out || ecdh_out)
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
bool ret = true;
|
2024-06-13 12:17:11 +00:00
|
|
|
uint8_t digest[OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
HMAC_SHA256_CTX ctx = {0};
|
|
|
|
for (int i = 0; i < PIN_STRETCH_ITERATIONS; ++i) {
|
|
|
|
// Process the stretched PIN using a one-way function before sending it to
|
|
|
|
// the Optiga. This ensures that in the unlikely case of an attacker
|
|
|
|
// recording communication between the MCU and Optiga, they will not gain
|
|
|
|
// knowledge of the stretched PIN.
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, NULL, 0, digest);
|
|
|
|
hmac_sha256_Init(&ctx, stretched_pin, OPTIGA_PIN_SECRET_SIZE);
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
if (!optiga_pin_stretch_common(ui_progress, &ctx, digest, false)) {
|
|
|
|
ret = false;
|
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
hmac_sha256_Final(&ctx, stretched_pin);
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
end:
|
2024-06-13 12:17:11 +00:00
|
|
|
memzero(digest, sizeof(digest));
|
2023-09-19 12:24:56 +00:00
|
|
|
memzero(&ctx, sizeof(ctx));
|
2024-06-26 08:09:38 +00:00
|
|
|
return ret;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
bool optiga_pin_set(optiga_ui_progress_t ui_progress,
|
2024-06-26 08:09:38 +00:00
|
|
|
uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE]) {
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_set_ui_progress(ui_progress);
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
bool ret = true;
|
|
|
|
if (!optiga_pin_init_metadata() || !optiga_pin_init_stretch()) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
2023-10-02 17:16:55 +00:00
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
// Stretch the PIN more with stretching secrets from the Optiga. This step
|
|
|
|
// ensures that if an attacker extracts the value of OID_STRETCHED_PIN or
|
|
|
|
// OID_PIN_SECRET, then it cannot be used to conduct an offline brute-force
|
|
|
|
// search for the PIN.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (!optiga_pin_stretch_cmac_ecdh(ui_progress, stretched_pin)) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
// Generate and store the counter-protected PIN secret.
|
|
|
|
uint8_t pin_secret[OPTIGA_PIN_SECRET_SIZE] = {0};
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_get_random(pin_secret, sizeof(pin_secret)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
2024-06-13 12:17:11 +00:00
|
|
|
random_xor(pin_secret, sizeof(pin_secret));
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_data_object(OID_PIN_SECRET, false, pin_secret,
|
|
|
|
sizeof(pin_secret)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Generate the key for the HMAC-SHA256 PIN stretching step.
|
|
|
|
uint8_t pin_hmac[OPTIGA_PIN_SECRET_SIZE] = {0};
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_get_random(pin_hmac, sizeof(pin_hmac)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
random_xor(pin_hmac, sizeof(pin_hmac));
|
|
|
|
|
|
|
|
// Authorise using OID_PIN_SECRET so that we can write to OID_STRETCHED_PIN
|
|
|
|
// and OID_STRETCHED_PIN_CTR.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_auto_state(OPTIGA_OID_SESSION_CTX, OID_PIN_SECRET, pin_secret,
|
|
|
|
sizeof(pin_secret)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Process the stretched PIN using a one-way function before using it in the
|
|
|
|
// operation that will be executed in Optiga during verification. This ensures
|
|
|
|
// that in the unlikely case of an attacker recording communication between
|
|
|
|
// the MCU and Optiga, they will not gain knowledge of the stretched PIN.
|
|
|
|
uint8_t digest[OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, NULL, 0, digest);
|
|
|
|
|
|
|
|
// Compute the operation that will be executed in Optiga during verification.
|
|
|
|
uint8_t hmac_buffer[ENCRYPT_SYM_PREFIX_SIZE + OPTIGA_PIN_SECRET_SIZE] = {
|
|
|
|
0x61, 0x00, 0x20};
|
|
|
|
hmac_sha256(pin_hmac, sizeof(pin_hmac), digest, sizeof(digest),
|
|
|
|
&hmac_buffer[ENCRYPT_SYM_PREFIX_SIZE]);
|
|
|
|
|
|
|
|
// Stretch the PIN with the result.
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, hmac_buffer,
|
|
|
|
sizeof(hmac_buffer), stretched_pin);
|
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
// Process the stretched PIN using a one-way function before sending it to the
|
|
|
|
// Optiga. This ensures that in the unlikely case of an attacker recording
|
|
|
|
// communication between the MCU and Optiga, they will not gain knowledge of
|
|
|
|
// the stretched PIN.
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, NULL, 0, digest);
|
|
|
|
|
|
|
|
// Store the digest of the stretched PIN in OID_STRETCHED_PIN.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_data_object(OID_STRETCHED_PIN, false, digest,
|
|
|
|
sizeof(digest)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2024-06-26 09:16:54 +00:00
|
|
|
// Initialize the counter which limits the guesses at OID_STRETCHED_PIN with
|
|
|
|
// one extra attempt that we will use up in the next step.
|
|
|
|
if (optiga_set_data_object(OID_STRETCHED_PIN_CTR, false, COUNTER_RESET_EXTRA,
|
|
|
|
sizeof(COUNTER_RESET_EXTRA)) != OPTIGA_SUCCESS) {
|
2024-06-26 08:09:38 +00:00
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2024-06-18 18:20:27 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Authorise using OID_STRETCHED_PIN so that we can write to OID_PIN_HMAC and
|
|
|
|
// OID_PIN_HMAC_CTR.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_auto_state(OPTIGA_OID_SESSION_CTX, OID_STRETCHED_PIN, digest,
|
|
|
|
sizeof(digest)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Initialize the key for HMAC-SHA256 PIN stretching.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_data_object(OID_PIN_HMAC, false, pin_hmac, sizeof(pin_hmac)) !=
|
|
|
|
OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Initialize the PIN counter which limits the use of OID_PIN_HMAC.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_data_object(OID_PIN_HMAC_CTR, false, COUNTER_RESET,
|
|
|
|
sizeof(COUNTER_RESET)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = false;
|
2024-06-13 16:24:09 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2024-06-13 12:17:11 +00:00
|
|
|
|
|
|
|
// Stretch the PIN more with the counter-protected PIN secret. This method
|
|
|
|
// ensures that if the user chooses a high-entropy PIN, then even if the
|
|
|
|
// Optiga and its communication link is completely compromised, it will not
|
|
|
|
// reduce the security of their device any more than if the Optiga was not
|
|
|
|
// integrated into the device in the first place.
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, pin_secret,
|
|
|
|
sizeof(pin_secret), stretched_pin);
|
2023-09-19 12:24:56 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
end:
|
|
|
|
memzero(hmac_buffer, sizeof(hmac_buffer));
|
|
|
|
memzero(pin_hmac, sizeof(pin_hmac));
|
|
|
|
memzero(pin_secret, sizeof(pin_secret));
|
|
|
|
memzero(digest, sizeof(digest));
|
2023-09-19 12:24:56 +00:00
|
|
|
optiga_clear_auto_state(OID_PIN_SECRET);
|
2024-06-13 16:24:09 +00:00
|
|
|
optiga_clear_auto_state(OID_STRETCHED_PIN);
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_set_ui_progress(NULL);
|
2024-06-26 08:09:38 +00:00
|
|
|
return ret;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_pin_result optiga_pin_verify_v4(
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_ui_progress_t ui_progress,
|
2024-06-26 08:09:38 +00:00
|
|
|
const uint8_t pin_secret[OPTIGA_PIN_SECRET_SIZE],
|
|
|
|
uint8_t out_secret[OPTIGA_PIN_SECRET_SIZE]) {
|
2024-06-13 12:17:11 +00:00
|
|
|
// Legacy PIN verification method used in storage version 3 and 4.
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_set_ui_progress(ui_progress);
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_pin_result ret = OPTIGA_PIN_SUCCESS;
|
|
|
|
|
2023-09-19 12:24:56 +00:00
|
|
|
// Process the PIN-derived secret using a one-way function before sending it
|
|
|
|
// to the Optiga.
|
|
|
|
uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
hmac_sha256(pin_secret, OPTIGA_PIN_SECRET_SIZE, NULL, 0, stretched_pin);
|
|
|
|
|
|
|
|
// Combine the result with stretching secrets from the Optiga.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (!optiga_pin_stretch_secret_v4(ui_progress, stretched_pin)) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Authorise using OID_STRETCHED_PIN so that we can read from OID_PIN_SECRET.
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_result res =
|
|
|
|
optiga_set_auto_state(OPTIGA_OID_SESSION_CTX, OID_STRETCHED_PIN,
|
|
|
|
stretched_pin, sizeof(stretched_pin));
|
|
|
|
if (res != OPTIGA_SUCCESS) {
|
2023-10-02 17:16:55 +00:00
|
|
|
uint8_t error_code = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
if (res != OPTIGA_ERR_CMD ||
|
|
|
|
optiga_get_error_code(&error_code) != OPTIGA_SUCCESS) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
|
|
|
}
|
2023-10-02 17:16:55 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
switch (error_code) {
|
|
|
|
case OPTIGA_ERR_CODE_CTR_LIMIT:
|
|
|
|
ret = OPTIGA_PIN_COUNTER_EXCEEDED;
|
|
|
|
break;
|
|
|
|
case OPTIGA_ERR_CODE_AUTH_FAIL:
|
|
|
|
ret = OPTIGA_PIN_INVALID;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
}
|
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Read the master secret from OID_PIN_SECRET.
|
|
|
|
size_t size = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_get_data_object(OID_PIN_SECRET, false, out_secret,
|
|
|
|
OPTIGA_PIN_SECRET_SIZE, &size) != OPTIGA_SUCCESS ||
|
|
|
|
size != OPTIGA_PIN_SECRET_SIZE) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2023-09-19 12:24:56 +00:00
|
|
|
|
|
|
|
// Authorise using OID_PIN_SECRET so that we can write to OID_PIN_COUNTER.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_auto_state(OPTIGA_OID_SESSION_CTX, OID_PIN_SECRET, out_secret,
|
|
|
|
OPTIGA_PIN_SECRET_SIZE) != OPTIGA_SUCCESS) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2023-09-19 12:24:56 +00:00
|
|
|
|
|
|
|
// Combine the value of OID_PIN_SECRET with the PIN-derived secret and
|
|
|
|
// stretching secrets from the Optiga.
|
|
|
|
hmac_sha256(pin_secret, OPTIGA_PIN_SECRET_SIZE, out_secret,
|
|
|
|
OPTIGA_PIN_SECRET_SIZE, out_secret);
|
2024-06-26 08:09:38 +00:00
|
|
|
if (!optiga_pin_stretch_secret_v4(ui_progress, out_secret)) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Combine the stretched master secret with the PIN-derived secret to derive
|
|
|
|
// the output secret.
|
|
|
|
hmac_sha256(pin_secret, OPTIGA_PIN_SECRET_SIZE, out_secret,
|
|
|
|
OPTIGA_PIN_SECRET_SIZE, out_secret);
|
2024-06-26 08:09:38 +00:00
|
|
|
|
|
|
|
end:
|
|
|
|
memzero(stretched_pin, sizeof(stretched_pin));
|
|
|
|
optiga_clear_auto_state(OID_STRETCHED_PIN);
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_set_ui_progress(NULL);
|
2024-06-26 08:09:38 +00:00
|
|
|
return ret;
|
2023-09-19 12:24:56 +00:00
|
|
|
}
|
2023-10-02 18:24:25 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
static optiga_pin_result optiga_pin_stretch_hmac(
|
2024-06-13 16:24:09 +00:00
|
|
|
uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE]) {
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_pin_result ret = OPTIGA_PIN_SUCCESS;
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Process the stretched PIN using a one-way function before sending it to the
|
|
|
|
// Optiga.
|
|
|
|
uint8_t digest[OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, NULL, 0, digest);
|
|
|
|
|
|
|
|
// HMAC the digest with the key in OID_PIN_HMAC.
|
|
|
|
uint8_t hmac_buffer[ENCRYPT_SYM_PREFIX_SIZE + OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
size_t size = 0;
|
|
|
|
optiga_result res = optiga_encrypt_sym(
|
|
|
|
OPTIGA_SYM_MODE_HMAC_SHA256, OID_PIN_HMAC, digest, sizeof(digest),
|
|
|
|
hmac_buffer, sizeof(hmac_buffer), &size);
|
|
|
|
if (res != OPTIGA_SUCCESS) {
|
|
|
|
uint8_t error_code = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
if (res == OPTIGA_ERR_CMD &&
|
|
|
|
optiga_get_error_code(&error_code) == OPTIGA_SUCCESS &&
|
|
|
|
error_code == OPTIGA_ERR_CODE_ACCESS_COND) {
|
|
|
|
ret = OPTIGA_PIN_COUNTER_EXCEEDED;
|
2024-06-13 16:24:09 +00:00
|
|
|
} else {
|
2024-06-26 08:09:38 +00:00
|
|
|
ret = OPTIGA_PIN_ERROR;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
2024-06-26 08:09:38 +00:00
|
|
|
goto end;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Stretch the PIN with the result.
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, hmac_buffer, size,
|
|
|
|
stretched_pin);
|
2024-06-26 08:09:38 +00:00
|
|
|
|
|
|
|
end:
|
|
|
|
memzero(digest, sizeof(digest));
|
2024-06-13 16:24:09 +00:00
|
|
|
memzero(hmac_buffer, sizeof(hmac_buffer));
|
2024-06-26 08:09:38 +00:00
|
|
|
return ret;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_pin_result optiga_pin_verify(
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_ui_progress_t ui_progress,
|
2024-06-26 08:09:38 +00:00
|
|
|
uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE]) {
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_set_ui_progress(ui_progress);
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_pin_result ret = OPTIGA_PIN_SUCCESS;
|
|
|
|
|
2024-06-13 12:17:11 +00:00
|
|
|
// Stretch the PIN more with stretching secrets from the Optiga.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (!optiga_pin_stretch_cmac_ecdh(ui_progress, stretched_pin)) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
ret = optiga_pin_stretch_hmac(stretched_pin);
|
|
|
|
if (ret != OPTIGA_PIN_SUCCESS) {
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Process the stretched PIN using a one-way function before sending it to the
|
|
|
|
// Optiga.
|
|
|
|
uint8_t digest[OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, NULL, 0, digest);
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Authorise using OID_STRETCHED_PIN so that we can read from OID_PIN_SECRET
|
|
|
|
// and reset OID_PIN_HMAC_CTR.
|
2024-06-26 08:09:38 +00:00
|
|
|
optiga_result res = optiga_set_auto_state(
|
|
|
|
OPTIGA_OID_SESSION_CTX, OID_STRETCHED_PIN, digest, sizeof(digest));
|
|
|
|
if (res != OPTIGA_SUCCESS) {
|
2024-06-13 12:17:11 +00:00
|
|
|
uint8_t error_code = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
if (res != OPTIGA_ERR_CMD ||
|
|
|
|
optiga_get_error_code(&error_code) != OPTIGA_SUCCESS) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (error_code) {
|
|
|
|
case OPTIGA_ERR_CODE_CTR_LIMIT:
|
|
|
|
ret = OPTIGA_PIN_COUNTER_EXCEEDED;
|
|
|
|
break;
|
|
|
|
case OPTIGA_ERR_CODE_AUTH_FAIL:
|
|
|
|
ret = OPTIGA_PIN_INVALID;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
}
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2024-06-18 18:20:27 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Reset the counter which limits the use of OID_PIN_HMAC.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_data_object(OID_PIN_HMAC_CTR, false, COUNTER_RESET,
|
|
|
|
sizeof(COUNTER_RESET)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Read the counter-protected PIN secret from OID_PIN_SECRET.
|
|
|
|
uint8_t pin_secret[OPTIGA_PIN_SECRET_SIZE] = {0};
|
|
|
|
size_t size = 0;
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_get_data_object(OID_PIN_SECRET, false, pin_secret,
|
|
|
|
OPTIGA_PIN_SECRET_SIZE, &size) != OPTIGA_SUCCESS) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Stretch the PIN more with the counter-protected PIN secret.
|
2024-06-13 16:24:09 +00:00
|
|
|
hmac_sha256(stretched_pin, OPTIGA_PIN_SECRET_SIZE, pin_secret, size,
|
|
|
|
stretched_pin);
|
2024-06-13 12:17:11 +00:00
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Authorise using OID_PIN_SECRET so that we can reset OID_STRETCHED_PIN_CTR.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_auto_state(OPTIGA_OID_SESSION_CTX, OID_PIN_SECRET, pin_secret,
|
|
|
|
sizeof(pin_secret)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
2024-06-13 16:24:09 +00:00
|
|
|
// Reset the counter which limits the guesses at OID_STRETCHED_PIN.
|
2024-06-26 08:09:38 +00:00
|
|
|
if (optiga_set_data_object(OID_STRETCHED_PIN_CTR, false, COUNTER_RESET,
|
|
|
|
sizeof(COUNTER_RESET)) != OPTIGA_SUCCESS) {
|
|
|
|
ret = OPTIGA_PIN_ERROR;
|
|
|
|
goto end;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
2024-07-02 19:33:53 +00:00
|
|
|
ui_progress();
|
2024-06-13 12:17:11 +00:00
|
|
|
|
2024-06-26 08:09:38 +00:00
|
|
|
end:
|
|
|
|
memzero(pin_secret, sizeof(pin_secret));
|
|
|
|
memzero(digest, sizeof(digest));
|
|
|
|
optiga_clear_auto_state(OID_STRETCHED_PIN);
|
|
|
|
optiga_clear_auto_state(OID_PIN_SECRET);
|
2024-07-02 19:33:53 +00:00
|
|
|
optiga_set_ui_progress(NULL);
|
2024-06-26 08:09:38 +00:00
|
|
|
return ret;
|
2024-06-13 12:17:11 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
static uint32_t uint32_from_be(uint8_t buf[4]) {
|
|
|
|
uint32_t i = buf[0];
|
|
|
|
i = (i << 8) + buf[1];
|
|
|
|
i = (i << 8) + buf[2];
|
|
|
|
i = (i << 8) + buf[3];
|
|
|
|
return i;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool optiga_get_counter_rem(uint16_t oid, uint32_t *ctr) {
|
2023-10-02 18:24:25 +00:00
|
|
|
uint8_t counter[8] = {0};
|
|
|
|
size_t counter_size = 0;
|
2024-06-26 09:09:07 +00:00
|
|
|
if (optiga_get_data_object(oid, false, counter, sizeof(counter),
|
|
|
|
&counter_size) != OPTIGA_SUCCESS ||
|
|
|
|
counter_size != sizeof(counter)) {
|
|
|
|
return false;
|
2023-10-02 18:24:25 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
*ctr = uint32_from_be(&counter[4]) - uint32_from_be(&counter[0]);
|
|
|
|
return true;
|
2023-10-02 18:24:25 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
bool optiga_pin_get_rem_v4(uint32_t *ctr) {
|
|
|
|
return optiga_get_counter_rem(OID_STRETCHED_PIN_CTR, ctr);
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
bool optiga_pin_get_rem(uint32_t *ctr) {
|
2024-06-13 16:24:09 +00:00
|
|
|
uint32_t ctr1 = 0;
|
|
|
|
uint32_t ctr2 = 0;
|
2024-06-26 09:09:07 +00:00
|
|
|
if (!optiga_get_counter_rem(OID_PIN_HMAC_CTR, &ctr1) ||
|
|
|
|
!optiga_get_counter_rem(OID_STRETCHED_PIN_CTR, &ctr2)) {
|
|
|
|
return false;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure that the counters are in sync.
|
|
|
|
if (ctr1 > ctr2) {
|
2024-06-26 09:09:07 +00:00
|
|
|
if (optiga_count_data_object(OID_PIN_HMAC_CTR, ctr1 - ctr2) !=
|
2024-06-13 16:24:09 +00:00
|
|
|
OPTIGA_SUCCESS) {
|
2024-06-26 09:09:07 +00:00
|
|
|
return false;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
2024-06-26 09:09:07 +00:00
|
|
|
*ctr = ctr2;
|
2024-06-13 16:24:09 +00:00
|
|
|
} else if (ctr2 > ctr1) {
|
2024-06-26 09:09:07 +00:00
|
|
|
if (optiga_count_data_object(OID_STRETCHED_PIN_CTR, ctr2 - ctr1) !=
|
2024-06-13 16:24:09 +00:00
|
|
|
OPTIGA_SUCCESS) {
|
2024-06-26 09:09:07 +00:00
|
|
|
return false;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
2024-06-26 09:09:07 +00:00
|
|
|
*ctr = ctr1;
|
2024-06-13 16:24:09 +00:00
|
|
|
} else {
|
|
|
|
*ctr = ctr2;
|
|
|
|
}
|
2024-06-26 09:09:07 +00:00
|
|
|
return true;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
bool optiga_pin_decrease_rem_v4(uint32_t count) {
|
2024-06-13 16:24:09 +00:00
|
|
|
if (count > 0xff) {
|
2024-06-26 09:09:07 +00:00
|
|
|
return false;
|
2024-06-13 16:24:09 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
return optiga_count_data_object(OID_STRETCHED_PIN_CTR, count) ==
|
|
|
|
OPTIGA_SUCCESS;
|
2023-10-02 18:24:25 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
bool optiga_pin_decrease_rem(uint32_t count) {
|
2023-10-02 18:24:25 +00:00
|
|
|
if (count > 0xff) {
|
2024-06-26 09:09:07 +00:00
|
|
|
return false;
|
2023-10-02 18:24:25 +00:00
|
|
|
}
|
|
|
|
|
2024-06-26 09:09:07 +00:00
|
|
|
return optiga_count_data_object(OID_PIN_HMAC_CTR, count) == OPTIGA_SUCCESS &&
|
|
|
|
optiga_count_data_object(OID_STRETCHED_PIN_CTR, count) ==
|
|
|
|
OPTIGA_SUCCESS;
|
2023-10-02 18:24:25 +00:00
|
|
|
}
|
2024-08-13 05:47:59 +00:00
|
|
|
|
|
|
|
#endif // KERNEL_MODE
|