arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-01-18 11:21:11 +00:00
Code Issues Releases Wiki Activity

refactor(core): Use remaining PIN attempts in Optiga API.

Browse Source 
[no changelog]
This commit is contained in:
Andrew Kozlik 2024-06-26 11:09:07 +02:00 committed by Andrew Kozlik
parent fc09379877
commit 869b6fe6dc
4 changed files with 67 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
core/embed/trezorhal/optiga.h
View File

@ -79,12 +79,12 @@ optiga_pin_verify_v4(OPTIGA_UI_PROGRESS ui_progress,
const uint8_t pin_secret[OPTIGA_PIN_SECRET_SIZE], const uint8_t pin_secret[OPTIGA_PIN_SECRET_SIZE],
uint8_t out_secret[OPTIGA_PIN_SECRET_SIZE]); uint8_t out_secret[OPTIGA_PIN_SECRET_SIZE]);
int __wur optiga_pin_get_fails_v4(uint32_t *ctr); bool __wur optiga_pin_get_rem_v4(uint32_t *ctr);
int __wur optiga_pin_get_fails(uint32_t *ctr); bool __wur optiga_pin_get_rem(uint32_t *ctr);
int __wur optiga_pin_fails_increase_v4(uint32_t count); bool __wur optiga_pin_decrease_rem_v4(uint32_t count);
int __wur optiga_pin_fails_increase(uint32_t count); bool __wur optiga_pin_decrease_rem(uint32_t count);
#endif #endif

80
core/embed/trezorhal/optiga/optiga.c
View File

@ -851,75 +851,73 @@ end:
return ret; return ret;
} }
static int optiga_get_counter(uint16_t oid, uint32_t *ctr) { static uint32_t uint32_from_be(uint8_t buf[4]) {
uint32_t i = buf[0];
i = (i << 8) + buf[1];
i = (i << 8) + buf[2];
i = (i << 8) + buf[3];
return i;
}
static bool optiga_get_counter_rem(uint16_t oid, uint32_t *ctr) {
uint8_t counter[8] = {0}; uint8_t counter[8] = {0};
size_t counter_size = 0; size_t counter_size = 0;
optiga_result res = optiga_get_data_object(oid, false, counter, if (optiga_get_data_object(oid, false, counter, sizeof(counter),
sizeof(counter), &counter_size); &counter_size) != OPTIGA_SUCCESS ||
if (res != OPTIGA_SUCCESS) { counter_size != sizeof(counter)) {
return res; return false;
} }
if (counter_size != sizeof(counter)) { *ctr = uint32_from_be(&counter[4]) - uint32_from_be(&counter[0]);
return OPTIGA_ERR_SIZE; return true;
}
*ctr = counter[0];
*ctr = (*ctr << 8) + counter[1];
*ctr = (*ctr << 8) + counter[2];
*ctr = (*ctr << 8) + counter[3];
return OPTIGA_SUCCESS;
} }
int optiga_pin_get_fails_v4(uint32_t *ctr) { bool optiga_pin_get_rem_v4(uint32_t *ctr) {
return optiga_get_counter(OID_STRETCHED_PIN_CTR, ctr); return optiga_get_counter_rem(OID_STRETCHED_PIN_CTR, ctr);
} }
int optiga_pin_get_fails(uint32_t *ctr) { bool optiga_pin_get_rem(uint32_t *ctr) {
uint32_t ctr1 = 0; uint32_t ctr1 = 0;
uint32_t ctr2 = 0; uint32_t ctr2 = 0;
if (optiga_get_counter(OID_PIN_HMAC_CTR, &ctr1) != OPTIGA_SUCCESS || if (!optiga_get_counter_rem(OID_PIN_HMAC_CTR, &ctr1) ||
optiga_get_counter(OID_STRETCHED_PIN_CTR, &ctr2) != OPTIGA_SUCCESS) { !optiga_get_counter_rem(OID_STRETCHED_PIN_CTR, &ctr2)) {
return -1; return false;
} }
// Ensure that the counters are in sync. // Ensure that the counters are in sync.
if (ctr1 > ctr2) { if (ctr1 > ctr2) {
if (optiga_count_data_object(OID_STRETCHED_PIN_CTR, ctr1 - ctr2) != if (optiga_count_data_object(OID_PIN_HMAC_CTR, ctr1 - ctr2) !=
OPTIGA_SUCCESS) { OPTIGA_SUCCESS) {
return -1; return false;
}
*ctr = ctr1;
} else if (ctr2 > ctr1) {
if (optiga_count_data_object(OID_PIN_HMAC_CTR, ctr2 - ctr1) !=
OPTIGA_SUCCESS) {
return -1;
} }
*ctr = ctr2; *ctr = ctr2;
} else if (ctr2 > ctr1) {
if (optiga_count_data_object(OID_STRETCHED_PIN_CTR, ctr2 - ctr1) !=
OPTIGA_SUCCESS) {
return false;
}
*ctr = ctr1;
} else { } else {
*ctr = ctr2; *ctr = ctr2;
} }
return OPTIGA_SUCCESS; return true;
} }
int optiga_pin_fails_increase_v4(uint32_t count) { bool optiga_pin_decrease_rem_v4(uint32_t count) {
if (count > 0xff) { if (count > 0xff) {
return OPTIGA_ERR_PARAM; return false;
} }
return optiga_count_data_object(OID_STRETCHED_PIN_CTR, count); return optiga_count_data_object(OID_STRETCHED_PIN_CTR, count) ==
OPTIGA_SUCCESS;
} }
int optiga_pin_fails_increase(uint32_t count) { bool optiga_pin_decrease_rem(uint32_t count) {
if (count > 0xff) { if (count > 0xff) {
return OPTIGA_ERR_PARAM; return false;
} }
if (optiga_count_data_object(OID_PIN_HMAC_CTR, count) != OPTIGA_SUCCESS || return optiga_count_data_object(OID_PIN_HMAC_CTR, count) == OPTIGA_SUCCESS &&
optiga_count_data_object(OID_STRETCHED_PIN_CTR, count) != optiga_count_data_object(OID_STRETCHED_PIN_CTR, count) ==
OPTIGA_SUCCESS) { OPTIGA_SUCCESS;
return -1;
}
return OPTIGA_SUCCESS;
} }

17
core/embed/trezorhal/unix/optiga.c
View File

@ -23,6 +23,7 @@
#include "nist256p1.h" #include "nist256p1.h"
#include "optiga_common.h" #include "optiga_common.h"
#include "rand.h" #include "rand.h"
#include "storage.h"
#if defined(TREZOR_MODEL_R) #if defined(TREZOR_MODEL_R)
#include "certs/T2B1.h" #include "certs/T2B1.h"
@ -114,16 +115,16 @@ optiga_pin_result optiga_pin_verify(
return OPTIGA_PIN_SUCCESS; return OPTIGA_PIN_SUCCESS;
} }
int optiga_pin_get_fails_v4(uint32_t *ctr) { bool optiga_pin_get_rem_v4(uint32_t *ctr) {
*ctr = 0; *ctr = PIN_MAX_TRIES;
return OPTIGA_SUCCESS; return true;
} }
int optiga_pin_get_fails(uint32_t *ctr) { bool optiga_pin_get_rem(uint32_t *ctr) {
*ctr = 0; *ctr = PIN_MAX_TRIES;
return OPTIGA_SUCCESS; return true;
} }
int optiga_pin_fails_increase_v4(uint32_t count) { return OPTIGA_SUCCESS; } bool optiga_pin_decrease_rem_v4(uint32_t count) { return true; }
int optiga_pin_fails_increase(uint32_t count) { return OPTIGA_SUCCESS; } bool optiga_pin_decrease_rem(uint32_t count) { return true; }

29
storage/storage.c
View File

@ -1286,35 +1286,36 @@ uint32_t storage_get_pin_rem(void) {
return 0; return 0;
} }
uint32_t rem_mcu = PIN_MAX_TRIES - ctr_mcu;
#if USE_OPTIGA #if USE_OPTIGA
// Synchronize counters in case they diverged. // Synchronize counters in case they diverged.
uint32_t ctr_optiga = 0; uint32_t rem_optiga = 0;
optiga_result ret = OPTIGA_SUCCESS;
if (get_lock_version() >= 5) { if (get_lock_version() >= 5) {
ret = optiga_pin_get_fails(&ctr_optiga); ensure(optiga_pin_get_rem(&rem_optiga) * sectrue,
"optiga_pin_get_rem failed");
} else { } else {
ret = optiga_pin_get_fails_v4(&ctr_optiga); ensure(optiga_pin_get_rem_v4(&rem_optiga) * sectrue,
"optiga_pin_get_rem failed");
} }
ensure(ret == OPTIGA_SUCCESS ? sectrue : secfalse,
"optiga_pin_get_fails failed");
while (ctr_mcu < ctr_optiga) { while (rem_mcu > rem_optiga) {
storage_pin_fails_increase(); storage_pin_fails_increase();
ctr_mcu++; rem_mcu--;
} }
if (ctr_optiga < ctr_mcu) { if (rem_optiga > rem_mcu) {
if (get_lock_version() >= 5) { if (get_lock_version() >= 5) {
ret = optiga_pin_fails_increase(ctr_mcu - ctr_optiga); ensure(optiga_pin_decrease_rem(rem_optiga - rem_mcu) * sectrue,
"optiga_pin_decrease_rem failed");
} else { } else {
ret = optiga_pin_fails_increase_v4(ctr_mcu - ctr_optiga); ensure(optiga_pin_decrease_rem_v4(rem_optiga - rem_mcu) * sectrue,
"optiga_pin_decrease_rem failed");
} }
ensure(ret == OPTIGA_SUCCESS ? sectrue : secfalse,
"optiga_pin_fails_increase failed");
} }
#endif #endif
return PIN_MAX_TRIES - ctr_mcu; return rem_mcu;
} }
secbool storage_change_pin(const uint8_t *oldpin, size_t oldpin_len, secbool storage_change_pin(const uint8_t *oldpin, size_t oldpin_len,