From b88f36336784b8651355048c07453a7b2d7af42f Mon Sep 17 00:00:00 2001 From: Andrew Kozlik Date: Fri, 6 Oct 2023 17:47:33 +0200 Subject: [PATCH] feat(storage): Skip Optiga for empty PIN in debug builds. --- storage/storage.c | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/storage/storage.c b/storage/storage.c index cf2380a9c..241244313 100644 --- a/storage/storage.c +++ b/storage/storage.c @@ -636,7 +636,18 @@ static secbool __wur derive_kek_set(const uint8_t *pin, size_t pin_len, uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE] = {0}; stretch_pin_optiga(pin, pin_len, storage_salt, ext_salt, pbkdf2_iterations, stretched_pin); - int ret = optiga_pin_set(ui_progress, stretched_pin, optiga_secret); + int ret = OPTIGA_SUCCESS; +#if !PYOPT + // Skip usage of Optiga for empty PIN in debug builds to avoid excessive wear + // of Optiga counters. + if (pin_len == PIN_EMPTY_LEN) { + memcpy(optiga_secret, stretched_pin, sizeof(stretched_pin)); + ui_progress(OPTIGA_PIN_DERIVE_MS); + } else +#endif + { + ret = optiga_pin_set(ui_progress, stretched_pin, optiga_secret); + } memzero(stretched_pin, sizeof(stretched_pin)); if (ret != OPTIGA_SUCCESS) { memzero(optiga_secret, sizeof(optiga_secret)); @@ -662,7 +673,18 @@ static secbool __wur derive_kek_unlock(const uint8_t *pin, size_t pin_len, uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE] = {0}; stretch_pin_optiga(pin, pin_len, storage_salt, ext_salt, pbkdf2_iterations, stretched_pin); - int ret = optiga_pin_verify(ui_progress, stretched_pin, optiga_secret); + int ret = OPTIGA_SUCCESS; +#if !PYOPT + // Skip usage of Optiga for empty PIN in debug builds to avoid excessive wear + // of Optiga counters. + if (pin_len == PIN_EMPTY_LEN) { + memcpy(optiga_secret, stretched_pin, sizeof(stretched_pin)); + ui_progress(OPTIGA_PIN_DERIVE_MS); + } else +#endif + { + ret = optiga_pin_verify(ui_progress, stretched_pin, optiga_secret); + } memzero(stretched_pin, sizeof(stretched_pin)); if (ret != OPTIGA_SUCCESS) { memzero(optiga_secret, sizeof(optiga_secret));