feat(storage): Skip Optiga for empty PIN in debug builds.

2025-07-05 14:22:33 +00:00 · 2023-10-06 17:47:33 +02:00 · 2023-10-06 17:47:33 +02:00 · b88f363367
commit b88f363367
parent 486f58d1c5
1 changed files with 24 additions and 2 deletions
--- a/storage/storage.c
+++ b/storage/storage.c
@ -636,7 +636,18 @@ static secbool __wur derive_kek_set(const uint8_t *pin, size_t pin_len,
  uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE] = {0};
  stretch_pin_optiga(pin, pin_len, storage_salt, ext_salt, pbkdf2_iterations,
                     stretched_pin);
-  int ret = optiga_pin_set(ui_progress, stretched_pin, optiga_secret);
+  int ret = OPTIGA_SUCCESS;
+#if !PYOPT
+  // Skip usage of Optiga for empty PIN in debug builds to avoid excessive wear
+  // of Optiga counters.
+  if (pin_len == PIN_EMPTY_LEN) {
+    memcpy(optiga_secret, stretched_pin, sizeof(stretched_pin));
+    ui_progress(OPTIGA_PIN_DERIVE_MS);
+  } else
+#endif
+  {
+    ret = optiga_pin_set(ui_progress, stretched_pin, optiga_secret);
+  }
  memzero(stretched_pin, sizeof(stretched_pin));
  if (ret != OPTIGA_SUCCESS) {
    memzero(optiga_secret, sizeof(optiga_secret));
@ -662,7 +673,18 @@ static secbool __wur derive_kek_unlock(const uint8_t *pin, size_t pin_len,
  uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE] = {0};
  stretch_pin_optiga(pin, pin_len, storage_salt, ext_salt, pbkdf2_iterations,
                     stretched_pin);
-  int ret = optiga_pin_verify(ui_progress, stretched_pin, optiga_secret);
+  int ret = OPTIGA_SUCCESS;
+#if !PYOPT
+  // Skip usage of Optiga for empty PIN in debug builds to avoid excessive wear
+  // of Optiga counters.
+  if (pin_len == PIN_EMPTY_LEN) {
+    memcpy(optiga_secret, stretched_pin, sizeof(stretched_pin));
+    ui_progress(OPTIGA_PIN_DERIVE_MS);
+  } else
+#endif
+  {
+    ret = optiga_pin_verify(ui_progress, stretched_pin, optiga_secret);
+  }
  memzero(stretched_pin, sizeof(stretched_pin));
  if (ret != OPTIGA_SUCCESS) {
    memzero(optiga_secret, sizeof(optiga_secret));