From c778d7b9c325b0ace734d2f4c5718fc5d3e3297e Mon Sep 17 00:00:00 2001
From: Pavol Rusnak
Date: Mon, 31 Jul 2017 02:26:28 +0200
Subject: [PATCH] storage: wipe storage after 15 wrong pins
---
 firmware/fsm.c | 5 +----
 firmware/protect.c | 17 ++++++++++++++---
 firmware/storage.c | 8 ++++++++
 firmware/storage.h | 2 ++
 4 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/firmware/fsm.c b/firmware/fsm.c
index 9f6237d1f..532ec14f8 100644
--- a/firmware/fsm.c
+++ b/firmware/fsm.c
@@ -318,10 +318,7 @@ void fsm_msgWipeDevice(WipeDevice *msg)
 layoutHome();
 return;
 }
- storage_reset();
- storage_reset_uuid();
- storage_commit();
- storage_clearPinArea();
+ storage_wipe();
 // the following does not work on Mac anyway :-/ Linux/Windows are fine, so it is not needed
 // usbReconnect(); // force re-enumeration because of the serial number change
 fsm_sendSuccess(_("Device wiped"));
diff --git a/firmware/protect.c b/firmware/protect.c
index 53f5791a9..205b91c79 100644
--- a/firmware/protect.c
+++ b/firmware/protect.c
@@ -30,6 +30,8 @@
 #include "debug.h"
 #include "gettext.h"
+#define MAX_WRONG_PINS 15
+
 bool protectAbortedByInitialize = false;
 bool protectButton(ButtonRequestType type, bool confirm_only)
@@ -183,14 +185,23 @@ bool protectPin(bool use_cached)
 fsm_sendFailure(FailureType_Failure_PinCancelled, NULL);
 return false;
 }
- if (storage_increasePinFails(fails) && storage_containsPin(pin)) {
+ if (!storage_increasePinFails(fails)) {
+ fsm_sendFailure(FailureType_Failure_PinInvalid, NULL);
+ return false;
+ }
+ if (storage_containsPin(pin)) {
 session_cachePin();
 storage_resetPinFails(fails);
 return true;
 } else {
- fsm_sendFailure(FailureType_Failure_PinInvalid, NULL);
- return false;
+ if (~*fails > MAX_WRONG_PINS) {
+ layoutDialog(&bmp_icon_error, NULL, NULL, NULL, _("Too many wrong PINs"), _("entered. Storage has"), _("been wiped."), NULL, _("Please unplug"), _("the device."));
+ storage_wipe();
+ for (;;) {} // loop forever
+ }
 }
+ fsm_sendFailure(FailureType_Failure_PinInvalid, NULL);
+ return false;
 }
 bool protectChangePin(void)
diff --git a/firmware/storage.c b/firmware/storage.c
index 35e6fc063..6eba0806e 100644
--- a/firmware/storage.c
+++ b/firmware/storage.c
@@ -622,3 +622,11 @@ void storage_setU2FCounter(uint32_t u2fcounter)
 storage.u2f_counter = u2fcounter - storage_u2f_offset;
 storage_commit();
 }
+
+void storage_wipe(void)
+{
+ storage_reset();
+ storage_reset_uuid();
+ storage_commit();
+ storage_clearPinArea();
+}
diff --git a/firmware/storage.h b/firmware/storage.h
index 18f85d494..0b27f3f20 100644
--- a/firmware/storage.h
+++ b/firmware/storage.h
@@ -73,6 +73,8 @@ bool storage_needsBackup(void);
 void storage_applyFlags(uint32_t flags);
 uint32_t storage_getFlags(void);
+void storage_wipe(void);
+
 extern Storage storage;
 extern char storage_uuid_str[25];
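Review bot: In protectPin (firmware/protect.c, second hunk; the function starts above the hunk), `~*fails > MAX_WRONG_PINS` compares the bitwise complement of the stored word with 15, which is a count of attempts only if the word holds a plain complemented number. storage_increasePinFails is outside this diff; if it records each failure by clearing one more bit, which the `~*fails` read suggests, the complement grows as 2^n - 1 and the wipe would trigger after about five wrong PINs rather than fifteen. In that case the bound should be written in the same encoding, e.g. `if (~*fails >= (1u << MAX_WRONG_PINS) - 1) {`, with a comment next to `MAX_WRONG_PINS` stating the encoding. Separately, `layoutDialog(...)` announces "Storage has been wiped" before `storage_wipe()` runs; calling `storage_wipe()` first makes the message true whenever it is visible.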
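Review bot: storage_wipe() in firmware/storage.c is now the single wipe path for both WipeDevice and the PIN-limit lockout, yet it carries no comment saying what it guarantees. I would add above it something like `/* Resets storage, regenerates the UUID, commits the empty state, then clears the PIN-failure area. */`, after confirming each helper does what its name suggests, since their bodies are outside this diff. The comment should also say whether the sequence tolerates power loss between `storage_commit()` and `storage_clearPinArea()`, because the lockout caller in protect.c relies on the wipe having completed before it halts.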