dearsky/pico-hsm
1
0
Fork 0
Code Issues 17 Pull Requests 4 Actions Packages Projects Releases 26 Wiki Activity

DKEK is reencrypted with the new pin if changed.

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2022-03-04 23:08:15 +01:00
parent 78bad89415
commit 010c8018ea
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
sc_hsm.c
View File

@@ -1156,6 +1156,15 @@ static int cmd_change_pin() {
uint16_t r = check_pin(file_pin1, apdu.cmd_apdu_data, pin_len); uint16_t r = check_pin(file_pin1, apdu.cmd_apdu_data, pin_len);
if (r != 0x9000) if (r != 0x9000)
return r; return r;
if (load_dkek() != HSM_OK) //loads the DKEK with old pin
return SW_EXEC_ERROR();
//encrypt DKEK with new pin
hash_multi(apdu.cmd_apdu_data+pin_len, apdu.cmd_apdu_data_len-pin_len, session_pin);
has_session_pin = true;
encrypt(session_pin, tmp_dkek, tmp_dkek+IV_SIZE, 32);
file_t *tf = search_by_fid(EF_DKEK, NULL, SPECIFY_EF);
flash_write_data_to_file(tf, tmp_dkek, sizeof(tmp_dkek));
release_dkek();
uint8_t dhash[33]; uint8_t dhash[33];
dhash[0] = apdu.cmd_apdu_data_len-pin_len; dhash[0] = apdu.cmd_apdu_data_len-pin_len;
double_hash_pin(apdu.cmd_apdu_data+pin_len, apdu.cmd_apdu_data_len-pin_len, dhash+1); double_hash_pin(apdu.cmd_apdu_data+pin_len, apdu.cmd_apdu_data_len-pin_len, dhash+1);