keystore: port _test_keystore_unlock to Rust

The smarteeprom disable is also ported, though not strictly needed in
unit tests - without it there is a memory leak due to the smarteeprom
mock using malloc.

Author: benma

src/keystore.c

@@ -322,7 +322,17 @@ static void _free_string(char** str)
 
 USE_RESULT static keystore_error_t _retain_seed(const uint8_t* seed, size_t seed_len)
 {
+#ifdef TESTING
+    const uint8_t test_unstretched_retained_seed_encryption_key[32] =
+        "\xfe\x09\x76\x01\x14\x52\xa7\x22\x12\xe4\xb8\xbd\x57\x2b\x5b\xe3\x01\x41\xa3\x56\xf1\x13"
+        "\x37\xd2\x9d\x35\xea\x8f\xf9\x97\xbe\xfc";
+    memcpy(
+        _unstretched_retained_seed_encryption_key,
+        test_unstretched_retained_seed_encryption_key,
+        32);
+#else
     random_32_bytes(_unstretched_retained_seed_encryption_key);
+#endif
     uint8_t retained_seed_encryption_key[32] = {0};
     UTIL_CLEANUP_32(retained_seed_encryption_key);
     keystore_error_t result = _stretch_retained_seed_encryption_key(

src/memory/memory.c

@@ -759,6 +759,17 @@ bool memory_get_salt_root(uint8_t* salt_root_out)
     return !MEMEQ(salt_root_out, empty, sizeof(empty));
 }
 
+#ifdef TESTING
+bool memory_set_salt_root(const uint8_t* salt_root)
+{
+    chunk_1_t chunk = {0};
+    CLEANUP_CHUNK(chunk);
+    _read_chunk(CHUNK_1, chunk_bytes);
+    memcpy(chunk.fields.salt_root, salt_root, 32);
+    return _write_chunk(CHUNK_1, chunk.bytes);
+}
+#endif
+
 bool memory_get_noise_static_private_key(uint8_t* private_key_out)
 {
     chunk_1_t chunk = {0};

src/memory/memory.h

@@ -219,6 +219,10 @@ USE_RESULT bool memory_bootloader_set_flags(auto_enter_t auto_enter, upside_down
  */
 USE_RESULT bool memory_get_salt_root(uint8_t* salt_root_out);
 
+#ifdef TESTING
+USE_RESULT bool memory_set_salt_root(const uint8_t* salt_root);
+#endif
+
 /**
  * @param[out] private_key_out must be 32 bytes.
  * @return false if the key has not been initialized (memory_setup() has not

src/rust/Cargo.lock

@@ -42,6 +42,7 @@ const ALLOWLIST_VARS: &[&str] = &[
     "MEMORY_PLATFORM_BITBOX02_PLUS",
     "MEMORY_SECURECHIP_TYPE_ATECC",
     "MEMORY_SECURECHIP_TYPE_OPTIGA",
+    "MAX_UNLOCK_ATTEMPTS",
 ];
 
 const ALLOWLIST_TYPES: &[&str] = &[
@@ -84,10 +85,12 @@ const ALLOWLIST_FNS: &[&str] = &[
     "keystore_unlock",
     "keystore_unlock_bip39",
     "keystore_bip39_mnemonic_from_seed",
+    "keystore_test_get_retained_seed_encrypted",
     "label_create",
     "localtime",
     "lock_animation_start",
     "lock_animation_stop",
+    "memory_set_salt_root",
     "memory_add_noise_remote_static_pubkey",
     "memory_bootloader_hash",
     "memory_check_noise_remote_static_pubkey",
@@ -142,6 +145,8 @@ const ALLOWLIST_FNS: &[&str] = &[
     "securechip_model",
     "securechip_monotonic_increments_remaining",
     "securechip_u2f_counter_set",
+    "smarteeprom_is_enabled",
+    "smarteeprom_disable",
     "smarteeprom_bb02_config",
     "status_create",
     "trinary_choice_create",

src/rust/bitbox02-sys/build.rs

@@ -30,6 +30,7 @@ hex = { workspace = true }
 
 [dev-dependencies]
 hex = { workspace = true }
+bitbox-aes = { path = "../bitbox-aes" }
 
 [features]
 # Only to be enabled in unit tests.

src/rust/bitbox02/Cargo.toml

@@ -509,6 +509,65 @@ mod tests {
         assert!(bip39_mnemonic_from_seed(b"foo").is_err());
     }
 
+    #[test]
+    fn test_unlock() {
+        mock_memory();
+        lock();
+
+        assert!(matches!(unlock("password"), Err(Error::Unseeded)));
+
+        let seed = hex::decode("cb33c20cea62a5c277527e2002da82e6e2b37450a755143a540a54cea8da9044")
+            .unwrap();
+
+        let mock_salt_root =
+            hex::decode("3333333333333333444444444444444411111111111111112222222222222222")
+                .unwrap();
+        crate::memory::set_salt_root(mock_salt_root.as_slice().try_into().unwrap()).unwrap();
+
+        assert!(encrypt_and_store_seed(&seed, "password").is_ok());
+        // Loop to check that unlocking works while unlocked.
+        for _ in 0..3 {
+            assert!(unlock("password").is_ok());
+        }
+
+        // Also check that the retained seed was encrypted with the expected encryption key.
+        let decrypted = {
+            let retained_seed_encrypted: &[u8] = unsafe {
+                let mut len = 0usize;
+                let ptr = bitbox02_sys::keystore_test_get_retained_seed_encrypted(&mut len);
+                core::slice::from_raw_parts(ptr, len)
+            };
+            let expected_retained_seed_secret =
+                hex::decode("b156be416530c6fc00018844161774a3546a53ac6dd4a0462608838e216008f7")
+                    .unwrap();
+            bitbox_aes::decrypt_with_hmac(&expected_retained_seed_secret, retained_seed_encrypted)
+                .unwrap()
+        };
+        assert_eq!(decrypted.as_slice(), seed.as_slice());
+
+        // First 9 wrong attempts.
+        for i in 1..bitbox02_sys::MAX_UNLOCK_ATTEMPTS {
+            assert!(matches!(
+                unlock("invalid password"),
+                Err(Error::IncorrectPassword { remaining_attempts }) if remaining_attempts
+                    == (bitbox02_sys::MAX_UNLOCK_ATTEMPTS  - i) as u8
+            ));
+            // Still seeded.
+            assert!(crate::memory::is_seeded());
+            // Wrong password does not lock the keystore again if already unlocked.
+            assert!(copy_seed().is_ok());
+        }
+        // Last attempt, triggers reset.
+        assert!(matches!(
+            unlock("invalid password"),
+            Err(Error::MaxAttemptsExceeded),
+        ));
+        // Last wrong attempt locks & resets. There is no more seed.
+        assert!(!crate::memory::is_seeded());
+        assert!(copy_seed().is_err());
+        assert!(matches!(unlock("password"), Err(Error::Unseeded)));
+    }
+
     // This tests that you can create a keystore, unlock it, and then do this again. This is an
     // expected workflow for when the wallet setup process is restarted after seeding and unlocking,
     // but before creating a backup, in which case a new seed is created.

src/rust/bitbox02/src/keystore.rs

@@ -217,6 +217,14 @@ pub fn ble_enable(enable: bool) -> Result<(), ()> {
     }
 }
 
+#[cfg(feature = "testing")]
+pub fn set_salt_root(salt_root: &[u8; 32]) -> Result<(), ()> {
+    match unsafe { bitbox02_sys::memory_set_salt_root(salt_root.as_ptr()) } {
+        true => Ok(()),
+        false => Err(()),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

src/rust/bitbox02/src/memory.rs

@@ -51,6 +51,9 @@ pub fn mock_memory() {
 
         assert!(bitbox02_sys::memory_setup(&MEMORY_IFS));
 
+        if bitbox02_sys::smarteeprom_is_enabled() {
+            bitbox02_sys::smarteeprom_disable();
+        }
         bitbox02_sys::smarteeprom_bb02_config();
         bitbox02_sys::bitbox02_smarteeprom_init();
         bitbox02_sys::spi_mem_full_erase();

src/rust/bitbox02/src/testing.rs

@@ -52,10 +52,6 @@ static uint8_t _mock_bip39_seed[64] = {
     0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
 };
 
-static uint8_t _unstretched_retained_seed_encryption_key[32] =
-    "\xfe\x09\x76\x01\x14\x52\xa7\x22\x12\xe4\xb8\xbd\x57\x2b\x5b\xe3\x01\x41\xa3\x56\xf1\x13\x37"
-    "\xd2\x9d\x35\xea\x8f\xf9\x97\xbe\xfc";
-
 static uint8_t _unstretched_retained_bip39_seed_encryption_key[32] =
     "\x9b\x44\xc7\x04\x88\x93\xfa\xaf\x6e\x2d\x76\x25\xd1\x3d\x8f\x1c\xab\x07\x65\xfd\x61\xf1\x59"
     "\xd9\x71\x3e\x08\x15\x5d\x06\x71\x7c";
@@ -73,10 +69,6 @@ static const uint8_t _expected_seckey[32] = {
     0x58, 0x92, 0x32, 0x9d, 0x67, 0xdf, 0xd4, 0xad, 0x05, 0xe9, 0xc3, 0xd0, 0x6e, 0xdf, 0x74, 0xfb,
 };
 
-static uint8_t _expected_retained_seed_secret[32] =
-    "\xb1\x56\xbe\x41\x65\x30\xc6\xfc\x00\x01\x88\x44\x16\x17\x74\xa3\x54\x6a\x53\xac\x6d\xd4\xa0"
-    "\x46\x26\x08\x83\x8e\x21\x60\x08\xf7";
-
 const uint8_t _expected_retained_bip39_seed_secret[32] =
     "\x85\x6d\x9a\x8c\x1e\xa4\x2a\x69\xae\x76\x32\x42\x44\xac\xe6\x74\x39\x7f\xf1\x36\x0a\x4b\xa4"
     "\xc8\x5f\xfb\xd4\x2c\xee\x8a\x7f\x29";
@@ -117,16 +109,6 @@ int __wrap_secp256k1_anti_exfil_sign(
     return __real_secp256k1_anti_exfil_sign(ctx, sig, msg32, seckey, host_data32, recid);
 }
 
-/** Reset the SmartEEPROM configuration. */
-static void _smarteeprom_reset(void)
-{
-    if (smarteeprom_is_enabled()) {
-        smarteeprom_disable();
-    }
-    smarteeprom_bb02_config();
-    bitbox02_smarteeprom_init();
-}
-
 static bool _reset_reset_called = false;
 void __wrap_reset_reset(void)
 {
@@ -138,21 +120,13 @@ void __wrap_random_32_bytes(uint8_t* buf)
     memcpy(buf, (const void*)mock(), 32);
 }
 
-static void _expect_retain_seed(void)
-{
-    will_return(__wrap_random_32_bytes, _unstretched_retained_seed_encryption_key);
-}
-
 static void _expect_retain_bip39_seed(void)
 {
     will_return(__wrap_random_32_bytes, _unstretched_retained_bip39_seed_encryption_key);
 }
 
 void _mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed)
 {
-    if (seed != NULL) {
-        _expect_retain_seed();
-    }
     if (bip39_seed != NULL) {
         _expect_retain_bip39_seed();
     }
@@ -262,86 +236,6 @@ static void _expect_encrypt_and_store_seed(void)
     will_return(__wrap_memory_is_initialized, false);
 }
 
-static void _expect_seeded(bool seeded)
-{
-    uint8_t seed[KEYSTORE_MAX_SEED_LENGTH];
-    size_t len;
-    assert_int_equal(seeded, keystore_copy_seed(seed, &len));
-    if (seeded) {
-        assert_memory_equal(seed, _mock_seed, sizeof(_mock_seed));
-        // Also check that the retained seed was encrypted with the expected encryption key.
-        size_t encrypted_len = 0;
-        const uint8_t* retained_seed_encrypted =
-            keystore_test_get_retained_seed_encrypted(&encrypted_len);
-        size_t decrypted_len = encrypted_len - 48;
-        uint8_t out[decrypted_len];
-        assert_true(cipher_aes_hmac_decrypt(
-            retained_seed_encrypted,
-            encrypted_len,
-            out,
-            &decrypted_len,
-            _expected_retained_seed_secret));
-        assert_int_equal(decrypted_len, 32);
-        assert_memory_equal(out, _mock_seed, decrypted_len);
-    }
-}
-
-static void _perform_some_unlocks(void)
-{
-    uint8_t remaining_attempts;
-    // Loop to check that unlocking unlocked works while unlocked.
-    for (int i = 0; i < 3; i++) {
-        _reset_reset_called = false;
-        will_return(__wrap_memory_is_seeded, true);
-        if (i == 0) {
-            _expect_retain_seed();
-        }
-        assert_int_equal(KEYSTORE_OK, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
-        assert_int_equal(remaining_attempts, MAX_UNLOCK_ATTEMPTS);
-        assert_false(_reset_reset_called);
-        _expect_seeded(true);
-    }
-}
-
-static void _test_keystore_unlock(void** state)
-{
-    _smarteeprom_reset();
-    _mock_unlocked(NULL, 0, NULL); // reset to locked
-
-    uint8_t remaining_attempts;
-
-    will_return(__wrap_memory_is_seeded, false);
-    assert_int_equal(KEYSTORE_ERR_UNSEEDED, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
-    _expect_encrypt_and_store_seed();
-    assert_int_equal(keystore_encrypt_and_store_seed(_mock_seed, 32, PASSWORD), KEYSTORE_OK);
-    _expect_seeded(false);
-
-    _perform_some_unlocks();
-
-    // Invalid passwords until we run out of attempts.
-    for (int i = 1; i <= MAX_UNLOCK_ATTEMPTS; i++) {
-        _reset_reset_called = false;
-        will_return(__wrap_memory_is_seeded, true);
-        assert_int_equal(
-            i >= MAX_UNLOCK_ATTEMPTS ? KEYSTORE_ERR_MAX_ATTEMPTS_EXCEEDED
-                                     : KEYSTORE_ERR_INCORRECT_PASSWORD,
-            keystore_unlock("invalid password", &remaining_attempts, NULL));
-        assert_int_equal(remaining_attempts, MAX_UNLOCK_ATTEMPTS - i);
-        // Wrong password does not lock the keystore again if already unlocked.
-        _expect_seeded(true);
-        // reset_reset() called in last attempt
-        assert_int_equal(i == MAX_UNLOCK_ATTEMPTS, _reset_reset_called);
-    }
-
-    // Trying again after max attempts is blocked immediately.
-    _reset_reset_called = false;
-    will_return(__wrap_memory_is_seeded, true);
-    assert_int_equal(
-        KEYSTORE_ERR_MAX_ATTEMPTS_EXCEEDED, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
-    assert_int_equal(remaining_attempts, 0);
-    assert_true(_reset_reset_called);
-}
-
 static void _test_keystore_unlock_bip39(void** state)
 {
     keystore_lock();
@@ -567,7 +461,6 @@ int main(void)
     const struct CMUnitTest tests[] = {
         cmocka_unit_test(_test_keystore_secp256k1_nonce_commit),
         cmocka_unit_test(_test_keystore_secp256k1_sign),
-        cmocka_unit_test(_test_keystore_unlock),
         cmocka_unit_test(_test_keystore_unlock_bip39),
         cmocka_unit_test(_test_keystore_lock),
         cmocka_unit_test(_test_keystore_bip39_mnemonic_from_seed),