securechip: return granular error code from securechip_kdf()

So we can use it and show it to the user if it goes wrong in keystore_unlock().

Author: benma

src/keystore.c

@@ -108,8 +108,19 @@ static uint8_t* _get_bip39_seed(void)
     return _retained_bip39_seed;
 }
 
-static keystore_error_t _stretch_password(const char* password, uint8_t* kdf_out)
+/**
+ * Stretch the user password using the securechip, putting the result in `kdf_out`, which must be 32
+ * bytes. `securechip_result_out`, if not NULL, will contain the error code from `securechip_kdf()`
+ * if there was a secure chip error, and 0 otherwise.
+ */
+static keystore_error_t _stretch_password(
+    const char* password,
+    uint8_t* kdf_out,
+    int* securechip_result_out)
 {
+    if (securechip_result_out != NULL) {
+        *securechip_result_out = 0;
+    }
     uint8_t password_salted_hashed[32] = {0};
     UTIL_CLEANUP_32(password_salted_hashed);
     if (!salt_hash_data(
@@ -126,13 +137,21 @@ static keystore_error_t _stretch_password(const char* password, uint8_t* kdf_out
 
     // First KDF on SECURECHIP_SLOT_ROLLKEY increments the monotonic
     // counter. Call only once!
-    if (!securechip_kdf(SECURECHIP_SLOT_ROLLKEY, kdf_in, 32, kdf_out)) {
+    int securechip_result = securechip_kdf(SECURECHIP_SLOT_ROLLKEY, kdf_in, 32, kdf_out);
+    if (securechip_result) {
+        if (securechip_result_out != NULL) {
+            *securechip_result_out = securechip_result;
+        }
         return KEYSTORE_ERR_SC_KDF;
     }
     // Second KDF does not use the counter and we call it multiple times.
     for (int i = 0; i < KDF_NUM_ITERATIONS; i++) {
         memcpy(kdf_in, kdf_out, 32);
-        if (!securechip_kdf(SECURECHIP_SLOT_KDF, kdf_in, 32, kdf_out)) {
+        securechip_result = securechip_kdf(SECURECHIP_SLOT_KDF, kdf_in, 32, kdf_out);
+        if (securechip_result) {
+            if (securechip_result_out != NULL) {
+                *securechip_result_out = securechip_result;
+            }
             return KEYSTORE_ERR_SC_KDF;
         }
     }
@@ -153,11 +172,18 @@ static keystore_error_t _stretch_password(const char* password, uint8_t* kdf_out
     return KEYSTORE_OK;
 }
 
+/**
+ * Retrieves the encrypted seed and attempts to decrypt it using the password.
+ *
+ * `securechip_result_out`, if not NULL, will contain the error code from `securechip_kdf()` if
+ * there was a secure chip error, and 0 otherwise.
+ */
 static keystore_error_t _get_and_decrypt_seed(
     const char* password,
     uint8_t* decrypted_seed_out,
     size_t* decrypted_seed_len_out,
-    bool* password_correct_out)
+    bool* password_correct_out,
+    int* securechip_result_out)
 {
     uint8_t encrypted_seed_and_hmac[96];
     UTIL_CLEANUP_32(encrypted_seed_and_hmac);
@@ -167,7 +193,7 @@ static keystore_error_t _get_and_decrypt_seed(
     }
     uint8_t secret[32];
     UTIL_CLEANUP_32(secret);
-    keystore_error_t result = _stretch_password(password, secret);
+    keystore_error_t result = _stretch_password(password, secret, securechip_result_out);
     if (result != KEYSTORE_OK) {
         return result;
     }
@@ -199,7 +225,7 @@ static bool _verify_seed(
     size_t seed_len;
     UTIL_CLEANUP_32(decrypted_seed);
     bool password_correct = false;
-    if (_get_and_decrypt_seed(password, decrypted_seed, &seed_len, &password_correct) !=
+    if (_get_and_decrypt_seed(password, decrypted_seed, &seed_len, &password_correct, NULL) !=
         KEYSTORE_OK) {
         return false;
     }
@@ -235,7 +261,7 @@ bool keystore_encrypt_and_store_seed(
     }
     uint8_t secret[32] = {0};
     UTIL_CLEANUP_32(secret);
-    if (_stretch_password(password, secret) != KEYSTORE_OK) {
+    if (_stretch_password(password, secret, NULL) != KEYSTORE_OK) {
         return false;
     }
 
@@ -302,7 +328,10 @@ static void _free_string(char** str)
     wally_free_string(*str);
 }
 
-keystore_error_t keystore_unlock(const char* password, uint8_t* remaining_attempts_out)
+keystore_error_t keystore_unlock(
+    const char* password,
+    uint8_t* remaining_attempts_out,
+    int* securechip_result_out)
 {
     if (!memory_is_seeded()) {
         return KEYSTORE_ERR_UNSEEDED;
@@ -323,7 +352,8 @@ keystore_error_t keystore_unlock(const char* password, uint8_t* remaining_attemp
     UTIL_CLEANUP_32(seed);
     size_t seed_len;
     bool password_correct = false;
-    keystore_error_t result = _get_and_decrypt_seed(password, seed, &seed_len, &password_correct);
+    keystore_error_t result =
+        _get_and_decrypt_seed(password, seed, &seed_len, &password_correct, securechip_result_out);
     if (result != KEYSTORE_OK) {
         return result;
     }

src/keystore.h

@@ -94,12 +94,15 @@ USE_RESULT bool keystore_create_and_store_seed(
  * If it is false, the keystore is not unlocked.
  * @param[out] remaining_attempts_out will have the number of remaining attempts.
  * If zero, the keystore is locked until the device is reset.
+ * @param[out] securechip_result_out, if not NULL, will contain the error code from
+ * `securechip_kdf()` if there was a secure chip error, and 0 otherwise.
  * @return
  * - KEYSTORE_OK if they keystore was successfully unlocked
  * - KEYSTORE_ERR_* if unsuccessful.
  * Only call this if memory_is_seeded() returns true.
  */
-USE_RESULT keystore_error_t keystore_unlock(const char* password, uint8_t* remaining_attempts_out);
+USE_RESULT keystore_error_t
+keystore_unlock(const char* password, uint8_t* remaining_attempts_out, int* securechip_result_out);
 
 /** Unlocks the bip39 seed.
  * @param[in] mnemonic_passphrase bip39 passphrase used in the derivation. Use the

src/rust/bitbox02/src/keystore.rs

@@ -38,7 +38,8 @@ pub enum Error {
     MaxAttemptsExceeded,
     Unseeded,
     Memory,
-    ScKdf,
+    // Securechip error with the error code from securechip.c
+    ScKdf(i32),
     Salt,
     Hash,
     SeedSize,
@@ -47,7 +48,14 @@ pub enum Error {
 
 pub fn unlock(password: &SafeInputString) -> Result<(), Error> {
     let mut remaining_attempts: u8 = 0;
-    match unsafe { bitbox02_sys::keystore_unlock(password.as_cstr(), &mut remaining_attempts) } {
+    let mut securechip_result: i32 = 0;
+    match unsafe {
+        bitbox02_sys::keystore_unlock(
+            password.as_cstr(),
+            &mut remaining_attempts,
+            &mut securechip_result,
+        )
+    } {
         keystore_error_t::KEYSTORE_OK => Ok(()),
         keystore_error_t::KEYSTORE_ERR_INCORRECT_PASSWORD => {
             Err(Error::IncorrectPassword { remaining_attempts })
@@ -56,7 +64,7 @@ pub fn unlock(password: &SafeInputString) -> Result<(), Error> {
         keystore_error_t::KEYSTORE_ERR_UNSEEDED => Err(Error::Unseeded),
         keystore_error_t::KEYSTORE_ERR_MEMORY => Err(Error::Memory),
         keystore_error_t::KEYSTORE_ERR_SEED_SIZE => Err(Error::SeedSize),
-        keystore_error_t::KEYSTORE_ERR_SC_KDF => Err(Error::ScKdf),
+        keystore_error_t::KEYSTORE_ERR_SC_KDF => Err(Error::ScKdf(securechip_result)),
         keystore_error_t::KEYSTORE_ERR_SALT => Err(Error::Salt),
         keystore_error_t::KEYSTORE_ERR_HASH => Err(Error::Hash),
     }

src/securechip/securechip.c

@@ -513,18 +513,18 @@ bool securechip_update_keys(void)
     return _update_kdf_key() == ATCA_SUCCESS;
 }
 
-bool securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint8_t* kdf_out)
+int securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint8_t* kdf_out)
 {
     if (len > 127 || (slot != SECURECHIP_SLOT_ROLLKEY && slot != SECURECHIP_SLOT_KDF)) {
-        return false;
+        return SC_ERR_INVALID_ARGS;
     }
     if (msg == kdf_out) {
-        return false;
+        return SC_ERR_INVALID_ARGS;
     }
 
     ATCA_STATUS result = _authorize_key();
     if (result != ATCA_SUCCESS) {
-        return false;
+        return result;
     }
 
     uint8_t nonce_out[32] = {0};
@@ -555,7 +555,7 @@ bool securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint
     /*     kdf_out, */
     /*     nonce_out); */
     if (result != ATCA_SUCCESS) {
-        return false;
+        return result;
     }
     // Output is encrypted with the io protection key.
     uint8_t io_protection_key[32] = {0};
@@ -567,11 +567,7 @@ bool securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint
         .data = kdf_out,
         .data_size = 32,
     };
-    result = atcah_io_decrypt(&io_dec_params);
-    if (result != ATCA_SUCCESS) {
-        return false;
-    }
-    return true;
+    return atcah_io_decrypt(&io_dec_params);
 }
 
 bool securechip_gen_attestation_key(uint8_t* pubkey_out)

src/securechip/securechip.h

@@ -29,6 +29,7 @@ typedef enum {
     SC_ERR_SLOT_UNLOCKED_AUTH = -5,
     SC_ERR_SLOT_UNLOCKED_ENC = -6,
     SC_ERR_IFS = -7,
+    SC_ERR_INVALID_ARGS = -8,
 } securechip_error_t;
 
 typedef struct {
@@ -87,9 +88,9 @@ USE_RESULT bool securechip_update_keys(void);
  * @param[in] len Must be <= 127.
  * @param[out] kdf_out Must have size 32. Result of the kdf will be stored here.
  * Cannot be the same as `msg`.
- * @return true on success.
+ * @return values of `securechip_error_t` if negative, values of `ATCA_STATUS` if positive, 0 on
  */
-USE_RESULT bool securechip_kdf(
+USE_RESULT int securechip_kdf(
     securechip_slot_t slot,
     const uint8_t* msg,
     size_t len,

src/workflow/restore.c

@@ -60,7 +60,7 @@ bool workflow_restore_backup(const RestoreBackupRequest* restore_request)
         return false;
     }
     uint8_t remaining_attempts;
-    if (keystore_unlock(password, &remaining_attempts) != KEYSTORE_OK) {
+    if (keystore_unlock(password, &remaining_attempts, NULL) != KEYSTORE_OK) {
         // This should/can never happen, but let's check anyway.
         Abort("workflow_restore_backup: unlock failed");
     }

test/device-test/src/test_backup.c

@@ -131,7 +131,7 @@ int main(void)
         Abort("Failed to create keystore");
     }
     uint8_t remaining_attempts;
-    if (keystore_unlock("device-test", &remaining_attempts) != KEYSTORE_OK) {
+    if (keystore_unlock("device-test", &remaining_attempts, NULL) != KEYSTORE_OK) {
         Abort("Failed to unlock keystore");
     }
     _test_backup(_timestamp, _timestamp);

test/unit-test/framework/mock_securechip.c

@@ -30,13 +30,13 @@ bool securechip_update_keys(void)
     return true;
 }
 
-bool securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint8_t* kdf_out)
+int securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint8_t* kdf_out)
 {
     check_expected(slot);
     check_expected(msg);
     // wally_sha256(msg, len, kdf_out, 32);
     memcpy(kdf_out, (const uint8_t*)mock(), 32);
-    return true;
+    return 0;
 }
 
 bool securechip_u2f_counter_set(uint32_t counter)

test/unit-test/test_keystore.c

@@ -376,15 +376,15 @@ static void _test_keystore_create_and_unlock_twice(void** state)
 
     will_return(__wrap_memory_is_seeded, true);
     _expect_stretch(true);
-    assert_int_equal(KEYSTORE_OK, keystore_unlock(PASSWORD, &remaining_attempts));
+    assert_int_equal(KEYSTORE_OK, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
 
     // Create new (different) seed.
     _expect_encrypt_and_store_seed();
     assert_true(keystore_encrypt_and_store_seed(_mock_seed_2, 32, PASSWORD));
 
     will_return(__wrap_memory_is_seeded, true);
     _expect_stretch(true);
-    assert_int_equal(KEYSTORE_OK, keystore_unlock(PASSWORD, &remaining_attempts));
+    assert_int_equal(KEYSTORE_OK, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
 }
 
 static void _expect_seeded(bool seeded)
@@ -402,7 +402,7 @@ static void _perform_some_unlocks(void)
         _reset_reset_called = false;
         will_return(__wrap_memory_is_seeded, true);
         _expect_stretch(true);
-        assert_int_equal(KEYSTORE_OK, keystore_unlock(PASSWORD, &remaining_attempts));
+        assert_int_equal(KEYSTORE_OK, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
         assert_int_equal(remaining_attempts, MAX_UNLOCK_ATTEMPTS);
         assert_false(_reset_reset_called);
         _expect_seeded(true);
@@ -417,7 +417,7 @@ static void _test_keystore_unlock(void** state)
     uint8_t remaining_attempts;
 
     will_return(__wrap_memory_is_seeded, false);
-    assert_int_equal(KEYSTORE_ERR_UNSEEDED, keystore_unlock(PASSWORD, &remaining_attempts));
+    assert_int_equal(KEYSTORE_ERR_UNSEEDED, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
     _expect_encrypt_and_store_seed();
     assert_true(keystore_encrypt_and_store_seed(_mock_seed, 32, PASSWORD));
     _expect_seeded(false);
@@ -432,7 +432,7 @@ static void _test_keystore_unlock(void** state)
         assert_int_equal(
             i >= MAX_UNLOCK_ATTEMPTS ? KEYSTORE_ERR_MAX_ATTEMPTS_EXCEEDED
                                      : KEYSTORE_ERR_INCORRECT_PASSWORD,
-            keystore_unlock(PASSWORD, &remaining_attempts));
+            keystore_unlock(PASSWORD, &remaining_attempts, NULL));
         assert_int_equal(remaining_attempts, MAX_UNLOCK_ATTEMPTS - i);
         // Wrong password does not lock the keystore again if already unlocked.
         _expect_seeded(true);
@@ -444,7 +444,7 @@ static void _test_keystore_unlock(void** state)
     _reset_reset_called = false;
     will_return(__wrap_memory_is_seeded, true);
     assert_int_equal(
-        KEYSTORE_ERR_MAX_ATTEMPTS_EXCEEDED, keystore_unlock(PASSWORD, &remaining_attempts));
+        KEYSTORE_ERR_MAX_ATTEMPTS_EXCEEDED, keystore_unlock(PASSWORD, &remaining_attempts, NULL));
     assert_int_equal(remaining_attempts, 0);
     assert_true(_reset_reset_called);
 }

test/unit-test/test_keystore_functional.c

@@ -48,12 +48,12 @@ static uint8_t _salt_root[KEYSTORE_MAX_SEED_LENGTH] = {
     0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
 };
 
-bool __wrap_securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint8_t* kdf_out)
+int __wrap_securechip_kdf(securechip_slot_t slot, const uint8_t* msg, size_t len, uint8_t* kdf_out)
 {
     assert_true(slot == SECURECHIP_SLOT_KDF || slot == SECURECHIP_SLOT_ROLLKEY);
     uint8_t key[3] = "key";
     assert_int_equal(WALLY_OK, wally_hmac_sha256(key, sizeof(key), msg, len, kdf_out, SHA256_LEN));
-    return true;
+    return 0;
 }
 
 /** Reset the SmartEEPROM configuration. */
@@ -86,11 +86,12 @@ static void _test_seeds(void** state)
         will_return(__wrap_memory_is_seeded, true);
         assert_int_equal(
             KEYSTORE_ERR_INCORRECT_PASSWORD,
-            keystore_unlock(_some_other_password, &remaining_attempts));
+            keystore_unlock(_some_other_password, &remaining_attempts, NULL));
         // First time: unlock. After unlock, it becomes a password check.
         for (int i = 0; i < 3; i++) {
             will_return(__wrap_memory_is_seeded, true);
-            assert_int_equal(KEYSTORE_OK, keystore_unlock(_some_password, &remaining_attempts));
+            assert_int_equal(
+                KEYSTORE_OK, keystore_unlock(_some_password, &remaining_attempts, NULL));
         }
         assert_true(keystore_copy_seed(read_seed, &read_seed_len));
         assert_int_equal(seed_size, read_seed_len);
@@ -158,7 +159,7 @@ static void _test_combination(
     uint8_t remaining_attempts;
     assert_true(keystore_is_locked());
     will_return(__wrap_memory_is_seeded, true);
-    assert_int_equal(KEYSTORE_OK, keystore_unlock(_some_password, &remaining_attempts));
+    assert_int_equal(KEYSTORE_OK, keystore_unlock(_some_password, &remaining_attempts, NULL));
     assert_true(keystore_is_locked());
     assert_true(keystore_unlock_bip39(mnemonic_passphrase));
     assert_false(keystore_is_locked());