Reduce SC events during restore

src/keystore.c

@@ -208,22 +208,35 @@ static keystore_error_t _get_and_decrypt_seed(
 }
 
 static bool _verify_seed(
-    const char* password,
+    const uint8_t* encryption_key,
     const uint8_t* expected_seed,
     size_t expected_seed_len)
 {
-    uint8_t decrypted_seed[KEYSTORE_MAX_SEED_LENGTH] = {0};
-    size_t seed_len;
-    UTIL_CLEANUP_32(decrypted_seed);
-    if (_get_and_decrypt_seed(password, decrypted_seed, &seed_len, NULL) != KEYSTORE_OK) {
+    uint8_t encrypted_seed_and_hmac[96];
+    UTIL_CLEANUP_32(encrypted_seed_and_hmac);
+    uint8_t encrypted_len;
+    if (!memory_get_encrypted_seed_and_hmac(encrypted_seed_and_hmac, &encrypted_len)) {
         return false;
     }
-    if (expected_seed_len != seed_len) {
+    if (encrypted_len < 49) {
+        Abort("_verify_seed: underflow / zero size");
+    }
+    size_t decrypted_len = encrypted_len - 48;
+    uint8_t decrypted[decrypted_len];
+    bool password_correct = cipher_aes_hmac_decrypt(
+        encrypted_seed_and_hmac, encrypted_len, decrypted, &decrypted_len, encryption_key);
+    if (!password_correct) {
         return false;
     }
-    if (!MEMEQ(expected_seed, decrypted_seed, seed_len)) {
+    if (expected_seed_len != decrypted_len) {
+        util_zero(decrypted, sizeof(decrypted));
+        return false;
+    }
+    if (!MEMEQ(expected_seed, decrypted, expected_seed_len)) {
+        util_zero(decrypted, sizeof(decrypted));
         return false;
     }
+    util_zero(decrypted, sizeof(decrypted));
     return true;
 }
 
@@ -356,7 +369,7 @@ keystore_error_t keystore_encrypt_and_store_seed(
     if (!memory_set_encrypted_seed_and_hmac(encrypted_seed, encrypted_seed_len_u8)) {
         return KEYSTORE_ERR_MEMORY;
     }
-    if (!_verify_seed(password, seed, seed_length)) {
+    if (!_verify_seed(secret, seed, seed_length)) {
         if (!memory_reset_hww()) {
             return KEYSTORE_ERR_MEMORY;
         }

src/rust/bitbox02-rust/src/hww/api/restore.rs

@@ -200,7 +200,7 @@ mod tests {
             )),
             Ok(Response::Success(pb::Success {}))
         );
-        assert_eq!(bitbox02::securechip::fake_event_counter(), 13);
+        assert_eq!(bitbox02::securechip::fake_event_counter(), 8);
         drop(mock_hal); // to remove mutable borrow of counter
         assert_eq!(counter, 2);
         assert!(!keystore::is_locked());

src/rust/bitbox02-rust/src/hww/api/set_password.rs

@@ -80,7 +80,7 @@ mod tests {
             )),
             Ok(Response::Success(pb::Success {}))
         );
-        assert_eq!(bitbox02::securechip::fake_event_counter(), 14);
+        assert_eq!(bitbox02::securechip::fake_event_counter(), 9);
         drop(mock_hal); // to remove mutable borrow of counter
         assert_eq!(counter, 2);
         assert!(!keystore::is_locked());

src/rust/bitbox02-rust/src/keystore.rs

@@ -577,7 +577,7 @@ mod tests {
 
             bitbox02::securechip::fake_event_counter_reset();
             assert!(keystore::encrypt_and_store_seed(seed, "foo").is_ok());
-            assert_eq!(bitbox02::securechip::fake_event_counter(), 12);
+            assert_eq!(bitbox02::securechip::fake_event_counter(), 7);
 
             assert!(keystore::is_locked());