Remove session pin.

It is intended for bio features, not supported by Pico HSM. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-04-09 17:25:50 +02:00 · 2026-03-18 16:40:08 +01:00
parent 1ced9f6267
commit 54cba3efdf
5 changed files with 10 additions and 63 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -74,7 +74,6 @@ set(SOURCES ${SOURCES}
    ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_derive_asym.c
    ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_extras.c
    ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_general_authenticate.c
-    ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_session_pin.c
    ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_puk_auth.c
    ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_pso.c
    ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_bip_slip.c
--- a/2
+++ b/2
--- a/src/hsm/cmd_session_pin.c
+++ b/src/hsm/cmd_session_pin.c
@@ -1,35 +0,0 @@
-/*
- * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
- * Copyright (c) 2022 Pol Henarejos.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, version 3.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
-
-#include "sc_hsm.h"
-#include "random.h"
-#include "eac.h"
-
-int cmd_session_pin(void) {
-    if (P1(apdu) == 0x01 && P2(apdu) == 0x81) {
-        memcpy(sm_session_pin, random_bytes_get(8), 8);
-        sm_session_pin_len = 8;
-
-        memcpy(res_APDU, sm_session_pin, sm_session_pin_len);
-        res_APDU_size = sm_session_pin_len;
-        apdu.ne = sm_session_pin_len;
-    }
-    else {
-        return SW_INCORRECT_P1P2();
-    }
-    return SW_OK();
-}
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
@@ -235,7 +235,6 @@ void init_sc_hsm(void) {
 int sc_hsm_unload(void) {
    has_session_pin = has_session_sopin = false;
    isUserAuthenticated = false;
-    sm_session_pin_len = 0;
    return PICOKEY_OK;
 }

@@ -363,28 +362,17 @@ uint16_t check_pin(const file_t *pin, const uint8_t *data, uint16_t len) {
        isUserAuthenticated = false;
    }
    has_session_pin = has_session_sopin = false;
-    if (is_secured_apdu() && sm_session_pin_len > 0 && pin == file_pin1) {
-        if (len == sm_session_pin_len && memcmp(data, sm_session_pin, len) != 0) {
-            int retries;
-            if ((retries = pin_wrong_retry(pin)) < PICOKEY_OK) {
-                return SW_PIN_BLOCKED();
-            }
-            return set_res_sw(0x63, 0xc0 | (uint8_t)retries);
-        }
+    uint8_t dhash[32];
+    double_hash_pin(data, len, dhash);
+    if (sizeof(dhash) != file_get_size(pin) - 1) { // 1 byte for pin len
+        return SW_CONDITIONS_NOT_SATISFIED();
    }
-    else {
-        uint8_t dhash[32];
-        double_hash_pin(data, len, dhash);
-        if (sizeof(dhash) != file_get_size(pin) - 1) { // 1 byte for pin len
-            return SW_CONDITIONS_NOT_SATISFIED();
-        }
-        if (memcmp(file_get_data(pin) + 1, dhash, sizeof(dhash)) != 0) {
-            int retries;
-            if ((retries = pin_wrong_retry(pin)) < PICOKEY_OK) {
-                return SW_PIN_BLOCKED();
-            }
-            return set_res_sw(0x63, 0xc0 | (uint8_t)retries);
+    if (memcmp(file_get_data(pin) + 1, dhash, sizeof(dhash)) != 0) {
+        int retries;
+        if ((retries = pin_wrong_retry(pin)) < PICOKEY_OK) {
+            return SW_PIN_BLOCKED();
        }
+        return set_res_sw(0x63, 0xc0 | (uint8_t)retries);
    }
    int r = pin_reset_retries(pin, false);
    if (r == PICOKEY_ERR_BLOCKED) {
@@ -684,7 +672,6 @@ int load_private_key_ecdh(mbedtls_ecp_keypair *ctx, file_t *fkey) {
 #define INS_KEY_DOMAIN              0x52
 #define INS_PUK_AUTH                0x54
 #define INS_LIST_KEYS               0x58
-#define INS_SESSION_PIN             0x5A
 #define INS_DECRYPT_ASYM            0x62
 #define INS_EXTRAS                  0x64
 #define INS_SIGNATURE               0x68
@@ -725,7 +712,6 @@ static const cmd_t cmds[] = {
    { INS_EXTRAS, cmd_extras },
    { INS_MSE, cmd_mse },
    { INS_GENERAL_AUTHENTICATE, cmd_general_authenticate },
-    { INS_SESSION_PIN, cmd_session_pin },
    { INS_PUK_AUTH, cmd_puk_auth },
    { INS_PSO, cmd_pso },
    { INS_EXTERNAL_AUTHENTICATE, cmd_external_authenticate },
--- a/src/hsm/sc_hsm.h
+++ b/src/hsm/sc_hsm.h
@@ -82,8 +82,6 @@ extern const uint8_t sc_hsm_aid[];

 #define HSM_OPT_RRC                 0x0001
 #define HSM_OPT_TRANSPORT_PIN       0x0002
-#define HSM_OPT_SESSION_PIN         0x0004
-#define HSM_OPT_SESSION_PIN_EXPL    0x000C
 #define HSM_OPT_REPLACE_PKA         0x0008
 #define HSM_OPT_COMBINED_AUTH       0x0010
 #define HSM_OPT_RRC_RESET_ONLY      0x0020
@@ -158,7 +156,6 @@ extern int cmd_cipher_sym(void);
 extern int cmd_derive_asym(void);
 extern int cmd_extras(void);
 extern int cmd_general_authenticate(void);
-extern int cmd_session_pin(void);
 extern int cmd_puk_auth(void);
 extern int cmd_pso(void);
 extern int cmd_bip_slip(void);