From 859dec7e4af5ba73b18fe37c610c6c97adbed29a Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Sun, 8 Dec 2024 01:23:51 +0100
Subject: [PATCH] Accept mkek mask only if secure lock is enabled.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
---
 src/hsm/cmd_extras.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/hsm/cmd_extras.c b/src/hsm/cmd_extras.c
index 9c2cfe5..4641411 100644
--- a/src/hsm/cmd_extras.c
+++ b/src/hsm/cmd_extras.c
@@ -162,13 +162,12 @@ int cmd_extras() {
             if (mse.init == false) {
                 return SW_COMMAND_NOT_ALLOWED();
             }
-
+            uint16_t opts = get_device_options();
             int ret = mse_decrypt_ct(apdu.data, apdu.nc);
             if (ret != 0) {
                 return SW_WRONG_DATA();
             }
             if (P2(apdu) == SECURE_LOCK_ENABLE || P2(apdu) == SECURE_LOCK_DISABLE) { // Enable
-                uint16_t opts = get_device_options();
                 uint8_t newopts[] = { opts >> 8, (opts & 0xff) };
                 if ((P2(apdu) == SECURE_LOCK_ENABLE && !(opts & HSM_OPT_SECURE_LOCK)) ||
                     (P2(apdu) == SECURE_LOCK_DISABLE && (opts & HSM_OPT_SECURE_LOCK))) {
@@ -196,7 +195,7 @@ int cmd_extras() {
                 file_put_data(tf, newopts, sizeof(newopts));
                 low_flash_available();
             }
-            else if (P2(apdu) == SECURE_LOCK_MASK) {
+            else if (P2(apdu) == SECURE_LOCK_MASK && (opts & HSM_OPT_SECURE_LOCK)) {
                 memcpy(mkek_mask, apdu.data, MKEK_KEY_SIZE);
                 has_mkek_mask = true;
             }