1 /*
2 * Copyright (C) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_auth_funcs.h"
17
18 #include <math.h>
19 #include "securec.h"
20
21 #include "auth_level.h"
22 #include "adaptor_algorithm.h"
23 #include "adaptor_log.h"
24 #include "adaptor_time.h"
25 #include "auth_token_signer.h"
26 #include "context_manager.h"
27 #include "executor_message.h"
28 #include "hmac_key.h"
29 #include "idm_database.h"
30 #include "idm_session.h"
31 #include "udid_manager.h"
32
33 #ifdef IAM_TEST_ENABLE
34 #define IAM_STATIC
35 #else
36 #define IAM_STATIC static
37 #endif
38
39 // Used to cache screenLock auth token plain.
40 IAM_STATIC UnlockAuthResultCache g_unlockAuthResult = {false, 0, 0, {}};
41 // Used to cache any caller auth token plain.
42 IAM_STATIC UnlockAuthResultCache g_anyAuthResult = {false, 0, 0, {}};
43
GenerateSolutionFunc(AuthParamHal param,LinkedList ** schedules)44 ResultCode GenerateSolutionFunc(AuthParamHal param, LinkedList **schedules)
45 {
46 if (schedules == NULL) {
47 LOG_ERROR("schedules is null");
48 return RESULT_BAD_PARAM;
49 }
50 if (!GetEnableStatus(param.userId, param.authType)) {
51 LOG_ERROR("authType is not support %{public}d", param.authType);
52 return RESULT_TYPE_NOT_SUPPORT;
53 }
54 UserAuthContext *authContext = NULL;
55 ResultCode result = GenerateAuthContext(param, &authContext);
56 if (result != RESULT_SUCCESS) {
57 LOG_ERROR("GenerateAuthContext fail %{public}d", result);
58 return result;
59 }
60 if (authContext == NULL) {
61 LOG_ERROR("authContext is null");
62 return RESULT_GENERAL_ERROR;
63 }
64 if (!authContext->isExpiredReturnSuccess && authContext->authExpiredSysTime != NO_CHECK_PIN_EXPIRED_PERIOD) {
65 uint64_t nowTime = GetReeTime();
66 if (nowTime > authContext->authExpiredSysTime) {
67 LOG_ERROR("pin is expired");
68 return RESULT_PIN_EXPIRED;
69 }
70 }
71 ResultCode ret = CopySchedules(authContext, schedules);
72 if (ret != RESULT_SUCCESS) {
73 DestroyContext(authContext);
74 return ret;
75 }
76 return ret;
77 }
78
CacheUnlockAuthResult(int32_t userId,uint64_t secureUid,const UserAuthTokenHal * unlockToken)79 IAM_STATIC void CacheUnlockAuthResult(int32_t userId, uint64_t secureUid, const UserAuthTokenHal *unlockToken)
80 {
81 (void)memset_s(&g_unlockAuthResult, sizeof(UnlockAuthResultCache), 0, sizeof(UnlockAuthResultCache));
82 g_unlockAuthResult.isCached = true;
83 g_unlockAuthResult.userId = userId;
84 g_unlockAuthResult.secureUid = secureUid;
85 g_unlockAuthResult.authToken = *unlockToken;
86 }
87
CacheAnyAuthResult(int32_t userId,uint64_t secureUid,const UserAuthTokenHal * unlockToken)88 IAM_STATIC void CacheAnyAuthResult(int32_t userId, uint64_t secureUid, const UserAuthTokenHal *unlockToken)
89 {
90 (void)memset_s(&g_anyAuthResult, sizeof(UnlockAuthResultCache), 0, sizeof(UnlockAuthResultCache));
91 g_anyAuthResult.isCached = true;
92 g_anyAuthResult.userId = userId;
93 g_anyAuthResult.secureUid = secureUid;
94 g_anyAuthResult.authToken = *unlockToken;
95 }
96
SetAuthResult(uint64_t credentialId,const UserAuthContext * context,const ExecutorResultInfo * info,AuthResult * result)97 IAM_STATIC void SetAuthResult(uint64_t credentialId,
98 const UserAuthContext *context, const ExecutorResultInfo *info, AuthResult *result)
99 {
100 result->credentialId = credentialId;
101 result->userId = context->userId;
102 result->authType = context->authType;
103 result->freezingTime = info->freezingTime;
104 result->remainTimes = info->remainTimes;
105 result->result = info->result;
106 }
107
GetExpiredInfoForResult(const UserAuthContext * context,AuthResult * result)108 IAM_STATIC ResultCode GetExpiredInfoForResult(const UserAuthContext *context, AuthResult *result)
109 {
110 if (context == NULL || result == NULL) {
111 LOG_INFO("bad param");
112 return RESULT_BAD_PARAM;
113 }
114 if (context->authExpiredSysTime == NO_CHECK_PIN_EXPIRED_PERIOD) {
115 LOG_INFO("pinExpiredPeriod is not set");
116 result->pinExpiredInfo = NO_SET_PIN_EXPIRED_PERIOD;
117 return RESULT_SUCCESS;
118 }
119 uint64_t currentTime = GetReeTime();
120 if (currentTime < context->authExpiredSysTime) {
121 // MAX_JS_NUMBER_VALUE is 2^50.
122 const uint64_t MAX_JS_NUMBER_VALUE = 1125899906842624;
123 result->pinExpiredInfo = MAX_JS_NUMBER_VALUE;
124 if (context->authExpiredSysTime - currentTime < MAX_JS_NUMBER_VALUE) {
125 result->pinExpiredInfo = context->authExpiredSysTime - currentTime;
126 }
127 LOG_INFO("pin is not expired");
128 return RESULT_SUCCESS;
129 }
130 result->pinExpiredInfo = 0;
131 if (!context->isExpiredReturnSuccess) {
132 LOG_ERROR("pin is expired");
133 return RESULT_PIN_EXPIRED;
134 }
135 LOG_INFO("caller is screenLock or setting");
136 return RESULT_SUCCESS;
137 }
138
HandleAuthSuccessResult(const UserAuthContext * context,const ExecutorResultInfo * info,AuthResult * result,UserAuthTokenHal * authToken)139 IAM_STATIC ResultCode HandleAuthSuccessResult(const UserAuthContext *context, const ExecutorResultInfo *info,
140 AuthResult *result, UserAuthTokenHal *authToken)
141 {
142 EnrolledStateHal enrolledState = {};
143 if (GetEnrolledState(context->userId, context->authType, &enrolledState) == RESULT_SUCCESS) {
144 result->credentialDigest = enrolledState.credentialDigest;
145 result->credentialCount = enrolledState.credentialCount;
146 }
147 if (result->result == RESULT_SUCCESS && context->authType == PIN_AUTH &&
148 memcmp(context->localUdid, context->collectorUdid, sizeof(context->localUdid)) == 0) {
149 result->rootSecret = CopyBuffer(info->rootSecret);
150 if (!IsBufferValid(result->rootSecret)) {
151 LOG_ERROR("rootSecret is invalid");
152 return RESULT_NO_MEMORY;
153 }
154 CacheRootSecret(context->userId, result->rootSecret);
155 }
156 ResultCode ret = GetExpiredInfoForResult(context, result);
157 if (ret != RESULT_SUCCESS) {
158 LOG_ERROR("GetExpiredInfoForResult failed");
159 return ret;
160 }
161 uint64_t secureUid;
162 ret = GetSecureUid(context->userId, &secureUid);
163 if (ret != RESULT_SUCCESS) {
164 LOG_ERROR("get secure uid failed");
165 return RESULT_GENERAL_ERROR;
166 }
167 if (context->authIntent == UNLOCK) {
168 LOG_INFO("cache unlock auth result");
169 CacheUnlockAuthResult(context->userId, secureUid, authToken);
170 }
171 LOG_INFO("cache any auth result");
172 CacheAnyAuthResult(context->userId, secureUid, authToken);
173 return RESULT_SUCCESS;
174 }
175
SetAuthResultMsgToAttribute(Attribute * attribute,AuthResult * result,uint64_t scheduleId,Uint8Array authToken)176 IAM_STATIC ResultCode SetAuthResultMsgToAttribute(Attribute *attribute, AuthResult *result,
177 uint64_t scheduleId, Uint8Array authToken)
178 {
179 ResultCode ret = SetAttributeUint64(attribute, ATTR_SCHEDULE_ID, scheduleId);
180 if (ret != RESULT_SUCCESS) {
181 LOG_ERROR("SetAttributeUint64 scheduleId failed");
182 return ret;
183 }
184 ret = SetAttributeInt32(attribute, ATTR_RESULT, result->result);
185 if (ret != RESULT_SUCCESS) {
186 LOG_ERROR("SetAttributeInt32 result failed");
187 return ret;
188 }
189 ret = SetAttributeInt32(attribute, ATTR_LOCKOUT_DURATION, result->freezingTime);
190 if (ret != RESULT_SUCCESS) {
191 LOG_ERROR("SetAttributeInt32 freezingTime failed");
192 return ret;
193 }
194 ret = SetAttributeInt32(attribute, ATTR_REMAIN_ATTEMPTS, result->remainTimes);
195 if (ret != RESULT_SUCCESS) {
196 LOG_ERROR("SetAttributeInt32 remainTimes failed");
197 return ret;
198 }
199 ret = SetAttributeInt32(attribute, ATTR_USER_ID, result->userId);
200 if (ret != RESULT_SUCCESS) {
201 LOG_ERROR("SetAttributeInt32 userId failed");
202 return ret;
203 }
204 ret = SetAttributeUint8Array(attribute, ATTR_TOKEN, authToken);
205 if (ret != RESULT_SUCCESS) {
206 LOG_ERROR("SetAttributeUint8Array for authToken fail");
207 }
208 return ret;
209 }
210
GenerateRemoteAuthResultMsg(AuthResult * result,uint64_t scheduleId,Uint8Array collectorUdid,UserAuthTokenHal * authToken)211 IAM_STATIC ResultCode GenerateRemoteAuthResultMsg(AuthResult *result, uint64_t scheduleId, Uint8Array collectorUdid,
212 UserAuthTokenHal *authToken)
213 {
214 Attribute *attribute = NULL;
215 Uint8Array retInfo = {};
216 ResultCode funcRet = RESULT_GENERAL_ERROR;
217 do {
218 attribute = CreateEmptyAttribute();
219 retInfo = (Uint8Array){ Malloc(MAX_EXECUTOR_MSG_LEN), MAX_EXECUTOR_MSG_LEN };
220 if (attribute == NULL || retInfo.data == NULL) {
221 LOG_ERROR("create attribute or malloc failed");
222 break;
223 }
224
225 Uint8Array authTokenIn = { (uint8_t *)(&authToken), sizeof(UserAuthTokenHal) };
226 if (SetAuthResultMsgToAttribute(attribute, result, scheduleId, authTokenIn) != RESULT_SUCCESS) {
227 LOG_ERROR("SetAuthResultMsgToAttribute failed");
228 break;
229 }
230
231 SignParam signParam = {
232 .needSignature = true,
233 .keyType = KEY_TYPE_CROSS_DEVICE,
234 .peerUdid = collectorUdid
235 };
236 if (GetAttributeExecutorMsg(attribute, &retInfo, signParam) != RESULT_SUCCESS) {
237 LOG_ERROR("GetAttributeExecutorMsg failed");
238 break;
239 }
240 result->remoteAuthResultMsg = CreateBufferByData(retInfo.data, retInfo.len);
241 funcRet = RESULT_SUCCESS;
242 } while (0);
243
244 FreeAttribute(&attribute);
245 Free(retInfo.data);
246 return funcRet;
247 }
248
RequestAuthResultFuncInner(UserAuthContext * userAuthContext,ExecutorResultInfo * executorResultInfo,UserAuthTokenHal * authToken,AuthResult * result)249 IAM_STATIC ResultCode RequestAuthResultFuncInner(UserAuthContext *userAuthContext,
250 ExecutorResultInfo *executorResultInfo, UserAuthTokenHal *authToken, AuthResult *result)
251 {
252 ResultCode ret = RESULT_SUCCESS;
253 Uint8Array collectorUdid = { userAuthContext->collectorUdid, sizeof(userAuthContext->collectorUdid) };
254 if (!IsLocalUdid(collectorUdid)) {
255 ret = GenerateRemoteAuthResultMsg(result, executorResultInfo->scheduleId, collectorUdid, authToken);
256 if (ret != RESULT_SUCCESS) {
257 LOG_ERROR("generate remote auth result failed");
258 return ret;
259 }
260 }
261
262 if (executorResultInfo->result == RESULT_SUCCESS) {
263 ret = HandleAuthSuccessResult(userAuthContext, executorResultInfo, result, authToken);
264 if (ret != RESULT_SUCCESS) {
265 LOG_ERROR("handle auth success result failed");
266 return ret;
267 }
268 }
269 return ret;
270 }
271
RequestAuthResultFunc(uint64_t contextId,const Buffer * scheduleResult,UserAuthTokenHal * authToken,AuthResult * result)272 ResultCode RequestAuthResultFunc(uint64_t contextId, const Buffer *scheduleResult, UserAuthTokenHal *authToken,
273 AuthResult *result)
274 {
275 if (!IsBufferValid(scheduleResult) || authToken == NULL || result == NULL || result->rootSecret != NULL) {
276 LOG_ERROR("param is invalid");
277 DestroyContextbyId(contextId);
278 return RESULT_BAD_PARAM;
279 }
280
281 UserAuthContext *userAuthContext = GetContext(contextId);
282 if (userAuthContext == NULL) {
283 LOG_ERROR("context is not found");
284 return RESULT_GENERAL_ERROR;
285 }
286
287 ExecutorResultInfo *executorResultInfo = CreateExecutorResultInfo(scheduleResult);
288 if (executorResultInfo == NULL) {
289 LOG_ERROR("CreateExecutorResultInfo fail");
290 DestroyContext(userAuthContext);
291 return RESULT_GENERAL_ERROR;
292 }
293
294
295 uint64_t credentialId;
296 ResultCode ret = FillInContext(userAuthContext, &credentialId, executorResultInfo, SCHEDULE_MODE_AUTH);
297 if (ret != RESULT_SUCCESS) {
298 LOG_ERROR("FillInContext fail");
299 goto EXIT;
300 }
301
302 if (executorResultInfo->result == RESULT_SUCCESS) {
303 ret = GetAuthTokenDataAndSign(userAuthContext, credentialId, SCHEDULE_MODE_AUTH, authToken);
304 if (ret != RESULT_SUCCESS) {
305 LOG_ERROR("sign token failed");
306 goto EXIT;
307 }
308 }
309 SetAuthResult(credentialId, userAuthContext, executorResultInfo, result);
310 if (RequestAuthResultFuncInner(userAuthContext, executorResultInfo, authToken, result) != RESULT_SUCCESS) {
311 LOG_ERROR("RequestAuthResultFuncInner failed");
312 goto EXIT;
313 }
314
315 EXIT:
316 DestroyExecutorResultInfo(executorResultInfo);
317 DestroyContext(userAuthContext);
318 return ret;
319 }
320
GetEnrolledStateFunc(int32_t userId,uint32_t authType,EnrolledStateHal * enrolledStateHal)321 ResultCode GetEnrolledStateFunc(int32_t userId, uint32_t authType, EnrolledStateHal *enrolledStateHal)
322 {
323 if (!GetEnableStatus(userId, authType)) {
324 LOG_ERROR("authType is not support %{public}d", authType);
325 return RESULT_TYPE_NOT_SUPPORT;
326 }
327 ResultCode ret = GetEnrolledState(userId, authType, enrolledStateHal);
328 if (ret != RESULT_SUCCESS) {
329 LOG_ERROR("GetEnrolledState failed");
330 return ret;
331 }
332
333 return RESULT_SUCCESS;
334 }
335
CheckReuseUnlockTokenValid(const ReuseUnlockParamHal * info,UnlockAuthResultCache authResultCache)336 IAM_STATIC ResultCode CheckReuseUnlockTokenValid(const ReuseUnlockParamHal *info, UnlockAuthResultCache authResultCache)
337 {
338 if (!authResultCache.isCached) {
339 LOG_ERROR("invalid cached unlock token");
340 return RESULT_GENERAL_ERROR;
341 }
342 if ((authResultCache.authToken.tokenDataPlain.authMode != SCHEDULE_MODE_AUTH)
343 || (authResultCache.authToken.tokenDataPlain.tokenType != TOKEN_TYPE_LOCAL_AUTH)) {
344 LOG_ERROR("need local auth");
345 return RESULT_VERIFY_TOKEN_FAIL;
346 }
347 uint64_t time = GetSystemTime();
348 if (time < authResultCache.authToken.tokenDataPlain.time) {
349 LOG_ERROR("bad system time");
350 return RESULT_GENERAL_ERROR;
351 }
352 if ((time - authResultCache.authToken.tokenDataPlain.time) > REUSED_UNLOCK_TOKEN_PERIOD) {
353 (void)memset_s(&authResultCache, sizeof(UnlockAuthResultCache), 0, sizeof(UnlockAuthResultCache));
354 authResultCache.isCached = false;
355 LOG_ERROR("cached unlock token is time out");
356 return RESULT_TOKEN_TIMEOUT;
357 }
358 if ((time - authResultCache.authToken.tokenDataPlain.time) > info->reuseUnlockResultDuration) {
359 LOG_ERROR("reuse unlock check reuseUnlockResultDuration fail");
360 return RESULT_TOKEN_TIMEOUT;
361 }
362 if (info->userId != authResultCache.userId) {
363 LOG_ERROR("reuse unlock check userId fail");
364 return RESULT_GENERAL_ERROR;
365 }
366 if (info->authTrustLevel > authResultCache.authToken.tokenDataPlain.authTrustLevel) {
367 LOG_ERROR("reuse unlock check authTrustLevel fail");
368 return RESULT_GENERAL_ERROR;
369 }
370 if (info->reuseUnlockResultMode == AUTH_TYPE_RELEVANT ||
371 info->reuseUnlockResultMode == CALLER_IRRELEVANT_AUTH_TYPE_RELEVANT) {
372 for (uint32_t i = 0; i < info->authTypeSize; i++) {
373 if (info->authTypes[i] == authResultCache.authToken.tokenDataPlain.authType) {
374 return RESULT_SUCCESS;
375 }
376 }
377 LOG_ERROR("reuse unlock check authType fail");
378 return RESULT_GENERAL_ERROR;
379 }
380 return RESULT_SUCCESS;
381 }
382
GetReuseUnlockResult(const ReuseUnlockParamHal * info,ReuseUnlockResult * reuseResult)383 IAM_STATIC ResultCode GetReuseUnlockResult(const ReuseUnlockParamHal *info, ReuseUnlockResult *reuseResult)
384 {
385 UnlockAuthResultCache authResultCache = {};
386 if (info->reuseUnlockResultMode == AUTH_TYPE_RELEVANT || info->reuseUnlockResultMode == AUTH_TYPE_IRRELEVANT) {
387 authResultCache = g_unlockAuthResult;
388 } else if (info->reuseUnlockResultMode == CALLER_IRRELEVANT_AUTH_TYPE_RELEVANT ||
389 info->reuseUnlockResultMode == CALLER_IRRELEVANT_AUTH_TYPE_IRRELEVANT) {
390 authResultCache = g_anyAuthResult;
391 }
392 uint64_t secureUid;
393 ResultCode ret = GetSecureUid(info->userId, &secureUid);
394 if (ret != RESULT_SUCCESS) {
395 LOG_ERROR("get secure uid failed");
396 return RESULT_GENERAL_ERROR;
397 }
398 if (secureUid != authResultCache.secureUid) {
399 LOG_ERROR("check secureUid failed");
400 return RESULT_GENERAL_ERROR;
401 }
402 ret = CheckReuseUnlockTokenValid(info, authResultCache);
403 if (ret != RESULT_SUCCESS) {
404 LOG_ERROR("check unlock token fail");
405 return ret;
406 }
407 *((UserAuthTokenHal *)reuseResult->token) = authResultCache.authToken;
408 reuseResult->authType = authResultCache.authToken.tokenDataPlain.authType;
409 ((UserAuthTokenHal *)reuseResult->token)->tokenDataPlain.authMode = SCHEDULE_MODE_REUSE_UNLOCK_AUTH_RESULT;
410 ((UserAuthTokenHal *)reuseResult->token)->tokenDataPlain.tokenType = TOKEN_TYPE_LOCAL_RESIGN;
411 if (memcpy_s(((UserAuthTokenHal *)reuseResult->token)->tokenDataPlain.challenge, CHALLENGE_LEN, info->challenge,
412 CHALLENGE_LEN) != EOK) {
413 LOG_ERROR("challenge copy failed");
414 return RESULT_BAD_COPY;
415 }
416 ret = GetEnrolledState(info->userId, reuseResult->authType, &reuseResult->enrolledState);
417 if (ret == RESULT_NOT_ENROLLED) {
418 LOG_ERROR("GetEnrolledState result not enrolled");
419 (void)memset_s(&reuseResult->enrolledState, sizeof(EnrolledStateHal), 0, sizeof(EnrolledStateHal));
420 ret = RESULT_SUCCESS;
421 }
422 return ret;
423 }
424
CheckReuseUnlockResultFunc(const ReuseUnlockParamHal * info,ReuseUnlockResult * reuseResult)425 ResultCode CheckReuseUnlockResultFunc(const ReuseUnlockParamHal *info, ReuseUnlockResult *reuseResult)
426 {
427 if (info == NULL || reuseResult == NULL || info->reuseUnlockResultDuration == 0 ||
428 info->reuseUnlockResultDuration > REUSED_UNLOCK_TOKEN_PERIOD ||
429 (info->reuseUnlockResultMode != AUTH_TYPE_RELEVANT && info->reuseUnlockResultMode != AUTH_TYPE_IRRELEVANT &&
430 info->reuseUnlockResultMode != CALLER_IRRELEVANT_AUTH_TYPE_RELEVANT &&
431 info->reuseUnlockResultMode != CALLER_IRRELEVANT_AUTH_TYPE_IRRELEVANT)) {
432 LOG_ERROR("CheckReuseUnlockResultFunc bad param");
433 return RESULT_BAD_PARAM;
434 }
435 ResultCode ret = GetReuseUnlockResult(info, reuseResult);
436 if (ret != RESULT_SUCCESS) {
437 LOG_ERROR("get reuse unlock result failed");
438 (void)memset_s(reuseResult, sizeof(ReuseUnlockResult), 0, sizeof(ReuseUnlockResult));
439 return ret;
440 }
441 ret = ReuseUnlockTokenSign((UserAuthTokenHal *)reuseResult->token);
442 if (ret != RESULT_SUCCESS) {
443 LOG_ERROR("reuse unlock token sign failed");
444 (void)memset_s(reuseResult, sizeof(ReuseUnlockResult), 0, sizeof(ReuseUnlockResult));
445 return ret;
446 }
447 return ret;
448 }
449
SetGlobalConfigParamFunc(GlobalConfigParamHal * param)450 ResultCode SetGlobalConfigParamFunc(GlobalConfigParamHal *param)
451 {
452 if (param == NULL || param->userIdNum > MAX_USER || param->authTypeNum > MAX_AUTH_TYPE_LEN ||
453 param->authTypeNum == 0 || (param->type != PIN_EXPIRED_PERIOD && param->type != ENABLE_STATUS)) {
454 LOG_ERROR("bad param");
455 return RESULT_BAD_PARAM;
456 }
457 ResultCode ret = SaveGlobalConfigParam(param);
458 if (ret != RESULT_SUCCESS) {
459 LOG_ERROR("Save globalConfigParam failed");
460 }
461 return ret;
462 }
463
GetAvailableStatusFunc(int32_t userId,int32_t authType,uint32_t authTrustLevel)464 ResultCode GetAvailableStatusFunc(int32_t userId, int32_t authType, uint32_t authTrustLevel)
465 {
466 if (!GetEnableStatus(userId, authType)) {
467 LOG_ERROR("authType is not support %{public}d", authType);
468 return RESULT_TYPE_NOT_SUPPORT;
469 }
470 ResultCode ret = CheckAtlByExecutorAndCred(userId, authType, authTrustLevel);
471 if (ret != RESULT_SUCCESS) {
472 LOG_ERROR("CheckAtlByExecutorAndCred failed");
473 return ret;
474 }
475
476 PinExpiredInfo expiredInfo = {};
477 ret = GetPinExpiredInfo(userId, &expiredInfo);
478 if (ret != RESULT_SUCCESS) {
479 LOG_ERROR("GetPinExpiredInfo failed");
480 return ret;
481 }
482 if (expiredInfo.pinExpiredPeriod == NO_CHECK_PIN_EXPIRED_PERIOD) {
483 LOG_ERROR("pinExpiredPeriod is not set");
484 return RESULT_SUCCESS;
485 }
486 uint64_t nowTime = GetReeTime();
487 if (nowTime > expiredInfo.pinExpiredPeriod + expiredInfo.pinEnrolledSysTime) {
488 LOG_ERROR("pin is expired");
489 return RESULT_PIN_EXPIRED;
490 }
491 return RESULT_SUCCESS;
492 }
493
GenerateScheduleFunc(const Buffer * tlv,Uint8Array remoteUdid,ScheduleInfoParam * scheduleInfo)494 ResultCode GenerateScheduleFunc(const Buffer *tlv, Uint8Array remoteUdid, ScheduleInfoParam *scheduleInfo)
495 {
496 if (!IsBufferValid(tlv) || IS_ARRAY_NULL(remoteUdid) || (scheduleInfo == NULL)) {
497 LOG_ERROR("param is invalid");
498 return RESULT_BAD_PARAM;
499 }
500 ResultCode result = CreateScheduleInfo(tlv, remoteUdid, scheduleInfo);
501 if (result != RESULT_SUCCESS) {
502 LOG_ERROR("CreateScheduleInfo failed");
503 }
504 return result;
505 }
506
GenerateAuthResultFunc(const Buffer * tlv,AuthResultParam * authResultInfo)507 ResultCode GenerateAuthResultFunc(const Buffer *tlv, AuthResultParam *authResultInfo)
508 {
509 if (!IsBufferValid(tlv) || (authResultInfo == NULL)) {
510 LOG_ERROR("param is invalid");
511 return RESULT_BAD_PARAM;
512 }
513 ResultCode result = CreateAuthResultInfo(tlv, authResultInfo);
514 if (result != RESULT_SUCCESS) {
515 LOG_ERROR("CreateAuthResultInfo failed");
516 }
517 return result;
518 }
519
GetExecutorInfoLinkedList(uint32_t authType,uint32_t executorRole,LinkedList * allExecutorInfoList)520 ResultCode GetExecutorInfoLinkedList(uint32_t authType, uint32_t executorRole, LinkedList *allExecutorInfoList)
521 {
522 IF_TRUE_LOGE_AND_RETURN_VAL(allExecutorInfoList == NULL, RESULT_BAD_PARAM);
523 uint8_t localUdidData[UDID_LEN] = { 0 };
524 Uint8Array localUdid = { localUdidData, UDID_LEN };
525 bool getLocalUdidRet = GetLocalUdid(&localUdid);
526 IF_TRUE_LOGE_AND_RETURN_VAL(!getLocalUdidRet, RESULT_GENERAL_ERROR);
527
528 ExecutorCondition condition = {};
529 SetExecutorConditionAuthType(&condition, authType);
530 SetExecutorConditionExecutorRole(&condition, executorRole);
531 SetExecutorConditionDeviceUdid(&condition, localUdid);
532
533 LinkedList *executorList = QueryExecutor(&condition);
534 if (executorList == NULL) {
535 LOG_ERROR("query executor failed");
536 return RESULT_UNKNOWN;
537 }
538 if (executorList->getSize(executorList) == 0) {
539 LOG_ERROR("executor is not found");
540 DestroyLinkedList(executorList);
541 return RESULT_TYPE_NOT_SUPPORT;
542 }
543 LinkedListNode *temp = executorList->head;
544 while (temp != NULL) {
545 ExecutorInfoHal *executorInfo = (ExecutorInfoHal *)temp->data;
546 if (executorInfo == NULL) {
547 LOG_ERROR("executorInfo is invalid");
548 DestroyLinkedList(executorList);
549 return RESULT_UNKNOWN;
550 }
551 ExecutorInfoHal *copiedExecutorInfo = CopyExecutorInfo(executorInfo);
552 if (executorInfo == NULL) {
553 LOG_ERROR("copiedExecutorInfo is invalid");
554 DestroyLinkedList(executorList);
555 return RESULT_UNKNOWN;
556 }
557 if (allExecutorInfoList->insert(allExecutorInfoList, copiedExecutorInfo) != RESULT_SUCCESS) {
558 LOG_ERROR("insert executor info failed");
559 DestroyLinkedList(executorList);
560 return RESULT_GENERAL_ERROR;
561 }
562 temp = temp->next;
563 }
564 DestroyLinkedList(executorList);
565 return RESULT_SUCCESS;
566 }
567
GetSignExecutorInfoFuncInner(Uint8Array peerUdid,LinkedList * executorList,Uint8Array executorInfoTlvMsg,Uint8Array * executorInfoArray,uint32_t executorInfoArraySize)568 static Buffer *GetSignExecutorInfoFuncInner(Uint8Array peerUdid, LinkedList *executorList,
569 Uint8Array executorInfoTlvMsg, Uint8Array *executorInfoArray, uint32_t executorInfoArraySize)
570 {
571 LinkedListNode *temp = executorList->head;
572 uint32_t index = 0;
573 while (temp != NULL) {
574 ExecutorInfoHal *executorInfo = (ExecutorInfoHal *)temp->data;
575 if (executorInfo == NULL) {
576 LOG_ERROR("executorInfo is invalid");
577 return NULL;
578 }
579 if (index >= executorInfoArraySize) {
580 LOG_ERROR("executor size is invalid");
581 return NULL;
582 }
583 ResultCode result = GetExecutorInfoMsg(executorInfo, &executorInfoArray[index]);
584 if (result != RESULT_SUCCESS) {
585 LOG_ERROR("get executor info msg fail");
586 return NULL;
587 }
588 index++;
589 temp = temp->next;
590 }
591 ResultCode result = GetMultiDataSerializedMsg(executorInfoArray, executorInfoArraySize, &executorInfoTlvMsg);
592 if (result != RESULT_SUCCESS) {
593 LOG_ERROR("GetMultiDataSerializedMsg failed");
594 return NULL;
595 }
596 return GetExecutorInfoTlv(executorInfoTlvMsg, peerUdid);
597 }
598
GetSignExecutorInfoFunc(Uint8Array peerUdid,LinkedList * executorList)599 Buffer *GetSignExecutorInfoFunc(Uint8Array peerUdid, LinkedList *executorList)
600 {
601 if (IS_ARRAY_NULL(peerUdid) || executorList == NULL) {
602 LOG_ERROR("params is null");
603 return NULL;
604 }
605 if (executorList->getSize(executorList) == 0) {
606 LOG_ERROR("executor is unregistered");
607 return NULL;
608 }
609 if (executorList->size > UINT32_MAX / sizeof(Uint8Array)) {
610 LOG_ERROR("invalid executorList size");
611 return NULL;
612 }
613
614 Uint8Array executorInfoTlvMsg = { Malloc(MAX_EXECUTOR_MSG_LEN), MAX_EXECUTOR_MSG_LEN };
615 IF_TRUE_LOGE_AND_RETURN_VAL(executorInfoTlvMsg.data == NULL, NULL);
616
617 Uint8Array executorInfoArray[executorList->size];
618 bool mallocOk = true;
619 for (uint32_t i = 0; i < executorList->size; i++) {
620 executorInfoArray[i] = (Uint8Array){ Malloc(MAX_EXECUTOR_MSG_LEN), MAX_EXECUTOR_MSG_LEN };
621 if (executorInfoArray[i].data == NULL) {
622 LOG_ERROR("malloc fail");
623 mallocOk = false;
624 continue;
625 }
626 }
627
628 Buffer *signedExecutorInfo = NULL;
629 if (mallocOk) {
630 signedExecutorInfo = GetSignExecutorInfoFuncInner(peerUdid, executorList,
631 executorInfoTlvMsg, executorInfoArray, executorList->size);
632 }
633
634 Free(executorInfoTlvMsg.data);
635 for (uint32_t i = 0; i < executorList->size; i++) {
636 Free(executorInfoArray[i].data);
637 }
638
639 return signedExecutorInfo;
640 }
641
DestroyAuthResult(AuthResult * authResult)642 void DestroyAuthResult(AuthResult *authResult)
643 {
644 if (authResult == NULL) {
645 return;
646 }
647 DestoryBuffer(authResult->rootSecret);
648 DestoryBuffer(authResult->remoteAuthResultMsg);
649 (void)memset_s(authResult, sizeof(AuthResult), 0, sizeof(AuthResult));
650 }