1 /*
2 * Copyright (C) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_auth_funcs.h"
17
18 #include <math.h>
19 #include "securec.h"
20
21 #include "auth_level.h"
22 #include "adaptor_algorithm.h"
23 #include "adaptor_log.h"
24 #include "adaptor_time.h"
25 #include "auth_token_signer.h"
26 #include "context_manager.h"
27 #include "executor_message.h"
28 #include "hmac_key.h"
29 #include "idm_database.h"
30 #include "idm_session.h"
31 #include "udid_manager.h"
32
33 #ifdef IAM_TEST_ENABLE
34 #define IAM_STATIC
35 #else
36 #define IAM_STATIC static
37 #endif
38
39 // Used to cache screenLock auth token plain.
40 IAM_STATIC UnlockAuthResultCache g_unlockAuthResult = {false, 0, 0, {}};
41 // Used to cache any caller auth token plain.
42 IAM_STATIC UnlockAuthResultCache g_anyAuthResult = {false, 0, 0, {}};
43
GenerateSolutionFunc(AuthParamHal param,LinkedList ** schedules)44 ResultCode GenerateSolutionFunc(AuthParamHal param, LinkedList **schedules)
45 {
46 if (schedules == NULL) {
47 LOG_ERROR("schedules is null");
48 return RESULT_BAD_PARAM;
49 }
50 if (!GetEnableStatus(param.userId, param.authType)) {
51 LOG_ERROR("authType is not support %{public}d", param.authType);
52 return RESULT_TYPE_NOT_SUPPORT;
53 }
54 UserAuthContext *authContext = NULL;
55 ResultCode result = GenerateAuthContext(param, &authContext);
56 if (result != RESULT_SUCCESS) {
57 LOG_ERROR("GenerateAuthContext fail %{public}d", result);
58 return result;
59 }
60 if (authContext == NULL) {
61 LOG_ERROR("authContext is null");
62 return RESULT_GENERAL_ERROR;
63 }
64 if (!authContext->isExpiredReturnSuccess && authContext->authExpiredSysTime != NO_CHECK_PIN_EXPIRED_PERIOD) {
65 uint64_t nowTime = GetReeTime();
66 if (nowTime > authContext->authExpiredSysTime) {
67 LOG_ERROR("pin is expired");
68 return RESULT_PIN_EXPIRED;
69 }
70 }
71 ResultCode ret = CopySchedules(authContext, schedules);
72 if (ret != RESULT_SUCCESS) {
73 DestroyContext(authContext);
74 return ret;
75 }
76 return ret;
77 }
78
CacheUnlockAuthResult(int32_t userId,uint64_t secureUid,const UserAuthTokenHal * unlockToken)79 IAM_STATIC void CacheUnlockAuthResult(int32_t userId, uint64_t secureUid, const UserAuthTokenHal *unlockToken)
80 {
81 (void)memset_s(&g_unlockAuthResult, sizeof(UnlockAuthResultCache), 0, sizeof(UnlockAuthResultCache));
82 g_unlockAuthResult.isCached = true;
83 g_unlockAuthResult.userId = userId;
84 g_unlockAuthResult.secureUid = secureUid;
85 g_unlockAuthResult.authToken = *unlockToken;
86 }
87
CacheAnyAuthResult(int32_t userId,uint64_t secureUid,const UserAuthTokenHal * unlockToken)88 IAM_STATIC void CacheAnyAuthResult(int32_t userId, uint64_t secureUid, const UserAuthTokenHal *unlockToken)
89 {
90 (void)memset_s(&g_anyAuthResult, sizeof(UnlockAuthResultCache), 0, sizeof(UnlockAuthResultCache));
91 g_anyAuthResult.isCached = true;
92 g_anyAuthResult.userId = userId;
93 g_anyAuthResult.secureUid = secureUid;
94 g_anyAuthResult.authToken = *unlockToken;
95 }
96
SetAuthResult(uint64_t credentialId,const UserAuthContext * context,const ExecutorResultInfo * info,AuthResult * result)97 IAM_STATIC void SetAuthResult(uint64_t credentialId,
98 const UserAuthContext *context, const ExecutorResultInfo *info, AuthResult *result)
99 {
100 result->credentialId = credentialId;
101 result->userId = context->userId;
102 result->authType = context->authType;
103 result->freezingTime = info->freezingTime;
104 result->remainTimes = info->remainTimes;
105 result->result = info->result;
106 }
107
GetExpiredInfoForResult(const UserAuthContext * context,AuthResult * result)108 IAM_STATIC ResultCode GetExpiredInfoForResult(const UserAuthContext *context, AuthResult *result)
109 {
110 if (context == NULL || result == NULL) {
111 LOG_INFO("bad param");
112 return RESULT_BAD_PARAM;
113 }
114 if (context->authIntent == ABANDONED_PIN_AUTH) {
115 result->pinExpiredInfo = GetCredentialValidPeriod(context->userId, result->credentialId);
116 } else {
117 if (context->authExpiredSysTime == NO_CHECK_PIN_EXPIRED_PERIOD) {
118 LOG_INFO("pinExpiredPeriod is not set");
119 result->pinExpiredInfo = NO_SET_PIN_EXPIRED_PERIOD;
120 return RESULT_SUCCESS;
121 }
122 uint64_t currentTime = GetReeTime();
123 if (currentTime < context->authExpiredSysTime) {
124 // MAX_JS_NUMBER_VALUE is 2^50.
125 const uint64_t MAX_JS_NUMBER_VALUE = 1125899906842624;
126 result->pinExpiredInfo = MAX_JS_NUMBER_VALUE;
127 if (context->authExpiredSysTime - currentTime < MAX_JS_NUMBER_VALUE) {
128 result->pinExpiredInfo = context->authExpiredSysTime - currentTime;
129 }
130 LOG_INFO("pin is not expired");
131 return RESULT_SUCCESS;
132 }
133 result->pinExpiredInfo = 0;
134 if (!context->isExpiredReturnSuccess) {
135 LOG_ERROR("pin is expired");
136 return RESULT_PIN_EXPIRED;
137 }
138 LOG_INFO("caller is screenLock or setting");
139 }
140 return RESULT_SUCCESS;
141 }
142
HandleAuthSuccessResult(const UserAuthContext * context,const ExecutorResultInfo * info,AuthResult * result,UserAuthTokenHal * authToken)143 IAM_STATIC ResultCode HandleAuthSuccessResult(const UserAuthContext *context, const ExecutorResultInfo *info,
144 AuthResult *result, UserAuthTokenHal *authToken)
145 {
146 EnrolledStateHal enrolledState = {};
147 if (GetEnrolledState(context->userId, context->authType, &enrolledState) == RESULT_SUCCESS) {
148 result->credentialDigest = enrolledState.credentialDigest;
149 result->credentialCount = enrolledState.credentialCount;
150 }
151
152 if (result->result == RESULT_SUCCESS && context->authType == PIN_AUTH &&
153 IsAllZero(&context->collectorUdid[0], UDID_LEN)) {
154 if (context->authIntent == ABANDONED_PIN_AUTH) {
155 SetOldRootSecret(context->userId, info->oldRootSecret);
156 }
157 result->rootSecret = CopyBuffer(info->rootSecret);
158 if (!IsBufferValid(result->rootSecret)) {
159 LOG_ERROR("rootSecret is invalid");
160 return RESULT_NO_MEMORY;
161 }
162 SetCurRootSecret(context->userId, result->rootSecret);
163 }
164 ResultCode ret = GetExpiredInfoForResult(context, result);
165 if (ret != RESULT_SUCCESS) {
166 LOG_ERROR("GetExpiredInfoForResult failed");
167 return ret;
168 }
169 uint64_t secureUid;
170 ret = GetSecureUid(context->userId, &secureUid);
171 if (ret != RESULT_SUCCESS) {
172 LOG_ERROR("get secure uid failed");
173 return RESULT_GENERAL_ERROR;
174 }
175 if (context->authIntent == UNLOCK) {
176 LOG_INFO("cache unlock auth result");
177 CacheUnlockAuthResult(context->userId, secureUid, authToken);
178 }
179
180 LOG_INFO("cache any auth result");
181 CacheAnyAuthResult(context->userId, secureUid, authToken);
182 return RESULT_SUCCESS;
183 }
184
SetAuthResultMsgToAttribute(Attribute * attribute,AuthResult * result,uint64_t scheduleId,Uint8Array authToken)185 IAM_STATIC ResultCode SetAuthResultMsgToAttribute(Attribute *attribute, AuthResult *result,
186 uint64_t scheduleId, Uint8Array authToken)
187 {
188 ResultCode ret = SetAttributeUint64(attribute, ATTR_SCHEDULE_ID, scheduleId);
189 if (ret != RESULT_SUCCESS) {
190 LOG_ERROR("SetAttributeUint64 scheduleId failed");
191 return ret;
192 }
193 ret = SetAttributeInt32(attribute, ATTR_RESULT, result->result);
194 if (ret != RESULT_SUCCESS) {
195 LOG_ERROR("SetAttributeInt32 result failed");
196 return ret;
197 }
198 ret = SetAttributeInt32(attribute, ATTR_LOCKOUT_DURATION, result->freezingTime);
199 if (ret != RESULT_SUCCESS) {
200 LOG_ERROR("SetAttributeInt32 freezingTime failed");
201 return ret;
202 }
203 ret = SetAttributeInt32(attribute, ATTR_REMAIN_ATTEMPTS, result->remainTimes);
204 if (ret != RESULT_SUCCESS) {
205 LOG_ERROR("SetAttributeInt32 remainTimes failed");
206 return ret;
207 }
208 ret = SetAttributeInt32(attribute, ATTR_USER_ID, result->userId);
209 if (ret != RESULT_SUCCESS) {
210 LOG_ERROR("SetAttributeInt32 userId failed");
211 return ret;
212 }
213 ret = SetAttributeUint8Array(attribute, ATTR_TOKEN, authToken);
214 if (ret != RESULT_SUCCESS) {
215 LOG_ERROR("SetAttributeUint8Array for authToken fail");
216 }
217 return ret;
218 }
219
GenerateRemoteAuthResultMsg(AuthResult * result,uint64_t scheduleId,Uint8Array collectorUdid,UserAuthTokenHal * authToken)220 IAM_STATIC ResultCode GenerateRemoteAuthResultMsg(AuthResult *result, uint64_t scheduleId, Uint8Array collectorUdid,
221 UserAuthTokenHal *authToken)
222 {
223 Attribute *attribute = NULL;
224 Uint8Array retInfo = {};
225 ResultCode funcRet = RESULT_GENERAL_ERROR;
226 do {
227 attribute = CreateEmptyAttribute();
228 retInfo = (Uint8Array){ Malloc(MAX_EXECUTOR_MSG_LEN), MAX_EXECUTOR_MSG_LEN };
229 if (attribute == NULL || retInfo.data == NULL) {
230 LOG_ERROR("create attribute or malloc failed");
231 break;
232 }
233
234 Uint8Array authTokenIn = { (uint8_t *)(&authToken), sizeof(UserAuthTokenHal) };
235 if (SetAuthResultMsgToAttribute(attribute, result, scheduleId, authTokenIn) != RESULT_SUCCESS) {
236 LOG_ERROR("SetAuthResultMsgToAttribute failed");
237 break;
238 }
239
240 SignParam signParam = {
241 .needSignature = true,
242 .keyType = KEY_TYPE_CROSS_DEVICE,
243 .peerUdid = collectorUdid
244 };
245 if (GetAttributeExecutorMsg(attribute, &retInfo, signParam) != RESULT_SUCCESS) {
246 LOG_ERROR("GetAttributeExecutorMsg failed");
247 break;
248 }
249 result->remoteAuthResultMsg = CreateBufferByData(retInfo.data, retInfo.len);
250 funcRet = RESULT_SUCCESS;
251 } while (0);
252
253 FreeAttribute(&attribute);
254 Free(retInfo.data);
255 return funcRet;
256 }
257
RequestAuthResultFuncInner(UserAuthContext * userAuthContext,ExecutorResultInfo * executorResultInfo,UserAuthTokenHal * authToken,AuthResult * result)258 IAM_STATIC ResultCode RequestAuthResultFuncInner(UserAuthContext *userAuthContext,
259 ExecutorResultInfo *executorResultInfo, UserAuthTokenHal *authToken, AuthResult *result)
260 {
261 ResultCode ret = RESULT_SUCCESS;
262 Uint8Array collectorUdid = { userAuthContext->collectorUdid, sizeof(userAuthContext->collectorUdid) };
263 if (!IsLocalUdid(collectorUdid) && !IsAllZero(userAuthContext->collectorUdid, UDID_LEN)) {
264 ret = GenerateRemoteAuthResultMsg(result, executorResultInfo->scheduleId, collectorUdid, authToken);
265 if (ret != RESULT_SUCCESS) {
266 LOG_ERROR("generate remote auth result failed");
267 return ret;
268 }
269 }
270
271 if (executorResultInfo->result == RESULT_SUCCESS) {
272 ret = HandleAuthSuccessResult(userAuthContext, executorResultInfo, result, authToken);
273 if (ret != RESULT_SUCCESS) {
274 LOG_ERROR("handle auth success result failed");
275 return ret;
276 }
277
278 SetPinChangeScence(userAuthContext->userId, userAuthContext->authIntent);
279 }
280 return ret;
281 }
282
RequestAuthResultFunc(uint64_t contextId,const Buffer * scheduleResult,UserAuthTokenHal * authToken,AuthResult * result)283 ResultCode RequestAuthResultFunc(uint64_t contextId, const Buffer *scheduleResult, UserAuthTokenHal *authToken,
284 AuthResult *result)
285 {
286 if (!IsBufferValid(scheduleResult) || authToken == NULL || result == NULL || result->rootSecret != NULL) {
287 LOG_ERROR("param is invalid");
288 DestroyContextbyId(contextId);
289 return RESULT_BAD_PARAM;
290 }
291
292 UserAuthContext *userAuthContext = GetContext(contextId);
293 if (userAuthContext == NULL) {
294 LOG_ERROR("context is not found");
295 return RESULT_GENERAL_ERROR;
296 }
297
298 ExecutorResultInfo *executorResultInfo = CreateExecutorResultInfo(scheduleResult);
299 if (executorResultInfo == NULL) {
300 LOG_ERROR("CreateExecutorResultInfo fail");
301 DestroyContext(userAuthContext);
302 return RESULT_GENERAL_ERROR;
303 }
304
305 uint64_t credentialId;
306 ResultCode ret = FillInContext(userAuthContext, &credentialId, executorResultInfo, SCHEDULE_MODE_AUTH);
307 if (ret != RESULT_SUCCESS) {
308 LOG_ERROR("FillInContext fail");
309 goto EXIT;
310 }
311
312 if (executorResultInfo->result == RESULT_SUCCESS) {
313 ret = GetAuthTokenDataAndSign(userAuthContext, credentialId, SCHEDULE_MODE_AUTH, authToken);
314 if (ret != RESULT_SUCCESS) {
315 LOG_ERROR("sign token failed");
316 goto EXIT;
317 }
318 }
319 SetAuthResult(credentialId, userAuthContext, executorResultInfo, result);
320 if (RequestAuthResultFuncInner(userAuthContext, executorResultInfo, authToken, result) != RESULT_SUCCESS) {
321 LOG_ERROR("RequestAuthResultFuncInner failed");
322 goto EXIT;
323 }
324
325 EXIT:
326 DestroyExecutorResultInfo(executorResultInfo);
327 DestroyContext(userAuthContext);
328 return ret;
329 }
330
GetEnrolledStateFunc(int32_t userId,uint32_t authType,EnrolledStateHal * enrolledStateHal)331 ResultCode GetEnrolledStateFunc(int32_t userId, uint32_t authType, EnrolledStateHal *enrolledStateHal)
332 {
333 if (!GetEnableStatus(userId, authType)) {
334 LOG_ERROR("authType is not support %{public}d", authType);
335 return RESULT_TYPE_NOT_SUPPORT;
336 }
337 ResultCode ret = GetEnrolledState(userId, authType, enrolledStateHal);
338 if (ret != RESULT_SUCCESS) {
339 LOG_ERROR("GetEnrolledState failed");
340 return ret;
341 }
342
343 return RESULT_SUCCESS;
344 }
345
CheckReuseUnlockTokenValid(const ReuseUnlockParamHal * info,UnlockAuthResultCache authResultCache)346 IAM_STATIC ResultCode CheckReuseUnlockTokenValid(const ReuseUnlockParamHal *info, UnlockAuthResultCache authResultCache)
347 {
348 if (!authResultCache.isCached) {
349 LOG_ERROR("invalid cached unlock token");
350 return RESULT_REUSE_AUTH_RESULT_FAILED;
351 }
352 if ((authResultCache.authToken.tokenDataPlain.authMode != SCHEDULE_MODE_AUTH)
353 || (authResultCache.authToken.tokenDataPlain.tokenType != TOKEN_TYPE_LOCAL_AUTH)) {
354 LOG_ERROR("need local auth");
355 return RESULT_REUSE_AUTH_RESULT_FAILED;
356 }
357 uint64_t time = GetSystemTime();
358 if (time < authResultCache.authToken.tokenDataPlain.time) {
359 LOG_ERROR("bad system time");
360 return RESULT_REUSE_AUTH_RESULT_FAILED;
361 }
362 if ((time - authResultCache.authToken.tokenDataPlain.time) > REUSED_UNLOCK_TOKEN_PERIOD) {
363 (void)memset_s(&authResultCache, sizeof(UnlockAuthResultCache), 0, sizeof(UnlockAuthResultCache));
364 authResultCache.isCached = false;
365 LOG_ERROR("cached unlock token is time out");
366 return RESULT_REUSE_AUTH_RESULT_FAILED;
367 }
368 if ((time - authResultCache.authToken.tokenDataPlain.time) > info->reuseUnlockResultDuration) {
369 LOG_ERROR("reuse unlock check reuseUnlockResultDuration fail");
370 return RESULT_REUSE_AUTH_RESULT_FAILED;
371 }
372 if (info->userId != authResultCache.userId) {
373 LOG_ERROR("reuse unlock check userId fail");
374 return RESULT_REUSE_AUTH_RESULT_FAILED;
375 }
376 if (info->authTrustLevel > authResultCache.authToken.tokenDataPlain.authTrustLevel) {
377 LOG_ERROR("reuse unlock check authTrustLevel fail");
378 return RESULT_REUSE_AUTH_RESULT_FAILED;
379 }
380 if (info->reuseUnlockResultMode == AUTH_TYPE_RELEVANT ||
381 info->reuseUnlockResultMode == CALLER_IRRELEVANT_AUTH_TYPE_RELEVANT) {
382 for (uint32_t i = 0; i < info->authTypeSize; i++) {
383 if (info->authTypes[i] == authResultCache.authToken.tokenDataPlain.authType) {
384 return RESULT_SUCCESS;
385 }
386 }
387 LOG_ERROR("reuse unlock check authType fail");
388 return RESULT_REUSE_AUTH_RESULT_FAILED;
389 }
390 return RESULT_SUCCESS;
391 }
392
GetReuseUnlockResult(const ReuseUnlockParamHal * info,ReuseUnlockResult * reuseResult)393 IAM_STATIC ResultCode GetReuseUnlockResult(const ReuseUnlockParamHal *info, ReuseUnlockResult *reuseResult)
394 {
395 UnlockAuthResultCache authResultCache = {};
396 if (info->reuseUnlockResultMode == AUTH_TYPE_RELEVANT || info->reuseUnlockResultMode == AUTH_TYPE_IRRELEVANT) {
397 authResultCache = g_unlockAuthResult;
398 } else if (info->reuseUnlockResultMode == CALLER_IRRELEVANT_AUTH_TYPE_RELEVANT ||
399 info->reuseUnlockResultMode == CALLER_IRRELEVANT_AUTH_TYPE_IRRELEVANT) {
400 authResultCache = g_anyAuthResult;
401 }
402 uint64_t secureUid;
403 ResultCode ret = GetSecureUid(info->userId, &secureUid);
404 if (ret != RESULT_SUCCESS) {
405 LOG_ERROR("get secure uid failed");
406 return RESULT_GENERAL_ERROR;
407 }
408 if (secureUid != authResultCache.secureUid) {
409 LOG_ERROR("check secureUid failed");
410 return RESULT_GENERAL_ERROR;
411 }
412 ret = CheckReuseUnlockTokenValid(info, authResultCache);
413 if (ret != RESULT_SUCCESS) {
414 LOG_ERROR("check unlock token fail");
415 return ret;
416 }
417 *((UserAuthTokenHal *)reuseResult->token) = authResultCache.authToken;
418 reuseResult->authType = authResultCache.authToken.tokenDataPlain.authType;
419 ((UserAuthTokenHal *)reuseResult->token)->tokenDataPlain.authMode = SCHEDULE_MODE_REUSE_UNLOCK_AUTH_RESULT;
420 ((UserAuthTokenHal *)reuseResult->token)->tokenDataPlain.tokenType = TOKEN_TYPE_LOCAL_RESIGN;
421 if (memcpy_s(((UserAuthTokenHal *)reuseResult->token)->tokenDataPlain.challenge, CHALLENGE_LEN, info->challenge,
422 CHALLENGE_LEN) != EOK) {
423 LOG_ERROR("challenge copy failed");
424 return RESULT_BAD_COPY;
425 }
426 ret = GetEnrolledState(info->userId, reuseResult->authType, &reuseResult->enrolledState);
427 if (ret == RESULT_NOT_ENROLLED) {
428 LOG_ERROR("GetEnrolledState result not enrolled");
429 (void)memset_s(&reuseResult->enrolledState, sizeof(EnrolledStateHal), 0, sizeof(EnrolledStateHal));
430 ret = RESULT_SUCCESS;
431 }
432 return ret;
433 }
434
CheckReuseUnlockResultFunc(const ReuseUnlockParamHal * info,ReuseUnlockResult * reuseResult)435 ResultCode CheckReuseUnlockResultFunc(const ReuseUnlockParamHal *info, ReuseUnlockResult *reuseResult)
436 {
437 if (info == NULL || reuseResult == NULL || info->reuseUnlockResultDuration == 0 ||
438 info->reuseUnlockResultDuration > REUSED_UNLOCK_TOKEN_PERIOD ||
439 (info->reuseUnlockResultMode != AUTH_TYPE_RELEVANT && info->reuseUnlockResultMode != AUTH_TYPE_IRRELEVANT &&
440 info->reuseUnlockResultMode != CALLER_IRRELEVANT_AUTH_TYPE_RELEVANT &&
441 info->reuseUnlockResultMode != CALLER_IRRELEVANT_AUTH_TYPE_IRRELEVANT)) {
442 LOG_ERROR("CheckReuseUnlockResultFunc bad param");
443 return RESULT_BAD_PARAM;
444 }
445 ResultCode ret = GetReuseUnlockResult(info, reuseResult);
446 if (ret != RESULT_SUCCESS) {
447 LOG_ERROR("get reuse unlock result failed");
448 (void)memset_s(reuseResult, sizeof(ReuseUnlockResult), 0, sizeof(ReuseUnlockResult));
449 return ret;
450 }
451 ret = ReuseUnlockTokenSign((UserAuthTokenHal *)reuseResult->token);
452 if (ret != RESULT_SUCCESS) {
453 LOG_ERROR("reuse unlock token sign failed");
454 (void)memset_s(reuseResult, sizeof(ReuseUnlockResult), 0, sizeof(ReuseUnlockResult));
455 return ret;
456 }
457 return ret;
458 }
459
SetGlobalConfigParamFunc(GlobalConfigParamHal * param)460 ResultCode SetGlobalConfigParamFunc(GlobalConfigParamHal *param)
461 {
462 if (param == NULL || param->userIdNum > MAX_USER || param->authTypeNum > MAX_AUTH_TYPE_LEN ||
463 param->authTypeNum == 0 || (param->type != PIN_EXPIRED_PERIOD && param->type != ENABLE_STATUS)) {
464 LOG_ERROR("bad param");
465 return RESULT_BAD_PARAM;
466 }
467 ResultCode ret = SaveGlobalConfigParam(param);
468 if (ret != RESULT_SUCCESS) {
469 LOG_ERROR("Save globalConfigParam failed");
470 }
471 return ret;
472 }
473
GetAvailableStatusFunc(int32_t userId,int32_t authType,uint32_t authTrustLevel)474 ResultCode GetAvailableStatusFunc(int32_t userId, int32_t authType, uint32_t authTrustLevel)
475 {
476 if (!GetEnableStatus(userId, authType)) {
477 LOG_ERROR("authType is not support %{public}d", authType);
478 return RESULT_TYPE_NOT_SUPPORT;
479 }
480 ResultCode ret = CheckAtlByExecutorAndCred(userId, authType, authTrustLevel);
481 if (ret != RESULT_SUCCESS) {
482 LOG_ERROR("CheckAtlByExecutorAndCred failed");
483 return ret;
484 }
485
486 PinExpiredInfo expiredInfo = {};
487 ret = GetPinExpiredInfo(userId, &expiredInfo);
488 if (ret != RESULT_SUCCESS) {
489 LOG_ERROR("GetPinExpiredInfo failed");
490 return ret;
491 }
492 if (expiredInfo.pinExpiredPeriod == NO_CHECK_PIN_EXPIRED_PERIOD) {
493 LOG_ERROR("pinExpiredPeriod is not set");
494 return RESULT_SUCCESS;
495 }
496 uint64_t nowTime = GetReeTime();
497 if (nowTime > expiredInfo.pinExpiredPeriod + expiredInfo.pinEnrolledSysTime) {
498 LOG_ERROR("pin is expired");
499 return RESULT_PIN_EXPIRED;
500 }
501 return RESULT_SUCCESS;
502 }
503
GenerateScheduleFunc(const Buffer * tlv,Uint8Array remoteUdid,ScheduleInfoParam * scheduleInfo)504 ResultCode GenerateScheduleFunc(const Buffer *tlv, Uint8Array remoteUdid, ScheduleInfoParam *scheduleInfo)
505 {
506 if (!IsBufferValid(tlv) || IS_ARRAY_NULL(remoteUdid) || (scheduleInfo == NULL)) {
507 LOG_ERROR("param is invalid");
508 return RESULT_BAD_PARAM;
509 }
510 ResultCode result = CreateScheduleInfo(tlv, remoteUdid, scheduleInfo);
511 if (result != RESULT_SUCCESS) {
512 LOG_ERROR("CreateScheduleInfo failed");
513 }
514 return result;
515 }
516
GenerateAuthResultFunc(const Buffer * tlv,AuthResultParam * authResultInfo)517 ResultCode GenerateAuthResultFunc(const Buffer *tlv, AuthResultParam *authResultInfo)
518 {
519 if (!IsBufferValid(tlv) || (authResultInfo == NULL)) {
520 LOG_ERROR("param is invalid");
521 return RESULT_BAD_PARAM;
522 }
523 ResultCode result = CreateAuthResultInfo(tlv, authResultInfo);
524 if (result != RESULT_SUCCESS) {
525 LOG_ERROR("CreateAuthResultInfo failed");
526 }
527 return result;
528 }
529
GetExecutorInfoLinkedList(uint32_t authType,uint32_t executorRole,LinkedList * allExecutorInfoList)530 ResultCode GetExecutorInfoLinkedList(uint32_t authType, uint32_t executorRole, LinkedList *allExecutorInfoList)
531 {
532 IF_TRUE_LOGE_AND_RETURN_VAL(allExecutorInfoList == NULL, RESULT_BAD_PARAM);
533 uint8_t localUdidData[UDID_LEN] = { 0 };
534 Uint8Array localUdid = { localUdidData, UDID_LEN };
535 bool getLocalUdidRet = GetLocalUdid(&localUdid);
536 IF_TRUE_LOGE_AND_RETURN_VAL(!getLocalUdidRet, RESULT_GENERAL_ERROR);
537
538 ExecutorCondition condition = {};
539 SetExecutorConditionAuthType(&condition, authType);
540 SetExecutorConditionExecutorRole(&condition, executorRole);
541 SetExecutorConditionDeviceUdid(&condition, localUdid);
542
543 LinkedList *executorList = QueryExecutor(&condition);
544 if (executorList == NULL) {
545 LOG_ERROR("query executor failed");
546 return RESULT_UNKNOWN;
547 }
548 if (executorList->getSize(executorList) == 0) {
549 LOG_ERROR("executor is not found");
550 DestroyLinkedList(executorList);
551 return RESULT_TYPE_NOT_SUPPORT;
552 }
553 LinkedListNode *temp = executorList->head;
554 while (temp != NULL) {
555 ExecutorInfoHal *executorInfo = (ExecutorInfoHal *)temp->data;
556 if (executorInfo == NULL) {
557 LOG_ERROR("executorInfo is invalid");
558 DestroyLinkedList(executorList);
559 return RESULT_UNKNOWN;
560 }
561 ExecutorInfoHal *copiedExecutorInfo = CopyExecutorInfo(executorInfo);
562 if (executorInfo == NULL) {
563 LOG_ERROR("copiedExecutorInfo is invalid");
564 DestroyLinkedList(executorList);
565 return RESULT_UNKNOWN;
566 }
567 if (allExecutorInfoList->insert(allExecutorInfoList, copiedExecutorInfo) != RESULT_SUCCESS) {
568 LOG_ERROR("insert executor info failed");
569 DestroyLinkedList(executorList);
570 return RESULT_GENERAL_ERROR;
571 }
572 temp = temp->next;
573 }
574 DestroyLinkedList(executorList);
575 return RESULT_SUCCESS;
576 }
577
GetSignExecutorInfoFuncInner(Uint8Array peerUdid,LinkedList * executorList,Uint8Array executorInfoTlvMsg,Uint8Array * executorInfoArray,uint32_t executorInfoArraySize)578 static Buffer *GetSignExecutorInfoFuncInner(Uint8Array peerUdid, LinkedList *executorList,
579 Uint8Array executorInfoTlvMsg, Uint8Array *executorInfoArray, uint32_t executorInfoArraySize)
580 {
581 LinkedListNode *temp = executorList->head;
582 uint32_t index = 0;
583 while (temp != NULL) {
584 ExecutorInfoHal *executorInfo = (ExecutorInfoHal *)temp->data;
585 if (executorInfo == NULL) {
586 LOG_ERROR("executorInfo is invalid");
587 return NULL;
588 }
589 if (index >= executorInfoArraySize) {
590 LOG_ERROR("executor size is invalid");
591 return NULL;
592 }
593 ResultCode result = GetExecutorInfoMsg(executorInfo, &executorInfoArray[index]);
594 if (result != RESULT_SUCCESS) {
595 LOG_ERROR("get executor info msg fail");
596 return NULL;
597 }
598 index++;
599 temp = temp->next;
600 }
601 ResultCode result = GetMultiDataSerializedMsg(executorInfoArray, executorInfoArraySize, &executorInfoTlvMsg);
602 if (result != RESULT_SUCCESS) {
603 LOG_ERROR("GetMultiDataSerializedMsg failed");
604 return NULL;
605 }
606 return GetExecutorInfoTlv(executorInfoTlvMsg, peerUdid);
607 }
608
GetSignExecutorInfoFunc(Uint8Array peerUdid,LinkedList * executorList)609 Buffer *GetSignExecutorInfoFunc(Uint8Array peerUdid, LinkedList *executorList)
610 {
611 if (IS_ARRAY_NULL(peerUdid) || executorList == NULL) {
612 LOG_ERROR("params is null");
613 return NULL;
614 }
615 if (executorList->getSize(executorList) == 0) {
616 LOG_ERROR("executor is unregistered");
617 return NULL;
618 }
619 if (executorList->size > UINT32_MAX / sizeof(Uint8Array)) {
620 LOG_ERROR("invalid executorList size");
621 return NULL;
622 }
623
624 Uint8Array executorInfoTlvMsg = { Malloc(MAX_EXECUTOR_MSG_LEN), MAX_EXECUTOR_MSG_LEN };
625 IF_TRUE_LOGE_AND_RETURN_VAL(executorInfoTlvMsg.data == NULL, NULL);
626
627 Uint8Array executorInfoArray[executorList->size];
628 bool mallocOk = true;
629 for (uint32_t i = 0; i < executorList->size; i++) {
630 executorInfoArray[i] = (Uint8Array){ Malloc(MAX_EXECUTOR_MSG_LEN), MAX_EXECUTOR_MSG_LEN };
631 if (executorInfoArray[i].data == NULL) {
632 LOG_ERROR("malloc fail");
633 mallocOk = false;
634 continue;
635 }
636 }
637
638 Buffer *signedExecutorInfo = NULL;
639 if (mallocOk) {
640 signedExecutorInfo = GetSignExecutorInfoFuncInner(peerUdid, executorList,
641 executorInfoTlvMsg, executorInfoArray, executorList->size);
642 }
643
644 Free(executorInfoTlvMsg.data);
645 for (uint32_t i = 0; i < executorList->size; i++) {
646 Free(executorInfoArray[i].data);
647 }
648
649 return signedExecutorInfo;
650 }
651
DestroyAuthResult(AuthResult * authResult)652 void DestroyAuthResult(AuthResult *authResult)
653 {
654 if (authResult == NULL) {
655 return;
656 }
657 DestoryBuffer(authResult->rootSecret);
658 DestoryBuffer(authResult->remoteAuthResultMsg);
659 (void)memset_s(authResult, sizeof(AuthResult), 0, sizeof(AuthResult));
660 }