1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15 #include <stdint.h>
16 #include "securec.h"
17 #include "bsl_errno.h"
18 #include "auth_errno.h"
19 #include "auth_privpass_token.h"
20 #include "bsl_err_internal.h"
21 #include "bsl_sal.h"
22 #include "bsl_bytes.h"
23 #include "privpass_token.h"
24
DecodeTokenChallengeReq(PrivPass_TokenChallengeReq * tokenChallengeReq,const uint8_t * buffer,uint32_t buffLen)25 static int32_t DecodeTokenChallengeReq(PrivPass_TokenChallengeReq *tokenChallengeReq, const uint8_t *buffer,
26 uint32_t buffLen)
27 {
28 // Allocate memory for the new buffer
29 uint8_t *data = (uint8_t *)BSL_SAL_Dump(buffer, buffLen);
30 if (data == NULL) {
31 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
32 return BSL_DUMP_FAIL;
33 }
34 tokenChallengeReq->challengeReq = data;
35 tokenChallengeReq->challengeReqLen = buffLen;
36 return HITLS_AUTH_SUCCESS;
37 }
38
EncodeTokenChallengeReq(const PrivPass_TokenChallengeReq * tokenChallengeReq,uint8_t * buffer,uint32_t * buffLen)39 static int32_t EncodeTokenChallengeReq(const PrivPass_TokenChallengeReq *tokenChallengeReq, uint8_t *buffer,
40 uint32_t *buffLen)
41 {
42 if (tokenChallengeReq->challengeReqLen == 0) {
43 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE_REQ);
44 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE_REQ;
45 }
46 if (buffer == NULL) {
47 *buffLen = tokenChallengeReq->challengeReqLen;
48 return HITLS_AUTH_SUCCESS;
49 }
50 if (*buffLen < tokenChallengeReq->challengeReqLen) {
51 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
52 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
53 }
54 (void)memcpy_s(buffer, tokenChallengeReq->challengeReqLen, tokenChallengeReq->challengeReq,
55 tokenChallengeReq->challengeReqLen);
56 *buffLen = tokenChallengeReq->challengeReqLen;
57 return HITLS_AUTH_SUCCESS;
58 }
59
ValidateInitialParams(uint32_t remainLen)60 static int32_t ValidateInitialParams(uint32_t remainLen)
61 {
62 // MinLength: tokenType(2) + issuerNameLen(2) + redemptionLen(1) + originInfoLen(2)
63 if (remainLen < 2 + 2 + 1 + 2) {
64 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
65 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
66 }
67 return HITLS_AUTH_SUCCESS;
68 }
69
DecodeTokenTypeAndValidate(uint16_t * tokenType,const uint8_t ** curr,uint32_t * remainLen)70 static int32_t DecodeTokenTypeAndValidate(uint16_t *tokenType, const uint8_t **curr, uint32_t *remainLen)
71 {
72 *tokenType = BSL_ByteToUint16(*curr);
73 if (*tokenType != PRIVPASS_PUBLIC_VERIFY_TOKENTYPE) {
74 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE);
75 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE;
76 }
77 *curr += 2; // offset 2 bytes.
78 *remainLen -= 2;
79 return HITLS_AUTH_SUCCESS;
80 }
81
DecodeIssuerName(uint8_t ** issueName,uint32_t * issuerNameLen,const uint8_t ** curr,uint32_t * remainLen)82 static int32_t DecodeIssuerName(uint8_t **issueName, uint32_t *issuerNameLen, const uint8_t **curr, uint32_t *remainLen)
83 {
84 *issuerNameLen = (uint32_t)BSL_ByteToUint16(*curr);
85 *curr += 2; // offset 2 bytes.
86 *remainLen -= 2;
87
88 if (*issuerNameLen == 0 || *remainLen < *issuerNameLen) {
89 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
90 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
91 }
92
93 *issueName = BSL_SAL_Dump(*curr, *issuerNameLen);
94 if (*issueName == NULL) {
95 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
96 return BSL_DUMP_FAIL;
97 }
98
99 *curr += *issuerNameLen;
100 *remainLen -= *issuerNameLen;
101 return HITLS_AUTH_SUCCESS;
102 }
103
DecodeRedemption(uint8_t ** redemption,uint32_t * redemptionLen,const uint8_t ** curr,uint32_t * remainLen)104 static int32_t DecodeRedemption(uint8_t **redemption, uint32_t *redemptionLen, const uint8_t **curr,
105 uint32_t *remainLen)
106 {
107 if (*remainLen < 1) {
108 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
109 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
110 }
111
112 *redemptionLen = (uint32_t)**curr;
113 *curr += 1;
114 *remainLen -= 1;
115
116 if (*remainLen < *redemptionLen || (*redemptionLen != PRIVPASS_REDEMPTION_LEN && *redemptionLen != 0)) {
117 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
118 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
119 }
120
121 if (*redemptionLen != 0) {
122 *redemption = BSL_SAL_Dump(*curr, *redemptionLen);
123 if (*redemption == NULL) {
124 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
125 return BSL_DUMP_FAIL;
126 }
127 *curr += *redemptionLen;
128 *remainLen -= *redemptionLen;
129 }
130 return HITLS_AUTH_SUCCESS;
131 }
132
DecodeOriginInfo(uint8_t ** originInfo,uint32_t * originInfoLen,const uint8_t ** curr,uint32_t * remainLen)133 static int32_t DecodeOriginInfo(uint8_t **originInfo, uint32_t *originInfoLen, const uint8_t **curr,
134 uint32_t *remainLen)
135 {
136 if (*remainLen < 2) { // len needs 2 bytes to store.
137 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
138 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
139 }
140
141 *originInfoLen = (uint32_t)BSL_ByteToUint16(*curr);
142 *curr += 2; // offset 2 bytes.
143 *remainLen -= 2;
144 if (*remainLen != *originInfoLen) {
145 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
146 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
147 }
148
149 if (*originInfoLen > 0) {
150 *originInfo = BSL_SAL_Dump(*curr, *originInfoLen);
151 if (*originInfo == NULL) {
152 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
153 return BSL_DUMP_FAIL;
154 }
155 }
156 return HITLS_AUTH_SUCCESS;
157 }
158
DecodeTokenChallenge(PrivPass_TokenChallenge * challenge,const uint8_t * buffer,uint32_t buffLen)159 static int32_t DecodeTokenChallenge(PrivPass_TokenChallenge *challenge, const uint8_t *buffer, uint32_t buffLen)
160 {
161 int32_t ret = ValidateInitialParams(buffLen);
162 if (ret != HITLS_AUTH_SUCCESS) {
163 return ret;
164 }
165
166 const uint8_t *curr = buffer;
167 uint32_t remainLen = buffLen;
168 // Decode each component
169 ret = DecodeTokenTypeAndValidate(&challenge->tokenType, &curr, &remainLen);
170 if (ret != HITLS_AUTH_SUCCESS) {
171 return ret;
172 }
173 ret = DecodeIssuerName(&challenge->issuerName.data, &challenge->issuerName.dataLen, &curr, &remainLen);
174 if (ret != HITLS_AUTH_SUCCESS) {
175 return ret;
176 }
177 ret = DecodeRedemption(&challenge->redemption.data, &challenge->redemption.dataLen, &curr, &remainLen);
178 if (ret != HITLS_AUTH_SUCCESS) {
179 return ret;
180 }
181 return DecodeOriginInfo(&challenge->originInfo.data, &challenge->originInfo.dataLen, &curr, &remainLen);
182 }
183
CheckTokenChallengeParam(const PrivPass_TokenChallenge * challenge)184 static int32_t CheckTokenChallengeParam(const PrivPass_TokenChallenge *challenge)
185 {
186 if (challenge->issuerName.dataLen == 0 || challenge->issuerName.dataLen > PRIVPASS_MAX_ISSUER_NAME_LEN ||
187 challenge->originInfo.dataLen > PRIVPASS_MAX_ORIGIN_INFO_LEN ||
188 (challenge->redemption.dataLen != 0 && challenge->redemption.dataLen != PRIVPASS_REDEMPTION_LEN)) {
189 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
190 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
191 }
192 return HITLS_AUTH_SUCCESS;
193 }
194
EncodeTokenChallenge(const PrivPass_TokenChallenge * challenge,uint8_t * buffer,uint32_t * outBuffLen)195 static int32_t EncodeTokenChallenge(const PrivPass_TokenChallenge *challenge,
196 uint8_t *buffer, uint32_t *outBuffLen)
197 {
198 int32_t ret = CheckTokenChallengeParam(challenge);
199 if (ret != HITLS_AUTH_SUCCESS) {
200 return ret;
201 }
202 // 2(tokenType) + 2(issuerNameLen) + issuerName + 1(redemptionLen) + redemption + 2(originInfoLen) + originInfo
203 uint64_t totalLen = 2 + 2 + challenge->issuerName.dataLen + 1 + challenge->redemption.dataLen + 2 +
204 (uint64_t)challenge->originInfo.dataLen;
205 if (totalLen > UINT32_MAX) {
206 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE);
207 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_CHALLENGE;
208 }
209 if (buffer == NULL) {
210 *outBuffLen = (uint32_t)totalLen;
211 return HITLS_AUTH_SUCCESS;
212 }
213 if (*outBuffLen < (uint32_t)totalLen) {
214 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
215 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
216 }
217
218 uint8_t *curr = buffer;
219 BSL_Uint16ToByte(challenge->tokenType, curr); // Write tokenType (2 bytes)
220 BSL_Uint16ToByte((uint16_t)challenge->issuerName.dataLen, curr + 2); // Write IssuerName length (2 bytes) and data
221 curr += 4; // offset 4 bytes.
222
223 if (challenge->issuerName.dataLen > 0 && challenge->issuerName.data != NULL) {
224 (void)memcpy_s(curr, challenge->issuerName.dataLen, challenge->issuerName.data,
225 challenge->issuerName.dataLen);
226 curr += challenge->issuerName.dataLen;
227 }
228
229 // Write redemptionContext (1 byte)
230 *curr++ = (uint8_t)challenge->redemption.dataLen;
231 if (challenge->redemption.dataLen > 0 && challenge->redemption.data != NULL) {
232 (void)memcpy_s(curr, challenge->redemption.dataLen, challenge->redemption.data,
233 challenge->redemption.dataLen);
234 curr += challenge->redemption.dataLen;
235 }
236
237 // Write originInfo length (2 bytes) and data
238 BSL_Uint16ToByte((uint16_t)challenge->originInfo.dataLen, curr);
239 curr += 2; // offset 2 bytes.
240 if (challenge->originInfo.dataLen > 0 && challenge->originInfo.data != NULL) {
241 (void)memcpy_s(curr, challenge->originInfo.dataLen, challenge->originInfo.data,
242 challenge->originInfo.dataLen);
243 }
244 *outBuffLen = (uint32_t)totalLen;
245 return HITLS_AUTH_SUCCESS;
246 }
247
ObtainAuthenticatorLen(uint16_t tokenType)248 static uint32_t ObtainAuthenticatorLen(uint16_t tokenType)
249 {
250 if (tokenType == PRIVPASS_PUBLIC_VERIFY_TOKENTYPE) {
251 return (uint32_t)PRIVPASS_TOKEN_NK;
252 }
253 return 0;
254 }
255
DecodeTokenRequest(PrivPass_TokenRequest * tokenRequest,const uint8_t * buffer,uint32_t buffLen)256 static int32_t DecodeTokenRequest(PrivPass_TokenRequest *tokenRequest, const uint8_t *buffer, uint32_t buffLen)
257 {
258 // Check minimum length for tokenType (2 bytes)
259 if (buffLen < 2) {
260 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
261 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
262 }
263
264 // Decode and verify tokenType first (2 bytes, network byte order)
265 uint16_t tokenType = BSL_ByteToUint16(buffer);
266 if (tokenType != PRIVPASS_PUBLIC_VERIFY_TOKENTYPE) {
267 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_REQUEST);
268 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_REQUEST;
269 }
270 uint32_t blindedMsgLen = ObtainAuthenticatorLen(tokenType);
271 // Now check the complete buffer length: 2(tokenType) + 1(truncatedTokenKeyId) + blindedMsgLen
272 if (buffLen != (2 + 1 + blindedMsgLen)) {
273 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
274 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
275 }
276
277 int32_t offset = 2; // Skip tokenType which we've already processed
278 // Decode truncatedTokenKeyId (1 byte)
279 uint8_t truncatedTokenKeyId = buffer[offset++];
280
281 // Decode blindedMsg
282 uint8_t *blindedMsg = (uint8_t *)BSL_SAL_Dump(buffer + offset, blindedMsgLen);
283 if (blindedMsg == NULL) {
284 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
285 return BSL_DUMP_FAIL;
286 }
287 tokenRequest->tokenType = tokenType;
288 tokenRequest->blindedMsg.data = blindedMsg;
289 tokenRequest->blindedMsg.dataLen = blindedMsgLen;
290 tokenRequest->truncatedTokenKeyId = truncatedTokenKeyId;
291 return HITLS_AUTH_SUCCESS;
292 }
293
CheckTokenRequest(const PrivPass_TokenRequest * request)294 static int32_t CheckTokenRequest(const PrivPass_TokenRequest *request)
295 {
296 if (request->tokenType == PRIVPASS_PUBLIC_VERIFY_TOKENTYPE &&
297 (request->blindedMsg.data != NULL && request->blindedMsg.dataLen == PRIVPASS_TOKEN_NK)) {
298 return HITLS_AUTH_SUCCESS;
299 }
300 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_REQUEST);
301 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_REQUEST;
302 }
303
EncodeTokenRequest(const PrivPass_TokenRequest * request,uint8_t * buffer,uint32_t * outBuffLen)304 static int32_t EncodeTokenRequest(const PrivPass_TokenRequest *request, uint8_t *buffer, uint32_t *outBuffLen)
305 {
306 // Verify tokenType
307 int32_t ret = CheckTokenRequest(request);
308 if (ret != HITLS_AUTH_SUCCESS) {
309 return ret;
310 }
311 uint32_t authenticatorLen = ObtainAuthenticatorLen(request->tokenType);
312 // Calculate total length: 2(tokenType) + 1(truncatedTokenKeyId) + (blindedMsg)
313 uint32_t totalLen = 2 + 1 + authenticatorLen;
314 if (buffer == NULL) {
315 *outBuffLen = totalLen;
316 return HITLS_AUTH_SUCCESS;
317 }
318 if (*outBuffLen < totalLen) {
319 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
320 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
321 }
322
323 // Encode data
324 int32_t offset = 0;
325 // Encode tokenType (2 bytes, network byte order)
326 BSL_Uint16ToByte(request->tokenType, buffer);
327 offset += 2; // offset 2 bytes.
328 // Encode truncatedTokenKeyId (1 byte)
329 buffer[offset++] = request->truncatedTokenKeyId;
330 // Encode blindedMsg
331 (void)memcpy_s(buffer + offset, authenticatorLen, request->blindedMsg.data, authenticatorLen);
332 *outBuffLen = totalLen;
333 return HITLS_AUTH_SUCCESS;
334 }
335
DecodePubTokenResp(PrivPass_TokenResponse * tokenResp,const uint8_t * buffer,uint32_t buffLen)336 static int32_t DecodePubTokenResp(PrivPass_TokenResponse *tokenResp, const uint8_t *buffer, uint32_t buffLen)
337 {
338 // Allocate memory for the new buffer
339 tokenResp->st.pubResp.blindSig = (uint8_t *)BSL_SAL_Dump(buffer, buffLen);
340 if (tokenResp->st.pubResp.blindSig == NULL) {
341 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
342 return BSL_DUMP_FAIL;
343 }
344
345 tokenResp->st.pubResp.blindSigLen = buffLen;
346 tokenResp->type = HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE_PUB;
347 return HITLS_AUTH_SUCCESS;
348 }
349
DecodeTokenResp(PrivPass_TokenResponse * tokenResp,const uint8_t * buffer,uint32_t buffLen)350 static int32_t DecodeTokenResp(PrivPass_TokenResponse *tokenResp, const uint8_t *buffer, uint32_t buffLen)
351 {
352 if (buffLen == PRIVPASS_TOKEN_NK) {
353 return DecodePubTokenResp(tokenResp, buffer, buffLen);
354 }
355 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE);
356 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE;
357 }
358
EncodeTokenPubResp(const PrivPass_TokenPubResponse * resp,uint8_t * buffer,uint32_t * buffLen)359 static int32_t EncodeTokenPubResp(const PrivPass_TokenPubResponse *resp, uint8_t *buffer, uint32_t *buffLen)
360 {
361 if (resp->blindSig == NULL || resp->blindSigLen != PRIVPASS_TOKEN_NK) {
362 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_RESPONSE);
363 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_RESPONSE;
364 }
365 if (buffer == NULL) {
366 *buffLen = resp->blindSigLen;
367 return HITLS_AUTH_SUCCESS;
368 }
369 // Check buffer length
370 if (*buffLen < resp->blindSigLen) {
371 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
372 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
373 }
374
375 // Copy token data to buffer
376 (void)memcpy_s(buffer, resp->blindSigLen, resp->blindSig, resp->blindSigLen);
377 *buffLen = resp->blindSigLen;
378 return HITLS_AUTH_SUCCESS;
379 }
380
EncodeTokenResp(const PrivPass_TokenResponse * resp,uint8_t * buffer,uint32_t * buffLen)381 static int32_t EncodeTokenResp(const PrivPass_TokenResponse *resp, uint8_t *buffer, uint32_t *buffLen)
382 {
383 if (resp->type == HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE_PUB) {
384 return EncodeTokenPubResp(&resp->st.pubResp, buffer, buffLen);
385 }
386 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_RESPONSE);
387 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_RESPONSE;
388 }
389
CheckToken(const PrivPass_TokenInstance * token)390 static int32_t CheckToken(const PrivPass_TokenInstance *token)
391 {
392 if (token->tokenType == PRIVPASS_PUBLIC_VERIFY_TOKENTYPE &&
393 (token->authenticator.data != NULL && token->authenticator.dataLen == PRIVPASS_TOKEN_NK)) {
394 return HITLS_AUTH_SUCCESS;
395 }
396 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_INSTANCE);
397 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_INSTANCE;
398 }
399
EncodeToken(const PrivPass_TokenInstance * token,uint8_t * buffer,uint32_t * outBuffLen)400 static int32_t EncodeToken(const PrivPass_TokenInstance *token, uint8_t *buffer, uint32_t *outBuffLen)
401 {
402 // Verify tokenType
403 int32_t ret = CheckToken(token);
404 if (ret != HITLS_AUTH_SUCCESS) {
405 return ret;
406 }
407 // Calculate total length: 2(tokenType) + 32(nonce) + 32(challengeDigest) + 32(tokenKeyId) + authenticatorLen
408 uint32_t totalLen = 2 + PRIVPASS_TOKEN_NONCE_LEN + PRIVPASS_TOKEN_SHA256_SIZE + PRIVPASS_TOKEN_SHA256_SIZE +
409 token->authenticator.dataLen;
410 if (buffer == NULL) {
411 *outBuffLen = totalLen;
412 return HITLS_AUTH_SUCCESS;
413 }
414 if (*outBuffLen < totalLen) {
415 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
416 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
417 }
418
419 int32_t offset = 0;
420
421 // Encode tokenType (network byte order)
422 BSL_Uint16ToByte(token->tokenType, buffer);
423 offset += 2; // offset 2 bytes.
424 // Encode nonce
425 (void)memcpy_s(buffer + offset, PRIVPASS_TOKEN_NONCE_LEN, token->nonce, PRIVPASS_TOKEN_NONCE_LEN);
426 offset += PRIVPASS_TOKEN_NONCE_LEN;
427
428 // Encode challengeDigest
429 (void)memcpy_s(buffer + offset, PRIVPASS_TOKEN_SHA256_SIZE, token->challengeDigest, PRIVPASS_TOKEN_SHA256_SIZE);
430 offset += PRIVPASS_TOKEN_SHA256_SIZE;
431
432 // Encode tokenKeyId
433 (void)memcpy_s(buffer + offset, PRIVPASS_TOKEN_SHA256_SIZE, token->tokenKeyId, PRIVPASS_TOKEN_SHA256_SIZE);
434 offset += PRIVPASS_TOKEN_SHA256_SIZE;
435
436 // Encode authenticator
437 (void)memcpy_s(buffer + offset, token->authenticator.dataLen, token->authenticator.data,
438 token->authenticator.dataLen);
439
440 *outBuffLen = totalLen;
441 return HITLS_AUTH_SUCCESS;
442 }
443
DecodeToken(PrivPass_TokenInstance * token,const uint8_t * buffer,uint32_t buffLen)444 static int32_t DecodeToken(PrivPass_TokenInstance *token, const uint8_t *buffer, uint32_t buffLen)
445 {
446 // First check if there are enough bytes to read tokenType(2 bytes).
447 if (buffLen < 2) {
448 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
449 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
450 }
451
452 // Decode and verify tokenType first (network byte order)
453 uint16_t tokenType = BSL_ByteToUint16(buffer);
454 if (tokenType != PRIVPASS_PUBLIC_VERIFY_TOKENTYPE) {
455 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE);
456 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE;
457 }
458 token->tokenType = tokenType;
459 uint32_t authenticatorLen = ObtainAuthenticatorLen(tokenType);
460 // Calculate total length: 2(tokenType) + 32(nonce) + 32(challengeDigest) + 32(tokenKeyId) + authenticatorLen
461 if (buffLen != (2 + PRIVPASS_TOKEN_NONCE_LEN + PRIVPASS_TOKEN_SHA256_SIZE + PRIVPASS_TOKEN_SHA256_SIZE +
462 authenticatorLen)) {
463 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
464 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
465 }
466
467 int32_t offset = 2; // Skip tokenType which we've already read
468 // Decode nonce
469 (void)memcpy_s(token->nonce, PRIVPASS_TOKEN_NONCE_LEN, buffer + offset, PRIVPASS_TOKEN_NONCE_LEN);
470 offset += PRIVPASS_TOKEN_NONCE_LEN;
471
472 // Decode challengeDigest
473 (void)memcpy_s(token->challengeDigest, PRIVPASS_TOKEN_SHA256_SIZE, buffer + offset, PRIVPASS_TOKEN_SHA256_SIZE);
474 offset += PRIVPASS_TOKEN_SHA256_SIZE;
475
476 // Decode tokenKeyId
477 (void)memcpy_s(token->tokenKeyId, PRIVPASS_TOKEN_SHA256_SIZE, buffer + offset, PRIVPASS_TOKEN_SHA256_SIZE);
478 offset += PRIVPASS_TOKEN_SHA256_SIZE;
479
480 // Decode authenticator
481 token->authenticator.data = (uint8_t *)BSL_SAL_Dump(buffer + offset, authenticatorLen);
482 if (token->authenticator.data == NULL) {
483 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
484 return BSL_DUMP_FAIL;
485 }
486 token->authenticator.dataLen = authenticatorLen;
487 return HITLS_AUTH_SUCCESS;
488 }
489
CheckDeserializationInput(int32_t tokenType,const uint8_t * buffer,uint32_t buffLen,HITLS_AUTH_PrivPassToken ** object)490 static int32_t CheckDeserializationInput(int32_t tokenType, const uint8_t *buffer, uint32_t buffLen,
491 HITLS_AUTH_PrivPassToken **object)
492 {
493 if (buffer == NULL || buffLen == 0 || object == NULL || *object != NULL) {
494 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
495 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
496 }
497 switch (tokenType) {
498 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE_REQUEST:
499 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE:
500 case HITLS_AUTH_PRIVPASS_TOKEN_REQUEST:
501 case HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE:
502 case HITLS_AUTH_PRIVPASS_TOKEN_INSTANCE:
503 return HITLS_AUTH_SUCCESS;
504 default:
505 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE);
506 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE;
507 }
508 }
509
HITLS_AUTH_PrivPassDeserialization(HITLS_AUTH_PrivPassCtx * ctx,int32_t tokenType,const uint8_t * buffer,uint32_t buffLen,HITLS_AUTH_PrivPassToken ** object)510 int32_t HITLS_AUTH_PrivPassDeserialization(HITLS_AUTH_PrivPassCtx *ctx, int32_t tokenType, const uint8_t *buffer,
511 uint32_t buffLen, HITLS_AUTH_PrivPassToken **object)
512 {
513 (void)ctx;
514 int32_t ret = CheckDeserializationInput(tokenType, buffer, buffLen, object);
515 if (ret != HITLS_AUTH_SUCCESS) {
516 return ret;
517 }
518 // Allocate the token object
519 HITLS_AUTH_PrivPassToken *output = HITLS_AUTH_PrivPassNewToken(tokenType);
520 if (output == NULL) {
521 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
522 return BSL_MALLOC_FAIL;
523 }
524
525 switch (tokenType) {
526 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE_REQUEST:
527 ret = DecodeTokenChallengeReq(output->st.tokenChallengeReq, buffer, buffLen);
528 break;
529 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE:
530 ret = DecodeTokenChallenge(output->st.tokenChallenge, buffer, buffLen);
531 break;
532 case HITLS_AUTH_PRIVPASS_TOKEN_REQUEST:
533 ret = DecodeTokenRequest(output->st.tokenRequest, buffer, buffLen);
534 break;
535 case HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE:
536 ret = DecodeTokenResp(output->st.tokenResponse, buffer, buffLen);
537 break;
538 case HITLS_AUTH_PRIVPASS_TOKEN_INSTANCE:
539 ret = DecodeToken(output->st.token, buffer, buffLen);
540 break;
541 default:
542 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE);
543 ret = HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE;
544 break;
545 }
546
547 if (ret != HITLS_AUTH_SUCCESS) {
548 HITLS_AUTH_PrivPassFreeToken(output);
549 return ret;
550 }
551
552 *object = output;
553 return HITLS_AUTH_SUCCESS;
554 }
555
HITLS_AUTH_PrivPassSerialization(HITLS_AUTH_PrivPassCtx * ctx,const HITLS_AUTH_PrivPassToken * object,uint8_t * buffer,uint32_t * outBuffLen)556 int32_t HITLS_AUTH_PrivPassSerialization(HITLS_AUTH_PrivPassCtx *ctx, const HITLS_AUTH_PrivPassToken *object,
557 uint8_t *buffer, uint32_t *outBuffLen)
558 {
559 (void)ctx;
560 if (object == NULL || outBuffLen == NULL) {
561 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
562 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
563 }
564 switch (object->type) {
565 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE_REQUEST:
566 return EncodeTokenChallengeReq(object->st.tokenChallengeReq, buffer, outBuffLen);
567 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE:
568 return EncodeTokenChallenge(object->st.tokenChallenge, buffer, outBuffLen);
569 case HITLS_AUTH_PRIVPASS_TOKEN_REQUEST:
570 return EncodeTokenRequest(object->st.tokenRequest, buffer, outBuffLen);
571 case HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE:
572 return EncodeTokenResp(object->st.tokenResponse, buffer, outBuffLen);
573 case HITLS_AUTH_PRIVPASS_TOKEN_INSTANCE:
574 return EncodeToken(object->st.token, buffer, outBuffLen);
575 default:
576 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE);
577 return HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE;
578 }
579 }
580
HITLS_AUTH_PrivPassNewToken(int32_t tokenType)581 HITLS_AUTH_PrivPassToken *HITLS_AUTH_PrivPassNewToken(int32_t tokenType)
582 {
583 HITLS_AUTH_PrivPassToken *object = (HITLS_AUTH_PrivPassToken *)BSL_SAL_Calloc(1u, sizeof(HITLS_AUTH_PrivPassToken));
584 if (object == NULL) {
585 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
586 return NULL;
587 }
588 switch (tokenType) {
589 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE_REQUEST:
590 object->st.tokenChallengeReq = (PrivPass_TokenChallengeReq *)BSL_SAL_Calloc(1u,
591 sizeof(PrivPass_TokenChallengeReq));
592 if (object->st.tokenChallengeReq == NULL) {
593 goto ERR;
594 }
595 break;
596 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE:
597 object->st.tokenChallenge = (PrivPass_TokenChallenge *)BSL_SAL_Calloc(1u, sizeof(PrivPass_TokenChallenge));
598 if (object->st.tokenChallenge == NULL) {
599 goto ERR;
600 }
601 break;
602 case HITLS_AUTH_PRIVPASS_TOKEN_REQUEST:
603 object->st.tokenRequest = (PrivPass_TokenRequest *)BSL_SAL_Calloc(1u, sizeof(PrivPass_TokenRequest));
604 if (object->st.tokenRequest == NULL) {
605 goto ERR;
606 }
607 break;
608 case HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE:
609 object->st.tokenResponse = (PrivPass_TokenResponse *)BSL_SAL_Calloc(1u, sizeof(PrivPass_TokenResponse));
610 if (object->st.tokenResponse == NULL) {
611 goto ERR;
612 }
613 break;
614 case HITLS_AUTH_PRIVPASS_TOKEN_INSTANCE:
615 object->st.token = (PrivPass_TokenInstance *)BSL_SAL_Calloc(1u, sizeof(PrivPass_TokenInstance));
616 if (object->st.token == NULL) {
617 goto ERR;
618 }
619 break;
620 default:
621 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOKEN_TYPE);
622 BSL_SAL_Free(object);
623 return NULL;
624 }
625 object->type = tokenType;
626 return object;
627 ERR:
628 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
629 BSL_SAL_Free(object);
630 return NULL;
631 }
632
FreeTokenChallengeReq(PrivPass_TokenChallengeReq * challengeReq)633 static void FreeTokenChallengeReq(PrivPass_TokenChallengeReq *challengeReq)
634 {
635 if (challengeReq == NULL) {
636 return;
637 }
638 BSL_SAL_FREE(challengeReq->challengeReq);
639 BSL_SAL_Free(challengeReq);
640 }
641
FreeTokenChallenge(PrivPass_TokenChallenge * challenge)642 static void FreeTokenChallenge(PrivPass_TokenChallenge *challenge)
643 {
644 if (challenge == NULL) {
645 return;
646 }
647 BSL_SAL_FREE(challenge->issuerName.data);
648 BSL_SAL_FREE(challenge->originInfo.data);
649 BSL_SAL_FREE(challenge->redemption.data);
650 BSL_SAL_Free(challenge);
651 }
652
FreeTokenResponse(PrivPass_TokenResponse * response)653 static void FreeTokenResponse(PrivPass_TokenResponse *response)
654 {
655 if (response == NULL) {
656 return;
657 }
658 if (response->type == HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE_PUB) {
659 BSL_SAL_FREE(response->st.pubResp.blindSig);
660 }
661 BSL_SAL_Free(response);
662 }
663
FreeTokenRequest(PrivPass_TokenRequest * request)664 static void FreeTokenRequest(PrivPass_TokenRequest *request)
665 {
666 if (request == NULL) {
667 return;
668 }
669 BSL_SAL_FREE(request->blindedMsg.data);
670 BSL_SAL_Free(request);
671 }
672
FreeToken(PrivPass_TokenInstance * token)673 static void FreeToken(PrivPass_TokenInstance *token)
674 {
675 if (token == NULL) {
676 return;
677 }
678 BSL_SAL_FREE(token->authenticator.data);
679 BSL_SAL_Free(token);
680 }
681
HITLS_AUTH_PrivPassFreeToken(HITLS_AUTH_PrivPassToken * object)682 void HITLS_AUTH_PrivPassFreeToken(HITLS_AUTH_PrivPassToken *object)
683 {
684 if (object == NULL) {
685 return;
686 }
687 switch (object->type) {
688 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE_REQUEST:
689 FreeTokenChallengeReq(object->st.tokenChallengeReq);
690 break;
691 case HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE:
692 FreeTokenChallenge(object->st.tokenChallenge);
693 break;
694 case HITLS_AUTH_PRIVPASS_TOKEN_REQUEST:
695 FreeTokenRequest(object->st.tokenRequest);
696 break;
697 case HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE:
698 FreeTokenResponse(object->st.tokenResponse);
699 break;
700 case HITLS_AUTH_PRIVPASS_TOKEN_INSTANCE:
701 FreeToken(object->st.token);
702 break;
703 default:
704 break;
705 }
706 BSL_SAL_Free(object);
707 }
708
HITLS_AUTH_PrivPassNewCtx(int32_t protocolType)709 HITLS_AUTH_PrivPassCtx *HITLS_AUTH_PrivPassNewCtx(int32_t protocolType)
710 {
711 if (protocolType != HITLS_AUTH_PRIVPASS_PUB_VERIFY_TOKENS) {
712 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_TOEKN_PROTOCOL_TYPE);
713 return NULL;
714 }
715 HITLS_AUTH_PrivPassCtx *ctx = (HITLS_AUTH_PrivPassCtx *)BSL_SAL_Calloc(1u, sizeof(HITLS_AUTH_PrivPassCtx));
716 if (ctx == NULL) {
717 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
718 return NULL;
719 }
720 ctx->method = PrivPassCryptPubCb();
721 return ctx;
722 }
723
HITLS_AUTH_PrivPassFreeCtx(HITLS_AUTH_PrivPassCtx * ctx)724 void HITLS_AUTH_PrivPassFreeCtx(HITLS_AUTH_PrivPassCtx *ctx)
725 {
726 if (ctx == NULL) {
727 return;
728 }
729 if (ctx->method.freePkeyCtx != NULL) {
730 if (ctx->prvKeyCtx != NULL) {
731 ctx->method.freePkeyCtx(ctx->prvKeyCtx);
732 }
733 if (ctx->pubKeyCtx != NULL) {
734 ctx->method.freePkeyCtx(ctx->pubKeyCtx);
735 }
736 }
737 BSL_SAL_Free(ctx);
738 }
739
HITLS_AUTH_PrivPassSetCryptCb(HITLS_AUTH_PrivPassCtx * ctx,int32_t cbType,void * cryptCb)740 int32_t HITLS_AUTH_PrivPassSetCryptCb(HITLS_AUTH_PrivPassCtx *ctx, int32_t cbType, void *cryptCb)
741 {
742 if (ctx == NULL || cryptCb == NULL) {
743 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
744 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
745 }
746 switch (cbType) {
747 case HITLS_AUTH_PRIVPASS_NEW_PKEY_CTX_CB:
748 ctx->method.newPkeyCtx = (HITLS_AUTH_PrivPassNewPkeyCtx)cryptCb;
749 break;
750 case HITLS_AUTH_PRIVPASS_FREE_PKEY_CTX_CB:
751 ctx->method.freePkeyCtx = (HITLS_AUTH_PrivPassFreePkeyCtx)cryptCb;
752 break;
753 case HITLS_AUTH_PRIVPASS_DIGEST_CB:
754 ctx->method.digest = (HITLS_AUTH_PrivPassDigest)cryptCb;
755 break;
756 case HITLS_AUTH_PRIVPASS_BLIND_CB:
757 ctx->method.blind = (HITLS_AUTH_PrivPassBlind)cryptCb;
758 break;
759 case HITLS_AUTH_PRIVPASS_UNBLIND_CB:
760 ctx->method.unBlind = (HITLS_AUTH_PrivPassUnblind)cryptCb;
761 break;
762 case HITLS_AUTH_PRIVPASS_SIGNDATA_CB:
763 ctx->method.signData = (HITLS_AUTH_PrivPassSignData)cryptCb;
764 break;
765 case HITLS_AUTH_PRIVPASS_VERIFY_CB:
766 ctx->method.verify = (HITLS_AUTH_PrivPassVerify)cryptCb;
767 break;
768 case HITLS_AUTH_PRIVPASS_DECODE_PUBKEY_CB:
769 ctx->method.decodePubKey = (HITLS_AUTH_PrivPassDecodePubKey)cryptCb;
770 break;
771 case HITLS_AUTH_PRIVPASS_DECODE_PRVKEY_CB:
772 ctx->method.decodePrvKey = (HITLS_AUTH_PrivPassDecodePrvKey)cryptCb;
773 break;
774 case HITLS_AUTH_PRIVPASS_CHECK_KEYPAIR_CB:
775 ctx->method.checkKeyPair = (HITLS_AUTH_PrivPassCheckKeyPair)cryptCb;
776 break;
777 case HITLS_AUTH_PRIVPASS_RANDOM_CB:
778 ctx->method.random = (HITLS_AUTH_PrivPassRandom)cryptCb;
779 break;
780 default:
781 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_CRYPTO_CALLBACK_TYPE);
782 return HITLS_AUTH_PRIVPASS_INVALID_CRYPTO_CALLBACK_TYPE;
783 }
784 return HITLS_AUTH_SUCCESS;
785 }
786
PrivPassGetTokenChallengeRequest(HITLS_AUTH_PrivPassToken * ctx,BSL_Param * param)787 static int32_t PrivPassGetTokenChallengeRequest(HITLS_AUTH_PrivPassToken *ctx, BSL_Param *param)
788 {
789 if (param == NULL || ctx->type != HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE_REQUEST ||
790 ctx->st.tokenChallengeReq == NULL) {
791 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
792 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
793 }
794 if (ctx->st.tokenChallengeReq->challengeReq == NULL || ctx->st.tokenChallengeReq->challengeReqLen == 0) {
795 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_NO_TOKEN_CHALLENGE_REQUEST);
796 return HITLS_AUTH_PRIVPASS_NO_TOKEN_CHALLENGE_REQUEST;
797 }
798 BSL_Param *output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_TOKENCHALLENGE_REQUEST);
799 if (output == NULL || output->valueType != BSL_PARAM_TYPE_OCTETS_PTR) {
800 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
801 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
802 }
803 if (output->valueLen < ctx->st.tokenChallengeReq->challengeReqLen) {
804 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
805 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
806 }
807 (void)memcpy_s(output->value, output->valueLen, ctx->st.tokenChallengeReq->challengeReq,
808 ctx->st.tokenChallengeReq->challengeReqLen);
809 output->useLen = ctx->st.tokenChallengeReq->challengeReqLen;
810 return HITLS_AUTH_SUCCESS;
811 }
812
GetTokenChallengeContent(PrivPass_TokenChallenge * challenge,BSL_Param * param,int32_t target,uint8_t * targetBuff,uint32_t targetLen)813 static int32_t GetTokenChallengeContent(PrivPass_TokenChallenge *challenge, BSL_Param *param, int32_t target,
814 uint8_t *targetBuff, uint32_t targetLen)
815 {
816 BSL_Param *output = BSL_PARAM_FindParam(param, target);
817 if (target == AUTH_PARAM_PRIVPASS_TOKENCHALLENGE_TYPE) {
818 if (output != NULL && output->valueType == BSL_PARAM_TYPE_UINT16) {
819 return BSL_PARAM_SetValue(output, target, BSL_PARAM_TYPE_UINT16, &challenge->tokenType, targetLen);
820 }
821 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
822 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
823 }
824 if (output == NULL || output->valueType != BSL_PARAM_TYPE_OCTETS_PTR) {
825 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
826 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
827 }
828 if (output->valueLen < targetLen) {
829 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
830 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
831 }
832 (void)memcpy_s(output->value, output->valueLen, targetBuff, targetLen);
833 output->useLen = targetLen;
834 return HITLS_AUTH_SUCCESS;
835 }
836
PrivPassGetTokenChallengeContent(HITLS_AUTH_PrivPassToken * obj,int32_t cmd,BSL_Param * param)837 static int32_t PrivPassGetTokenChallengeContent(HITLS_AUTH_PrivPassToken *obj, int32_t cmd, BSL_Param *param)
838 {
839 if (param == NULL || obj->type != HITLS_AUTH_PRIVPASS_TOKEN_CHALLENGE || obj->st.tokenChallenge == NULL) {
840 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
841 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
842 }
843 PrivPass_TokenChallenge *challenge = obj->st.tokenChallenge;
844 int32_t target = 0;
845 uint8_t *targetBuff = 0;
846 uint32_t targetLen = 0;
847 switch (cmd) {
848 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGE_TYPE:
849 target = AUTH_PARAM_PRIVPASS_TOKENCHALLENGE_TYPE;
850 targetLen = (uint32_t)sizeof(challenge->tokenType);
851 break;
852 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGE_ISSUERNAME:
853 if (challenge->issuerName.data == NULL || challenge->issuerName.dataLen == 0) {
854 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_NO_ISSUERNAME);
855 return HITLS_AUTH_PRIVPASS_NO_ISSUERNAME;
856 }
857 target = AUTH_PARAM_PRIVPASS_TOKENCHALLENGE_ISSUERNAME;
858 targetBuff = challenge->issuerName.data;
859 targetLen = challenge->issuerName.dataLen;
860 break;
861 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGE_REDEMPTION:
862 target = AUTH_PARAM_PRIVPASS_TOKENCHALLENGE_REDEMPTION;
863 targetBuff = challenge->redemption.data; // the redemption can be null
864 targetLen = challenge->redemption.dataLen;
865 break;
866 default:
867 target = AUTH_PARAM_PRIVPASS_TOKENCHALLENGE_ORIGININFO;
868 targetBuff = challenge->originInfo.data; // the originInfo can be null
869 targetLen = challenge->originInfo.dataLen;
870 break;
871 }
872 return GetTokenChallengeContent(challenge, param, target, targetBuff, targetLen);
873 }
874
PrivPassGetTokenRequestContent(HITLS_AUTH_PrivPassToken * obj,int32_t cmd,BSL_Param * param)875 static int32_t PrivPassGetTokenRequestContent(HITLS_AUTH_PrivPassToken *obj, int32_t cmd, BSL_Param *param)
876 {
877 if (param == NULL || obj->type != HITLS_AUTH_PRIVPASS_TOKEN_REQUEST || obj->st.tokenRequest == NULL) {
878 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
879 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
880 }
881 PrivPass_TokenRequest *request = obj->st.tokenRequest;
882 BSL_Param *output = NULL;
883 switch (cmd) {
884 case HITLS_AUTH_PRIVPASS_GET_TOKENREQUEST_TYPE:
885 output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_TOKENREQUEST_TYPE);
886 if (output != NULL && output->valueType == BSL_PARAM_TYPE_UINT16) {
887 return BSL_PARAM_SetValue(output, AUTH_PARAM_PRIVPASS_TOKENREQUEST_TYPE, BSL_PARAM_TYPE_UINT16,
888 &request->tokenType, (uint32_t)sizeof(request->tokenType));
889 }
890 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
891 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
892 case HITLS_AUTH_PRIVPASS_GET_TOKENREQUEST_TRUNCATEDTOKENKEYID:
893 output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_TOKENREQUEST_TRUNCATEDTOKENKEYID);
894 if (output != NULL && output->valueType == BSL_PARAM_TYPE_UINT8) {
895 return BSL_PARAM_SetValue(output, AUTH_PARAM_PRIVPASS_TOKENREQUEST_TRUNCATEDTOKENKEYID,
896 BSL_PARAM_TYPE_UINT8, &request->truncatedTokenKeyId, 1); // 1 byte.
897 }
898 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
899 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
900 default:
901 output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_TOKENREQUEST_BLINDEDMSG);
902 if (output == NULL || output->valueType != BSL_PARAM_TYPE_OCTETS_PTR) {
903 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
904 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
905 }
906 if (request->blindedMsg.data == NULL || request->blindedMsg.dataLen == 0) {
907 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_NO_BLINDEDMSG);
908 return HITLS_AUTH_PRIVPASS_NO_BLINDEDMSG;
909 }
910 if (output->valueLen < request->blindedMsg.dataLen) {
911 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
912 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
913 }
914 (void)memcpy_s(output->value, output->valueLen, request->blindedMsg.data, request->blindedMsg.dataLen);
915 output->useLen = request->blindedMsg.dataLen;
916 return HITLS_AUTH_SUCCESS;
917 }
918 }
919
PrivPassGetTokenResponseContent(HITLS_AUTH_PrivPassToken * ctx,BSL_Param * param)920 static int32_t PrivPassGetTokenResponseContent(HITLS_AUTH_PrivPassToken *ctx, BSL_Param *param)
921 {
922 if (param == NULL || ctx->type != HITLS_AUTH_PRIVPASS_TOKEN_RESPONSE || ctx->st.tokenResponse == NULL) {
923 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
924 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
925 }
926 if (ctx->st.tokenResponse->st.pubResp.blindSig == NULL || ctx->st.tokenResponse->st.pubResp.blindSigLen == 0) {
927 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_NO_RESPONSE_INFO);
928 return HITLS_AUTH_PRIVPASS_NO_RESPONSE_INFO;
929 }
930 BSL_Param *output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_TOKENRESPONSE_INFO);
931 if (output == NULL || output->valueType != BSL_PARAM_TYPE_OCTETS_PTR) {
932 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
933 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
934 }
935 if (output->valueLen < ctx->st.tokenResponse->st.pubResp.blindSigLen) {
936 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
937 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
938 }
939 (void)memcpy_s(output->value, output->valueLen, ctx->st.tokenResponse->st.pubResp.blindSig,
940 ctx->st.tokenResponse->st.pubResp.blindSigLen);
941 output->useLen = ctx->st.tokenResponse->st.pubResp.blindSigLen;
942 return HITLS_AUTH_SUCCESS;
943 }
944
CopyTokenContent(PrivPass_TokenInstance * token,BSL_Param * param,int32_t target,uint8_t * targetBuff,uint32_t targetLen)945 static int32_t CopyTokenContent(PrivPass_TokenInstance *token, BSL_Param *param, int32_t target, uint8_t *targetBuff,
946 uint32_t targetLen)
947 {
948 BSL_Param *output = BSL_PARAM_FindParam(param, target);
949 if (target == AUTH_PARAM_PRIVPASS_TOKEN_TYPE) {
950 if (output != NULL && output->valueType == BSL_PARAM_TYPE_UINT16) {
951 return BSL_PARAM_SetValue(output, target, BSL_PARAM_TYPE_UINT16, &token->tokenType,
952 (uint32_t)sizeof(token->tokenType));
953 }
954 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
955 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
956 }
957 if (target == AUTH_PARAM_PRIVPASS_TOKEN_AUTHENTICATOR && targetBuff == NULL) {
958 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_NO_AUTHENTICATOR);
959 return HITLS_AUTH_PRIVPASS_NO_AUTHENTICATOR;
960 }
961 if (output == NULL || output->valueType != BSL_PARAM_TYPE_OCTETS_PTR) {
962 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
963 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
964 }
965 if (output->valueLen < targetLen) {
966 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
967 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
968 }
969 (void)memcpy_s(output->value, output->valueLen, targetBuff, targetLen);
970 output->useLen = targetLen;
971 return HITLS_AUTH_SUCCESS;
972 }
973
PrivPassGetTokenContent(HITLS_AUTH_PrivPassToken * obj,int32_t cmd,BSL_Param * param)974 static int32_t PrivPassGetTokenContent(HITLS_AUTH_PrivPassToken *obj, int32_t cmd, BSL_Param *param)
975 {
976 if (param == NULL || obj->type != HITLS_AUTH_PRIVPASS_TOKEN_INSTANCE || obj->st.token == NULL) {
977 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
978 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
979 }
980 PrivPass_TokenInstance *token = obj->st.token;
981 int32_t target;
982 uint8_t *targetBuff = 0;
983 uint32_t targetLen = 0;
984 switch (cmd) {
985 case HITLS_AUTH_PRIVPASS_GET_TOKEN_TYPE:
986 target = AUTH_PARAM_PRIVPASS_TOKEN_TYPE;
987 targetLen = (uint32_t)sizeof(token->tokenType);
988 break;
989 case HITLS_AUTH_PRIVPASS_GET_TOKEN_NONCE:
990 target = AUTH_PARAM_PRIVPASS_TOKEN_NONCE;
991 targetBuff = token->nonce;
992 targetLen = PRIVPASS_TOKEN_NONCE_LEN;
993 break;
994 case HITLS_AUTH_PRIVPASS_GET_TOKEN_CHALLENGEDIGEST:
995 target = AUTH_PARAM_PRIVPASS_TOKEN_CHALLENGEDIGEST;
996 targetBuff = token->challengeDigest;
997 targetLen = PRIVPASS_TOKEN_SHA256_SIZE;
998 break;
999 case HITLS_AUTH_PRIVPASS_GET_TOKEN_TOKENKEYID:
1000 target = AUTH_PARAM_PRIVPASS_TOKEN_TOKENKEYID;
1001 targetBuff = token->tokenKeyId;
1002 targetLen = PRIVPASS_TOKEN_SHA256_SIZE;
1003 break;
1004 default:
1005 target = AUTH_PARAM_PRIVPASS_TOKEN_AUTHENTICATOR;
1006 targetBuff = token->authenticator.data;
1007 targetLen = token->authenticator.dataLen;
1008 break;
1009 }
1010 return CopyTokenContent(token, param, target, targetBuff, targetLen);
1011 }
1012
HITLS_AUTH_PrivPassTokenCtrl(HITLS_AUTH_PrivPassToken * object,int32_t cmd,void * param,uint32_t paramLen)1013 int32_t HITLS_AUTH_PrivPassTokenCtrl(HITLS_AUTH_PrivPassToken *object, int32_t cmd, void *param, uint32_t paramLen)
1014 {
1015 if (object == NULL) {
1016 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
1017 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
1018 }
1019 (void)paramLen;
1020 switch (cmd) {
1021 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGEREQUEST_INFO:
1022 return PrivPassGetTokenChallengeRequest(object, param);
1023 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGE_TYPE:
1024 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGE_ISSUERNAME:
1025 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGE_REDEMPTION:
1026 case HITLS_AUTH_PRIVPASS_GET_TOKENCHALLENGE_ORIGININFO:
1027 return PrivPassGetTokenChallengeContent(object, cmd, param);
1028 case HITLS_AUTH_PRIVPASS_GET_TOKENREQUEST_TYPE:
1029 case HITLS_AUTH_PRIVPASS_GET_TOKENREQUEST_TRUNCATEDTOKENKEYID:
1030 case HITLS_AUTH_PRIVPASS_GET_TOKENREQUEST_BLINDEDMSG:
1031 return PrivPassGetTokenRequestContent(object, cmd, param);
1032 case HITLS_AUTH_PRIVPASS_GET_TOKENRESPONSE_INFO:
1033 return PrivPassGetTokenResponseContent(object, param);
1034 case HITLS_AUTH_PRIVPASS_GET_TOKEN_TYPE:
1035 case HITLS_AUTH_PRIVPASS_GET_TOKEN_NONCE:
1036 case HITLS_AUTH_PRIVPASS_GET_TOKEN_CHALLENGEDIGEST:
1037 case HITLS_AUTH_PRIVPASS_GET_TOKEN_TOKENKEYID:
1038 case HITLS_AUTH_PRIVPASS_GET_TOKEN_AUTHENTICATOR:
1039 return PrivPassGetTokenContent(object, cmd, param);
1040 default:
1041 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_CMD);
1042 return HITLS_AUTH_PRIVPASS_INVALID_CMD;
1043 }
1044 }
1045
PrivPassGetCtxContent(HITLS_AUTH_PrivPassCtx * ctx,int32_t cmd,BSL_Param * param)1046 static int32_t PrivPassGetCtxContent(HITLS_AUTH_PrivPassCtx *ctx, int32_t cmd, BSL_Param *param)
1047 {
1048 BSL_Param *output = NULL;
1049 switch (cmd) {
1050 case HITLS_AUTH_PRIVPASS_GET_CTX_NONCE:
1051 output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_CTX_NONCE);
1052 if (output == NULL || output->valueType != BSL_PARAM_TYPE_OCTETS_PTR) {
1053 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
1054 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
1055 }
1056 if (output->valueLen < PRIVPASS_TOKEN_NONCE_LEN) {
1057 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
1058 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
1059 }
1060 (void)memcpy_s(output->value, output->valueLen, ctx->nonce, PRIVPASS_TOKEN_NONCE_LEN);
1061 output->useLen = PRIVPASS_TOKEN_NONCE_LEN;
1062 return HITLS_AUTH_SUCCESS;
1063 case HITLS_AUTH_PRIVPASS_GET_CTX_TRUNCATEDTOKENKEYID:
1064 if (ctx->pubKeyCtx == NULL) {
1065 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_NO_PUBKEY_INFO);
1066 return HITLS_AUTH_PRIVPASS_NO_PUBKEY_INFO;
1067 }
1068 output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_CTX_TRUNCATEDTOKENKEYID);
1069 if (output == NULL || output->valueType != BSL_PARAM_TYPE_UINT8) {
1070 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
1071 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
1072 }
1073 return BSL_PARAM_SetValue(output, AUTH_PARAM_PRIVPASS_CTX_TRUNCATEDTOKENKEYID, BSL_PARAM_TYPE_UINT8,
1074 &ctx->tokenKeyId[PRIVPASS_TOKEN_SHA256_SIZE - 1], 1); // 1 byte
1075 default:
1076 if (ctx->pubKeyCtx == NULL) {
1077 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_NO_PUBKEY_INFO);
1078 return HITLS_AUTH_PRIVPASS_NO_PUBKEY_INFO;
1079 }
1080 output = BSL_PARAM_FindParam(param, AUTH_PARAM_PRIVPASS_CTX_TOKENKEYID);
1081 if (output == NULL || output->valueType != BSL_PARAM_TYPE_OCTETS_PTR) {
1082 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
1083 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
1084 }
1085 if (output->valueLen < PRIVPASS_TOKEN_SHA256_SIZE) {
1086 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH);
1087 return HITLS_AUTH_PRIVPASS_BUFFER_NOT_ENOUGH;
1088 }
1089 (void)memcpy_s(output->value, output->valueLen, ctx->tokenKeyId, PRIVPASS_TOKEN_SHA256_SIZE);
1090 output->useLen = PRIVPASS_TOKEN_SHA256_SIZE;
1091 return HITLS_AUTH_SUCCESS;
1092 }
1093 }
1094
HITLS_AUTH_PrivPassCtxCtrl(HITLS_AUTH_PrivPassCtx * ctx,int32_t cmd,void * param,uint32_t paramLen)1095 int32_t HITLS_AUTH_PrivPassCtxCtrl(HITLS_AUTH_PrivPassCtx *ctx, int32_t cmd, void *param, uint32_t paramLen)
1096 {
1097 if (ctx == NULL || param == NULL) {
1098 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_INPUT);
1099 return HITLS_AUTH_PRIVPASS_INVALID_INPUT;
1100 }
1101 (void)paramLen;
1102 switch (cmd) {
1103 case HITLS_AUTH_PRIVPASS_GET_CTX_TOKENKEYID:
1104 case HITLS_AUTH_PRIVPASS_GET_CTX_TRUNCATEDTOKENKEYID:
1105 case HITLS_AUTH_PRIVPASS_GET_CTX_NONCE:
1106 return PrivPassGetCtxContent(ctx, cmd, param);
1107 default:
1108 BSL_ERR_PUSH_ERROR(HITLS_AUTH_PRIVPASS_INVALID_CMD);
1109 return HITLS_AUTH_PRIVPASS_INVALID_CMD;
1110 }
1111 }